Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1499938
MD5:	61d31fb13c1dd46fcb03caf7f648508c
SHA1:	ecd46d1e09bdfa50c1587690e70262bc14ba751c
SHA256:	6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
Tags:	exe
Infos:

Detection

RHADAMANTHYS, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected RHADAMANTHYS Stealer

Yara detected UAC Bypass using CMSTP

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Dllhost Internet Connection

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7196 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 61D31FB13C1DD46FCB03CAF7F648508C)

SendBugReportNew.exe (PID: 7368 cmdline: "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" MD5: 58717509C1521EACFCC7CDA39E6BD45C)

V3.exe (PID: 7404 cmdline: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe MD5: AE36397A23D16920DDFE4DFEC24F6B85)

OpenWith.exe (PID: 7560 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)

OpenWith.exe (PID: 7724 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)

wmplayer.exe (PID: 6000 cmdline: "C:\Program Files\Windows Media Player\wmplayer.exe" MD5: 89DCD2D4C0EC638AADC00D3530E07E1D)

dllhost.exe (PID: 7132 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cmd.exe (PID: 7596 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1196 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

SendBugReportNew.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe" MD5: 58717509C1521EACFCC7CDA39E6BD45C)

cmd.exe (PID: 8160 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SendBugReportNew.exe (PID: 336 cmdline: "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe" MD5: 58717509C1521EACFCC7CDA39E6BD45C)

cmd.exe (PID: 744 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 2908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/jxfGm9Pc", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Threatname: Rhadamanthys

{"C2 url": "https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\tqco	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\tqco	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b11:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\cfi	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\cfi	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b11:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\rtl120.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d67:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e04:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6f19:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bd9:$cnc4: POST / HTTP/1.1
00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000002.1720054061.0000000003440000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d67:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e04:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6f19:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bd9:$cnc4: POST / HTTP/1.1
0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6911:$cnc4: POST / HTTP/1.1
0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000007.00000003.1286758641.00000000026C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.1405996378.0000000050001000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: SendBugReportNew.exe PID: 7368	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SendBugReportNew.exe PID: 7368	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: V3.exe PID: 7404	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: OpenWith.exe PID: 7560	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 7596	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: cmd.exe PID: 7596	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: OpenWith.exe PID: 7724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.cmd.exe.34407f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.34407f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f78:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f40:$s2: Elevation:Administrator!new:
32.2.cmd.exe.31c00c8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.2.cmd.exe.31c00c8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b11:$cnc4: POST / HTTP/1.1
10.2.V3.exe.c30000.0.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
14.2.cmd.exe.5152b57.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5152b57.4.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
14.2.cmd.exe.5152b57.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x87bfb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87e87:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87c86:$s1: CoGetObject 0x87f12:$s1: CoGetObject 0x87bdf:$s2: Elevation:Administrator!new: 0x87e6b:$s2: Elevation:Administrator!new:
23.2.cmd.exe.53fcb57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.53fcb57.3.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
23.2.cmd.exe.53fcb57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x87bfb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87e87:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87c86:$s1: CoGetObject 0x87f12:$s1: CoGetObject 0x87bdf:$s2: Elevation:Administrator!new: 0x87e6b:$s2: Elevation:Administrator!new:
14.2.cmd.exe.59800c8.8.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.cmd.exe.59800c8.8.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b11:$cnc4: POST / HTTP/1.1
14.2.cmd.exe.59800c8.8.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.cmd.exe.59800c8.8.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5051:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d11:$cnc4: POST / HTTP/1.1
14.2.cmd.exe.510da8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.510da8a.3.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
14.2.cmd.exe.510da8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0xcccc8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccf54:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccd53:$s1: CoGetObject 0xccfdf:$s1: CoGetObject 0xcccac:$s2: Elevation:Administrator!new: 0xccf38:$s2: Elevation:Administrator!new:
9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x86ffb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87287:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87086:$s1: CoGetObject 0x87312:$s1: CoGetObject 0x86fdf:$s2: Elevation:Administrator!new: 0x8726b:$s2: Elevation:Administrator!new:
10.0.V3.exe.c30000.0.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
36.2.MSBuild.exe.150000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
36.2.MSBuild.exe.150000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b11:$cnc4: POST / HTTP/1.1
23.2.cmd.exe.53fd757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.53fd757.4.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
23.2.cmd.exe.53fd757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x86ffb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87287:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87086:$s1: CoGetObject 0x87312:$s1: CoGetObject 0x86fdf:$s2: Elevation:Administrator!new: 0x8726b:$s2: Elevation:Administrator!new:
32.2.cmd.exe.52e1a8a.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.cmd.exe.52e1a8a.6.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
32.2.cmd.exe.52e1a8a.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0xcccc8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccf54:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccd53:$s1: CoGetObject 0xccfdf:$s1: CoGetObject 0xcccac:$s2: Elevation:Administrator!new: 0xccf38:$s2: Elevation:Administrator!new:
13.3.OpenWith.exe.4bd0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.cmd.exe.53b7a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.53b7a8a.5.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
23.2.cmd.exe.53b7a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0xcccc8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccf54:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccd53:$s1: CoGetObject 0xccfdf:$s1: CoGetObject 0xcccac:$s2: Elevation:Administrator!new: 0xccf38:$s2: Elevation:Administrator!new:
10.3.V3.exe.4890000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.3.OpenWith.exe.4df0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
32.2.cmd.exe.31c00c8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.2.cmd.exe.31c00c8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5051:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d11:$cnc4: POST / HTTP/1.1
32.2.cmd.exe.5327757.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.cmd.exe.5327757.3.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
32.2.cmd.exe.5327757.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x86ffb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87287:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87086:$s1: CoGetObject 0x87312:$s1: CoGetObject 0x86fdf:$s2: Elevation:Administrator!new: 0x8726b:$s2: Elevation:Administrator!new:
10.3.V3.exe.4670000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x87bfb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87e87:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87c86:$s1: CoGetObject 0x87f12:$s1: CoGetObject 0x87bdf:$s2: Elevation:Administrator!new: 0x87e6b:$s2: Elevation:Administrator!new:
32.2.cmd.exe.5326b57.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.cmd.exe.5326b57.4.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
32.2.cmd.exe.5326b57.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x87bfb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87e87:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87c86:$s1: CoGetObject 0x87f12:$s1: CoGetObject 0x87bdf:$s2: Elevation:Administrator!new: 0x87e6b:$s2: Elevation:Administrator!new:
14.2.cmd.exe.5153757.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5153757.6.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
14.2.cmd.exe.5153757.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x86ffb:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87287:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x87086:$s1: CoGetObject 0x87312:$s1: CoGetObject 0x86fdf:$s2: Elevation:Administrator!new: 0x8726b:$s2: Elevation:Administrator!new:
9.2.SendBugReportNew.exe.2e80901.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.SendBugReportNew.exe.2e80901.3.raw.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
9.2.SendBugReportNew.exe.2e80901.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0xcccc8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccf54:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xccd53:$s1: CoGetObject 0xccfdf:$s1: CoGetObject 0xcccac:$s2: Elevation:Administrator!new: 0xccf38:$s2: Elevation:Administrator!new:
9.2.SendBugReportNew.exe.50000000.8.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
13.3.OpenWith.exe.4df0000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 51 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.20.4.235, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1196, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49725

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 154.216.19.149, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 7132, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49724

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7196, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" , ProcessId: 7368, ProcessName: SendBugReportNew.exe

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:39.178331+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49742
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:27:41.196133+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:34.785984+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:24:30.796640+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:20.764109+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:20.764109+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:57.630580+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:04.577640+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:26.866896+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:12.788465+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49738
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:49.796937+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:57.626918+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:38.022006+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:47.874046+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49743
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:06.198814+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:26.349934+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:27:10.633780+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:26.009886+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49740
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:49.692892+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:54.396979+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:10.629778+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:01.054684+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49745
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:04.674425+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:50.775975+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:50.775975+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:32.243193+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:09.054842+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:33.370929+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:30.794802+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:47.100381+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:20.770041+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:20.770041+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:32.286779+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:27:26.868692+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:24:42.460464+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:23:55.617151+0200
SID:	2854802
Severity:	1
Source Port:	2047
Destination Port:	49722
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO JA3 HASH Suspected Malware Related Response - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:23:55.617151+0200
SID:	2854824
Severity:	2
Source Port:	2047
Destination Port:	49722
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:20.762189+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:20.762189+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:17.618090+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:20.760087+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:20.760087+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:27.456651+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49749
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:50.765418+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:50.765418+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:56.694912+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:47.105103+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:26.168534+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:13.397343+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49724
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:58.981890+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:20.847926+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49748
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:32.600766+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49741
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:04.628339+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:20.210101+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49757
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:59.597331+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49736
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:50.757178+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:50.757178+0200
SID:	2852874
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:05.826678+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:26.348263+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:04.528278+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:27:29.788300+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:00.915808+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:33.268990+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:19.421341+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49739
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:33.270765+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:58.985323+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:07.007597+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49755
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:33.103498+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49732
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:04.629665+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:38.024231+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:20.733952+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:39.764202+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:54.412909+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49744
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:41.194654+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:17.677745+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:40.707005+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49751
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:33.412952+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49759
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:54.399226+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:54.129729+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:57.543554+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:13.613289+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49756
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:26.161543+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:17.538502+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:26.810973+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49758
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:22.307659+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:04.514116+0200
SID:	2853193
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:07.680138+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49746
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:53.831904+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49753
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:33.369248+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:26:00.917898+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:40.797989+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49760
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:20.554917+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:17.536001+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:57.536064+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:27:22.311512+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:46.292252+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49734
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:42.457944+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:48.876419+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:09.050707+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:48.879074+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:05.821094+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:14.309050+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49747
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:20.493111+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:29.786129+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:26.490485+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49728
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:47.223099+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49752
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:27:00.478416+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49754
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:34.056313+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49750
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:58.629118+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:23:40.370278+0200
SID:	2854802
Severity:	1
Source Port:	2047
Destination Port:	49706
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:26:04.673062+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:34.788787+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:20.104509+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49727
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:52.951046+0200
SID:	2854802
Severity:	1
Source Port:	443
Destination Port:	49735
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:07.411768+0200
SID:	2854802
Severity:	1
Source Port:	2047
Destination Port:	49723
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ETPRO JA3 HASH Suspected Malware Related Response - Source IP: 154.216.19.149 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:24:07.411768+0200
SID:	2854824
Severity:	2
Source Port:	2047
Destination Port:	49723
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:25:58.631925+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 85.209.133.150 - Destination IP: 192.168.2.7

Timestamp:	2024-08-27T18:25:56.693091+0200
SID:	2852870
Severity:	1
Source Port:	6677
Destination Port:	49726
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:24:54.131663+0200
SID:	2852923
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 85.209.133.150

Timestamp:	2024-08-27T18:24:30.688337+0200
SID:	2855924
Severity:	1
Source Port:	49726
Destination Port:	6677
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\cfi	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\tqco	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud"}
Source: 00000019.00000002.3766821762.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/jxfGm9Pc", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\cfi	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tqco	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 32.2.cmd.exe.31c00c8.0.raw.unpack	String decryptor: https://pastebin.com/raw/jxfGm9Pc
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack	String decryptor: <123456789>
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack	String decryptor: <Xwormmm>
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack	String decryptor: V3
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack	String decryptor: USB.exe

Source: C:\Windows\System32\OpenWith.exe

Code function: 17_3_00007DF4218A2258 CryptUnprotectData,

17_3_00007DF4218A2258

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1720054061.0000000003440000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SendBugReportNew.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49760 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: wmplayer.exe
Source:	Binary string: wkernel32.pdbUGP source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\OpenWith.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	7_2_0040301A
Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	7_2_00402B79
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C8A165 FindFirstFileExW,	10_2_00C8A165

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Code function: 4x nop then dec esp	17_3_00007DF4218AE261
Source: C:\Windows\System32\OpenWith.exe	Code function: 4x nop then dec esp	17_2_000001F664380511
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 4x nop then dec esp	26_2_00000230766F5641

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49706
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49723
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49724
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 85.209.133.150:6677 -> 192.168.2.7:49726
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 85.209.133.150:6677 -> 192.168.2.7:49726
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49728
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49722
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49727
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49738
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49741
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49732
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49743
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49740
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49746
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49751
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49742
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49733
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49756
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49758
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49736
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49753
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49749
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49748
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49760
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49750
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49739
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49759
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49752
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49734
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49737
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49755
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49745
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49744
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49735
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49754
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49757

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://pastebin.com/raw/jxfGm9Pc
Source: Malware configuration extractor	URLs: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 154.216.19.149 ports 0,2,443,4,2047,7

Source: global traffic	TCP traffic: 192.168.2.7:49706 -> 154.216.19.149:2047
Source: global traffic	TCP traffic: 192.168.2.7:49726 -> 85.209.133.150:6677

Source: global traffic

HTTP traffic detected: GET /raw/jxfGm9Pc HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235

Source: Joe Sandbox View	ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 154.216.19.149:2047 -> 192.168.2.7:49723
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 154.216.19.149:2047 -> 192.168.2.7:49722

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.149

Source: C:\Windows\System32\OpenWith.exe

Code function: 17_3_00007DF4218D4520 WSARecv,

17_3_00007DF4218D4520

Source: global traffic

HTTP traffic detected: GET /raw/jxfGm9Pc HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.00000000050BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: OpenWith.exe, OpenWith.exe, 00000011.00000003.1505283509.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1677547052.000001F6663D7000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1498738651.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1511247150.000001F6663E4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495447075.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501372188.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1494409589.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1496020851.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1496455071.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1494693265.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Source: OpenWith.exe, 0000000D.00000002.1394086131.00000000026EC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud(
Source: OpenWith.exe, 0000000D.00000003.1393605091.0000000004F54000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1393605091.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000002.1394825096.0000000004F59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifudkernelbasentdllkernel32GetProcessMitigationP
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.sea
Source: OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: OpenWith.exe, 00000011.00000003.1505283509.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91
Source: OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502338268.000001F66667B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201691ad-216
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.iobit.com/en/privacy.phpOpenU

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49760 version: TLS 1.2

Source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_c02683ce-3

Source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_e06d1c42-3

Source: Yara match	File source: 13.3.OpenWith.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.V3.exe.4890000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.OpenWith.exe.4df0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.V3.exe.4670000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.OpenWith.exe.4df0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SendBugReportNew.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: V3.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OpenWith.exe PID: 7560, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D830C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor,	17_3_000001F665D830C7
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AC10C NtAcceptConnectPort,	17_3_00007DF4218AC10C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AD2F4 NtAcceptConnectPort,NtAcceptConnectPort,	17_3_00007DF4218AD2F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AC47C NtAcceptConnectPort,	17_3_00007DF4218AC47C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AB498 NtAcceptConnectPort,_calloc_dbg,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,	17_3_00007DF4218AB498
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AD3C0 NtAcceptConnectPort,NtAcceptConnectPort,	17_3_00007DF4218AD3C0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AC70C NtAcceptConnectPort,	17_3_00007DF4218AC70C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AC7CC NtAcceptConnectPort,	17_3_00007DF4218AC7CC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AAD14 NtAcceptConnectPort,	17_3_00007DF4218AAD14
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AACC8 NtAcceptConnectPort,	17_3_00007DF4218AACC8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218ABCC0 RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z,	17_3_00007DF4218ABCC0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AACE8 NtAcceptConnectPort,	17_3_00007DF4218AACE8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AAC0C NtAcceptConnectPort,	17_3_00007DF4218AAC0C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AAF40 NtAcceptConnectPort,	17_3_00007DF4218AAF40
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AAF60 NtAcceptConnectPort,	17_3_00007DF4218AAF60
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218ABE6C NtAcceptConnectPort,	17_3_00007DF4218ABE6C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AAE5C NtAcceptConnectPort,	17_3_00007DF4218AAE5C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218AADD4 NtAcceptConnectPort,	17_3_00007DF4218AADD4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F664381A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler,	17_2_000001F664381A90
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F664380AC8 NtAcceptConnectPort,NtAcceptConnectPort,	17_2_000001F664380AC8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F664381CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification,	17_2_000001F664381CD0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F6643815AC NtAcceptConnectPort,	17_2_000001F6643815AC
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_3_00007DF4ADB71CE8 _calloc_dbg,CreateProcessW,NtResumeThread,FindCloseChangeNotification,??3@YAXPEAX@Z,	26_3_00007DF4ADB71CE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_3_00007DF4ADB71958 _calloc_dbg,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	26_3_00007DF4ADB71958
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076702418 NtAcceptConnectPort,	26_2_0000023076702418
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670288C NtAcceptConnectPort,	26_2_000002307670288C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767028E8 NtAcceptConnectPort,	26_2_00000230767028E8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767028B8 NtAcceptConnectPort,	26_2_00000230767028B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076702990 NtAcceptConnectPort,	26_2_0000023076702990
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767029D4 NtAcceptConnectPort,	26_2_00000230767029D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767027B8 NtAcceptConnectPort,	26_2_00000230767027B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076702C64 NtAcceptConnectPort,	26_2_0000023076702C64
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670252C NtAcceptConnectPort,	26_2_000002307670252C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00007DF4ADB71E64 CreateProcessW,NtResumeThread,FindCloseChangeNotification,	26_2_00007DF4ADB71E64
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00007DF4ADB7199C NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,	26_2_00007DF4ADB7199C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00007DF4ADB82704 NtQuerySystemInformation,??3@YAXPEAX@Z,_malloc_dbg,NtQuerySystemInformation,	26_2_00007DF4ADB82704
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5385C NtQuerySystemInformation,	27_2_00000213BBF5385C

Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_00404FAA	7_2_00404FAA
Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_0041206B	7_2_0041206B
Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_0041022D	7_2_0041022D
Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_00411F91	7_2_00411F91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C90BC1	10_2_00C90BC1
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D824F7	17_3_000001F665D824F7
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D85E7C	17_3_000001F665D85E7C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D8557C	17_3_000001F665D8557C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D858FC	17_3_000001F665D858FC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D81BA6	17_3_000001F665D81BA6
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D8279C	17_3_000001F665D8279C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D84A38	17_3_000001F665D84A38
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_000001F665D82C3C	17_3_000001F665D82C3C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218DB104	17_3_00007DF4218DB104
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421882634	17_3_00007DF421882634
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42194A168	17_3_00007DF42194A168
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218F20BC	17_3_00007DF4218F20BC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218CF02C	17_3_00007DF4218CF02C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421881058	17_3_00007DF421881058
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196AF80	17_3_00007DF42196AF80
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218FCFB4	17_3_00007DF4218FCFB4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42197BFCC	17_3_00007DF42197BFCC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196B318	17_3_00007DF42196B318
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4219772C8	17_3_00007DF4219772C8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42191E24C	17_3_00007DF42191E24C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218D2524	17_3_00007DF4218D2524
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196A4A0	17_3_00007DF42196A4A0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421968474	17_3_00007DF421968474
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218E93F4	17_3_00007DF4218E93F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218C43F8	17_3_00007DF4218C43F8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218DA430	17_3_00007DF4218DA430
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42195A3D4	17_3_00007DF42195A3D4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218CF3B8	17_3_00007DF4218CF3B8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218E96E0	17_3_00007DF4218E96E0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42188F624	17_3_00007DF42188F624
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218DD594	17_3_00007DF4218DD594
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218E95D0	17_3_00007DF4218E95D0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218D75E4	17_3_00007DF4218D75E4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218A996C	17_3_00007DF4218A996C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42189F95C	17_3_00007DF42189F95C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196A8BC	17_3_00007DF42196A8BC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218DB7B8	17_3_00007DF4218DB7B8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42189FB24	17_3_00007DF42189FB24
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196FB04	17_3_00007DF42196FB04
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42197CB04	17_3_00007DF42197CB04
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218E9B38	17_3_00007DF4218E9B38
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218D9B70	17_3_00007DF4218D9B70
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218CFA94	17_3_00007DF4218CFA94
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218F9AE0	17_3_00007DF4218F9AE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218DCA38	17_3_00007DF4218DCA38
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4219669A8	17_3_00007DF4219669A8
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42189D9F0	17_3_00007DF42189D9F0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421885C24	17_3_00007DF421885C24
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421926C60	17_3_00007DF421926C60
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218EDC54	17_3_00007DF4218EDC54
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42195EBE4	17_3_00007DF42195EBE4
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218B0F04	17_3_00007DF4218B0F04
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218B9F4C	17_3_00007DF4218B9F4C
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421969F68	17_3_00007DF421969F68
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF42196AE00	17_3_00007DF42196AE00
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421891E54	17_3_00007DF421891E54
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421976DAC	17_3_00007DF421976DAC
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF421963D84	17_3_00007DF421963D84
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218CFDE0	17_3_00007DF4218CFDE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F664380C5C	17_2_000001F664380C5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D47068	25_2_00D47068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D4B550	25_2_00D4B550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D46798	25_2_00D46798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D46450	25_2_00D46450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D40C10	25_2_00D40C10
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_3_00007DF4ADB74EFC	26_3_00007DF4ADB74EFC
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_3_00007DF4ADB7392C	26_3_00007DF4ADB7392C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_3_00007DF4ADB72204	26_3_00007DF4ADB72204
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230766FC25C	26_2_00000230766FC25C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076702D24	26_2_0000023076702D24
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230766F2628	26_2_00000230766F2628
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076707270	26_2_0000023076707270
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076730270	26_2_0000023076730270
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076724A50	26_2_0000023076724A50
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076733A4D	26_2_0000023076733A4D
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076723A38	26_2_0000023076723A38
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076705ADC	26_2_0000023076705ADC
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670E398	26_2_000002307670E398
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672CC00	26_2_000002307672CC00
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076717094	26_2_0000023076717094
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076730874	26_2_0000023076730874
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307671D854	26_2_000002307671D854
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076725918	26_2_0000023076725918
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767248D0	26_2_00000230767248D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672E984	26_2_000002307672E984
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076710174	26_2_0000023076710174
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672F940	26_2_000002307672F940
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672F1D0	26_2_000002307672F1D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076713EA4	26_2_0000023076713EA4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076717684	26_2_0000023076717684
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076706F24	26_2_0000023076706F24
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076725EC8	26_2_0000023076725EC8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767186B4	26_2_00000230767186B4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670BEB8	26_2_000002307670BEB8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076723F70	26_2_0000023076723F70
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670C750	26_2_000002307670C750
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670D010	26_2_000002307670D010
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672A81C	26_2_000002307672A81C
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076720478	26_2_0000023076720478
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076736434	26_2_0000023076736434
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076716D18	26_2_0000023076716D18
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670DCE4	26_2_000002307670DCE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307672ECE4	26_2_000002307672ECE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230766F14D0	26_2_00000230766F14D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076730D90	26_2_0000023076730D90
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_000002307670F618	26_2_000002307670F618
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_0000023076724DE8	26_2_0000023076724DE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767295D4	26_2_00000230767295D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230767255B0	26_2_00000230767255B0
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00007DF4ADB722CC	26_2_00007DF4ADB722CC
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5737C	27_2_00000213BBF5737C
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF73B40	27_2_00000213BBF73B40
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF7C2EC	27_2_00000213BBF7C2EC
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF692D4	27_2_00000213BBF692D4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF72AA0	27_2_00000213BBF72AA0
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF72254	27_2_00000213BBF72254
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF73210	27_2_00000213BBF73210
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF69998	27_2_00000213BBF69998
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF68980	27_2_00000213BBF68980
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF74144	27_2_00000213BBF74144
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6A860	27_2_00000213BBF6A860
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF69818	27_2_00000213BBF69818
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5BFE4	27_2_00000213BBF5BFE4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF627A4	27_2_00000213BBF627A4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6F76C	27_2_00000213BBF6F76C
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6AF55	27_2_00000213BBF6AF55
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF68EB8	27_2_00000213BBF68EB8
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF7C668	27_2_00000213BBF7C668
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF74660	27_2_00000213BBF74660
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5D604	27_2_00000213BBF5D604
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6AE10	27_2_00000213BBF6AE10
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF58DF4	27_2_00000213BBF58DF4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5C5D4	27_2_00000213BBF5C5D4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF725B4	27_2_00000213BBF725B4
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF69D30	27_2_00000213BBF69D30
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF7B516	27_2_00000213BBF7B516
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6E51C	27_2_00000213BBF6E51C
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF6A4F8	27_2_00000213BBF6A4F8
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF7C500	27_2_00000213BBF7C500
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF5BC68	27_2_00000213BBF5BC68
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF653C8	27_2_00000213BBF653C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00A20C0C	36_2_00A20C0C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe D76D0650B630FDB70756A446E0A43672B5DA1C2A74014118B02133923305DA9A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\vcl120.bpl CCCCADDE7393F1B624CDE32B38274E60BBE65B1769D614D129BABDAEEF9A6715

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 0040243B appears 37 times

Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSendBugReportNew.exe8 vs file.exe
Source: file.exe, 00000007.00000002.1407887534.000000000062C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSe vs file.exe
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LegalTrademarks OriginalFileName vs file.exe
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSendBugReportNew.exe8 vs file.exe
Source: file.exe, 00000007.00000000.1278151691.0000000000432000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs file.exe
Source: file.exe, 00000007.00000003.1280929299.00000000024CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRTL120.BPLR vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVCL120.BPLR vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVCLX120.BPLR vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: cfi.14.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cfi.14.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cfi.14.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: cfi.14.dr, Settings.cs	Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Settings.cs	Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: tqco.32.dr, Settings.cs	Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Settings.cs	Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'

Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: tqco.32.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: tqco.32.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: cfi.14.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: cfi.14.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@28/14@2/3

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

7_2_00407776

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

7_2_0040118A

Source: C:\Windows\System32\OpenWith.exe

Code function: 17_3_00007DF421882634 CreateToolhelp32Snapshot,Thread32First,Thread32Next,FindCloseChangeNotification,SuspendThread,

17_3_00007DF421882634

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

7_2_004034C1

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

7_2_00401BDF

Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe

File created: C:\Users\user\AppData\Roaming\Javaoraclev4

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\TN3sSNYI1fDMFOs2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_03
Source: C:\Windows\SysWOW64\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user~1\AppData\Local\Temp\mvyvk

Jump to behavior

Source: Yara match	File source: 9.2.SendBugReportNew.exe.50000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.1286758641.00000000026C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1405996378.0000000050001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rtl120.bpl, type: DROPPED

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000011.00000003.1502193124.000001F666866000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll

Source: C:\Windows\SysWOW64\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: uhlqevxks.14.dr

LNK file: ..\..\..\..\user\AppData\Local\Temp\SendBugReportNew.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook

Jump to behavior

Source: file.exe

Static file information: File size 2594056 > 1048576

Source:	Binary string: wkernel32.pdb source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: wmplayer.exe
Source:	Binary string: wkernel32.pdbUGP source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: cfi.14.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: cfi.14.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tqco.32.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tqco.32.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: cfi.14.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: cfi.14.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: cfi.14.dr, Messages.cs	.Net Code: Memory
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs	.Net Code: Memory
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.2.OpenWith.exe.1f665dac830.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.2.OpenWith.exe.1f665dac830.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: tqco.32.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: tqco.32.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: tqco.32.dr, Messages.cs	.Net Code: Memory
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

7_2_00406D5D

Source: rtl120.bpl.7.dr	Static PE information: real checksum: 0x11a2e4 should be: 0x11ae83
Source: V3.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x6f036
Source: tqco.32.dr	Static PE information: real checksum: 0x0 should be: 0x12550
Source: file.exe	Static PE information: real checksum: 0x33302 should be: 0x27fe33
Source: cfi.14.dr	Static PE information: real checksum: 0x0 should be: 0x12550

Source: V3.exe.9.dr

Static PE information: section name: .textbss

Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_00411C20 push eax; ret	7_2_00411C4E
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C96A80 push edx; ret	10_3_00C96A81
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C94C95 push es; retf	10_3_00C94C91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C95E69 push ebx; iretd	10_3_00C95E6A
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C94C62 push es; retf	10_3_00C94C91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C961E2 push eax; retf	10_3_00C961F1
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C947A2 push ebp; iretd	10_3_00C947A3
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C92F50 push eax; retf	10_3_00C92F51
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C94170 push ecx; iretd	10_3_00C9417C
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C96777 push esi; ret	10_3_00C96782
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C94130 pushad ; ret	10_3_00C94138
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C3C01A push ds; iretd	10_2_00C3C036
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C912F4 push ecx; ret	10_2_00C91307
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C31436 push ds; retf	10_2_00C3143B
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C3E5F8 push ebx; ret	10_2_00C3E5F9
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02724262 push eax; retf	13_3_02724271
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02722822 push ebp; iretd	13_3_02722823
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02722CE2 push es; retf	13_3_02722D11
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02723EE9 push ebx; iretd	13_3_02723EEA
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02722D15 push es; retf	13_3_02722D11
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02724B00 push edx; ret	13_3_02724B01
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_027221F0 push ecx; iretd	13_3_027221FC
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_027247F7 push esi; ret	13_3_02724802
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02720FD0 push eax; retf	13_3_02720FD1
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_027221B0 pushad ; ret	13_3_027221B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D451C8 pushad ; ret	25_2_00D451C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D45474 pushfd ; ret	25_2_00D45475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D439E8 push ebx; retf	25_2_00D43ADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 25_2_00D43A18 push ebx; retf	25_2_00D43ADA
Source: C:\Windows\System32\dllhost.exe	Code function: 27_2_00000213BBF50B44 push ss; ret	27_2_00000213BBF50B46

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cfi	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\vcl120.bpl	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\tqco	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\vclx120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\rtl120.bpl	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	File created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\rtl120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\vcl120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\vclx120.bpl	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cfi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\tqco	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CFI
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TQCO

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	API/Special instruction interceptor: Address: 6D1F7C44
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\OpenWith.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\OpenWith.exe	API/Special instruction interceptor: Address: 4DDA83A
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	API/Special instruction interceptor: Address: 6D1F7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6D1F3B54

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDP
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: A20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2200000 memory reserve \| memory write watch

Source: C:\Windows\System32\dllhost.exe

Code function: GetAdaptersInfo,

27_2_00000213BBF52AC4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6317			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3408			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cfi			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tqco			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2864	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1848	Thread sleep count: 6317 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1848	Thread sleep count: 3408 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	7_2_0040301A
Source: C:\Users\user\Desktop\file.exe	Code function: 7_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	7_2_00402B79
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C8A165 FindFirstFileExW,	10_2_00C8A165

Source: C:\Windows\System32\OpenWith.exe

Code function: 17_3_00007DF4218822DC GetSystemInfo,VirtualAlloc,

17_3_00007DF4218822DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: OpenWith.exe, 0000000D.00000002.1394291501.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: OpenWith.exe, 0000000D.00000002.1394291501.0000000002A98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: MSBuild.exe, 00000019.00000002.3765090379.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OpenWith.exe, 00000011.00000003.1444820986.000001F6663B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink)

Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe

Code function: 10_2_00C89AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_00C89AB4

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

7_2_00406D5D

Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_3_00C92277 mov eax, dword ptr fs:[00000030h]	10_3_00C92277
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C92277 mov eax, dword ptr fs:[00000030h]	10_2_00C92277
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 13_3_02720283 mov eax, dword ptr fs:[00000030h]	13_3_02720283

Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe

Code function: 10_2_00C84E5A GetProcessHeap,RtlAllocateHeap,GetModuleFileNameW,_wcsrchr,lstrlenW,GetProcessHeap,RtlFreeHeap,MulDiv,

10_2_00C84E5A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C89AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00C89AB4
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C85A33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00C85A33
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Code function: 10_2_00C855A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00C855A9
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_2_000001F664381A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler,	17_2_000001F664381A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Program Files\Windows Media Player\wmplayer.exe

Memory allocated: C:\Windows\System32\dllhost.exe base: 213BBF50000 protect: page read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe

NtQuerySystemInformation: Direct from: 0x777563E1

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B7B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9A6008	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 213BBF50000	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7D87314E0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B7B1000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 3C9008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_0040D72E cpuid

7_2_0040D72E

Source: C:\Users\user\Desktop\file.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

7_2_00401F9D

Source: C:\Windows\System32\OpenWith.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\SysWOW64\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Windows\System32\OpenWith.exe

Code function: 17_3_00007DF4218A1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,

17_3_00007DF4218A1B18

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

7_2_00401626

Source: C:\Users\user\Desktop\file.exe

Code function: 7_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

7_2_00404FAA

Source: C:\Windows\SysWOW64\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OllyDbg.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 10.2.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: OpenWith.exe, 00000011.00000003.1511323700.000001F6663D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Qtum-Electrum\config
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\OpenWith.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\startupCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing\google4	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser\newtab	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\doomed	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\thumbnails	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\entries	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: OpenWith.exe PID: 7724, type: MEMORYSTR

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 10.2.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED

Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218D4088 socket,bind,	17_3_00007DF4218D4088
Source: C:\Windows\System32\OpenWith.exe	Code function: 17_3_00007DF4218A1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,	17_3_00007DF4218A1B18
Source: C:\Program Files\Windows Media Player\wmplayer.exe	Code function: 26_2_00000230766FCDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,	26_2_00000230766FCDF4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	13 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	312 Process Injection	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	149 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	31 Obfuscated Files or Information	NTDS	351 Security Software Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\cfi	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Local\Temp\tqco	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Local\Temp\cfi	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tqco	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\rtl120.bpl	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\vcl120.bpl	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\vclx120.bpl	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://www.digicert.c	0%	Avira URL Cloud	safe
https://www.iobit.com/en/privacy.phpOpenU	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91	0%	Avira URL Cloud	safe
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud(	0%	Avira URL Cloud	safe
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifudkernelbasentdllkernel32GetProcessMitigationP	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://c0rl.m%L	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.sea	0%	Avira URL Cloud	safe
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201691ad-216	0%	Avira URL Cloud	safe
https://pastebin.com/raw/jxfGm9Pc	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	104.20.4.235	true	true		unknown
time.windows.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud	true	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/jxfGm9Pc	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.digicert.c	SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91	OpenWith.exe, 00000011.00000003.1505283509.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
https://www.iobit.com/en/privacy.phpOpenU	file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud(	OpenWith.exe, 0000000D.00000002.1394086131.00000000026EC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502338268.000001F66667B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifudkernelbasentdllkernel32GetProcessMitigationP	OpenWith.exe, 0000000D.00000003.1393605091.0000000004F54000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1393605091.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000002.1394825096.0000000004F59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://c0rl.m%L	SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.sea	OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201691ad-216	OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.info-zip.org/	SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.00000000050BE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.216.19.149	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
104.20.4.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
85.209.133.150	unknown	Germany	33657	CMCSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499938
Start date and time:	2024-08-27 18:22:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@28/14@2/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 73% Number of executed functions: 207 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 4.231.128.59, 93.184.221.240, 40.126.32.140, 40.126.32.72, 20.190.160.14, 40.126.32.76, 40.126.32.133, 40.126.32.74, 20.190.160.22, 20.190.160.20, 20.101.57.9, 51.104.136.2, 51.124.78.146, 40.68.123.157, 13.95.31.18, 13.85.23.86, 52.165.164.15
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, settings-prod-neu-2.northeurope.cloudapp.azure.com, wu.azureedge.net, atm-settingsfe-prod-geo2.trafficmanager.net, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, settings-prod-weu-1.westeurope.cloudapp.azure.com, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, settings-prod-neu-3.northeurope.cloudapp.azure.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 2908 because it is empty
Execution Graph export aborted for target OpenWith.exe, PID 7560 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:00:59	API Interceptor	6272044x Sleep call for process: MSBuild.exe modified
14:00:59	API Interceptor	1x Sleep call for process: wmplayer.exe modified
20:00:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browserUninstall_x86.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.4.235	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
85.209.133.150	kr5u9eDLvb.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	French Group.js	Get hash	malicious	Remcos	Browse	104.20.4.235
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	French Group.js	Get hash	malicious	Remcos	Browse	104.20.3.235
	Mi_Documento.js	Get hash	malicious	AsyncRAT, DcRat	Browse	104.20.3.235
	French Group.js	Get hash	malicious	Unknown	Browse	172.67.19.24
	xnxx.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	sostener.vbs	Get hash	malicious	Remcos	Browse	104.20.3.235
	pxkGBmsm1Y.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	yyTqxbOXbF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.3.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	PRICE REQUEST RSM PQ24.docx.doc	Get hash	malicious	Remcos	Browse	154.216.19.222
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.21168.15147.rtf	Get hash	malicious	Remcos	Browse	154.216.19.222
	PQ2AUndsdb.exe	Get hash	malicious	Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	154.216.18.223
	ORDER PO 40192005315.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	154.216.20.37
	SecuriteInfo.com.NSIS.Runner.AV.tr.19719.14302.exe	Get hash	malicious	Unknown	Browse	154.216.20.190
	file.exe	Get hash	malicious	Python Stealer, Amadey, Cryptbot, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	154.216.18.223
	SecuriteInfo.com.Win32.MalwareX-gen.20431.17656.exe	Get hash	malicious	XWorm	Browse	154.216.18.213
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	154.216.18.223
	SecuriteInfo.com.Win32.PWSX-gen.17334.14366.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	154.216.20.211
	jasht.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	154.216.18.202
CLOUDFLARENETUS	instruction_3.pdf lnk.lnk	Get hash	malicious	LummaC	Browse	172.67.132.84
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	ATT09876.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.70.233
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	ocedures.msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	Smeg SignRequest.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	104.26.13.205
	RFQ-MR-24-09101 .xls	Get hash	malicious	Unknown	Browse	162.159.134.233
CMCSUS	M12_20240821.xls	Get hash	malicious	Remcos	Browse	45.90.89.98
	7jJ5MmlHbSHkdkHmvUSAjcUp2P2shzjYzN.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	5W1oMx0mvDdA5qxT1IJjtPL48vEFbOM1gh.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	b4JF06gZTMJpnYlsUOImGOM77xqMU1h8u3.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	FtxaQtUvjBYIMfEEaq6CUaPLqJCNXnjMDz.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	f4rgX4ruBw0IqdorzUGWIF1EBpCY4DpfH7.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	E2DOzYCJe9OYVW5SsJ2Jg6aTHfwMbZ7cur.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	g92VW6HmXFjoaY59hp7I27MOMpwpqH3P9p.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	KYt69aM0Jgz04AE6lMagZrayDAjhqRjmaW.elf	Get hash	malicious	Unknown	Browse	95.214.27.215
	jDompfBEAo5nBGaxxoiVa9alIryPld6eeh.elf	Get hash	malicious	Unknown	Browse	95.214.27.215

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	instruction_3.pdf lnk.lnk	Get hash	malicious	LummaC	Browse	104.20.4.235
	ATT09876.htm	Get hash	malicious	HTMLPhisher	Browse	104.20.4.235
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.20.4.235
	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse	104.20.4.235
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	104.20.4.235
	New_Order_Big_Bag_PDF.exe	Get hash	malicious	FormBook	Browse	104.20.4.235
	Faktura.vbs	Get hash	malicious	Remcos	Browse	104.20.4.235
	PAYMENT SV 31 FATURA.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	PAYMENT SV 31 FATURA.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	104.20.4.235
caec7ddf6889590d999d7ca1b76373b6	QIkZ7aeVBV.msi	Get hash	malicious	DanaBot, RHADAMANTHYS	Browse	154.216.19.149
	SensApi.dll	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	IrJIw2lsaB.msi	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	ptuNVk3HeK.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	uf0VrlE1bR.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	XaEvV3DPc7.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	TkeeN4qh4z.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.19.149
	qc.ps1	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	154.216.19.149
	yd2.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	154.216.19.149

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe	QvbimOZ2Ww.exe	Get hash	malicious	LummaC	Browse
	https://www.iobit.com/en/advanceduninstaller.php	Get hash	malicious	Unknown	Browse
	iobituninstaller.exe	Get hash	malicious	Unknown	Browse
	iobituninstaller.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\vcl120.bpl	Archivevalidv4.exe	Get hash	malicious	Remcos	Browse
	https://www.iobit.com/en/advanceduninstaller.php	Get hash	malicious	Unknown	Browse
	iobituninstaller.exe	Get hash	malicious	Unknown	Browse
	iobituninstaller.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.363435887027673
Encrypted:	false
SSDEEP:	6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
MD5:	A92E44C0313DAFEC1988D0D379E41A2F
SHA1:	C2F5644C418A81C1FB40F74298FF39D1420BFAC0
SHA-256:	F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
SHA-512:	4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1312792
Entropy (8bit):	6.788056062689588
Encrypted:	false
SSDEEP:	24576:NpzWZ5CkBgB9IxAr7BptfYfG1inqCi2BZbqvWmAUlddWdBMTvNisj273HY:85CkyBbr7vbgHi2HAYwT1H274
MD5:	58717509C1521EACFCC7CDA39E6BD45C
SHA1:	5102DC3A82E8A2710AC67521F85F43F5296B5045
SHA-256:	D76D0650B630FDB70756A446E0A43672B5DA1C2A74014118B02133923305DA9A
SHA-512:	C637C2960B8A0BC111B408AF05A0879D9A10F05D802EE7B8B9F115CB54606F76F4475375CECFA9FDB0518BE0340B2C5BD23F8FE100DC21DB88287A9227C0E69F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: QvbimOZ2Ww.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: iobituninstaller.exe, Detection: malicious, Browse Filename: iobituninstaller.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...{x.`............................$.............@..........................P...................@...................@..W........@... ..D!...............B...p...............................`.......................................................text...x........................... ..`.itext.............................. ..`.data...............................@....bss.....................................idata...@.......B..................@....edata..W....@......................@..@.tls.........P...........................rdata.......`......................@..@.reloc.......p......................@..B.rsrc...D!... ..."..................@..@.....................D..............@..@........................................................

C:\Users\user\AppData\Local\Temp\cfi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	33280
Entropy (8bit):	5.580843960508835
Encrypted:	false
SSDEEP:	384:OHxRXcrP31VZBELR1nvJff3cdiwOURJpkFTBLToOZwxJd2v99Ikuisk2VFxOjhXv:nPjgR5vJ3cdIUGF/9jmOjhXbr
MD5:	3C037C127FF204C10F15866F0A47ACD0
SHA1:	EB1736A2E311BC34B8BF2DC6768878E16731D5A1
SHA-256:	AEB211A2085D38ED9FBB863E8B492DEB8CBF911ACE382B1ECD3B2CCD01298A47
SHA-512:	41A0A0B8A60F492468CB5467B3F2D2991D7B503174D26E34E6C605CC1A0A5203506D0F283C833E9624041D3F4AFC2B74A30F894DAE5B5359DB14B78C8A493B9B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\cfi, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\cfi, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.M.................x..........~.... ........@.. ....................................@.................................(...S.................................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B................`.......H.......,O...G............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Temp\d31d8958

Download File

Process:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
File Type:	data
Category:	modified
Size (bytes):	1201505
Entropy (8bit):	7.139167390831655
Encrypted:	false
SSDEEP:	24576:2TXn5v2ANwjrpcJEIODJiv/ksez0/GxF3pI+Wl4L90:2Tl2nplIOSM/3y4L90
MD5:	5E13641E6071805A61A25087D7C2FAD3
SHA1:	E3767A0B17F5F20010D79104231B5B74FE4F6578
SHA-256:	0410DE24162EFAED306F140FD7802D582833FF7D00B12C8539490D422B54904F
SHA-512:	5C65059371FA0F436614D5651A5E08A6EA5DFE7779D0CD1DA3CCBB6C04E18CFAF41E221FA4EF17AB47B19825548922F40F2C2AF71F171E1A6E90BAD3ABBBB029
Malicious:	false
Preview:	..+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...*...{......f...D..._...E...X...J..f...w...L...X...J...[...+...+...+...+...+...+...+...+...+...+...+...b...B...Q...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...h..._...X...H.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...b...y...B...X.......w...F...Y.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+..........+...+...+...+...+...+...+...+...+...+...+.

C:\Users\user\AppData\Local\Temp\e5b60341

Download File

Process:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
File Type:	data
Category:	modified
Size (bytes):	1201505
Entropy (8bit):	7.139172707256793
Encrypted:	false
SSDEEP:	24576:1TXn5v2ANwjrpcJEIODJiv/ksez0/GxF3pI+Wl4L90:1Tl2nplIOSM/3y4L90
MD5:	8EC1936C424DBB4C4F53522D4A6B8CED
SHA1:	65550DABD9971E94119333A36F5E5042878EF569
SHA-256:	04EA742EA18A0F107C0C66710B53DF4FA5EE36C90C3D1B3AC31BAE231AF5F6AA
SHA-512:	022CEC702282F49D4A66AE51F2A70976577EFFBEE64D6A8994A3DCEBE6E8F8B9AF93AC27303962CE26ACAAFEB86844D76CD7BC87B62587BE43E9309635CE8049
Malicious:	false
Preview:	..+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...*...{......f...D..._...E...X...J..f...w...L...X...J...[...+...+...+...+...+...+...+...+...+...+...+...b...B...Q...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...h..._...X...H.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...b...y...B...X.......w...F...Y.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+..........+...+...+...+...+...+...+...+...+...+...+.

C:\Users\user\AppData\Local\Temp\ec76b918

Download File

Process:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
File Type:	data
Category:	modified
Size (bytes):	1201505
Entropy (8bit):	7.1391711002032086
Encrypted:	false
SSDEEP:	24576:KTXn5v2ANwjrpcJEIODJiv/ksez0/GxF3pI+Wl4L90:KTl2nplIOSM/3y4L90
MD5:	FE4622D80D5F292A4B5EFE427CC0DB36
SHA1:	139A69BF1809160A42EEBC227840D7D4F887A708
SHA-256:	FE2AF8CD642848585F999D04EE4CA54E62CD965D40A5ED1BD671BD668B0815EE
SHA-512:	6D882798B46755E8EDEC3088C05AA85C239C2D970A8428A51F996B46EBB8665C9D007276662882425BA93911770832E3C90824253CE97C8DA503F02390C62AFB
Malicious:	false
Preview:	..+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...*...{......f...D..._...E...X...J..f...w...L...X...J...[...+...+...+...+...+...+...+...+...+...+...+...b...B...Q...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...h..._...X...H.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...b...y...B...X.......w...F...Y.+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+...+..........+...+...+...+...+...+...+...+...+...+...+.

C:\Users\user\AppData\Local\Temp\mvyvk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	983500
Entropy (8bit):	7.601895498001173
Encrypted:	false
SSDEEP:	24576:44RKraqOVA2HlEkR/iQugC20E8TsveTqu3:orabVj2kR/Oz5svemu3
MD5:	6FD4005525F3029CD0E664E5729F048D
SHA1:	BCDD6ED97C89C33E24F15CC76DDF6A8DB9136218
SHA-256:	20353143A20E7962473B12A4614B0874327C130A309F6D7B15AC5FD7214C2D13
SHA-512:	0CF2A9ABC6D92628C226E0D86203532105234BE5E0BB519F8A7F564F3C4B5514E6F3A682EC1EE16A61AFF34AFC2A26110B9E0B8BDFA191EE7C1F7F0A16D9EEB9
Malicious:	false
Preview:	uI..OZ..BP..Z..r..e.w].sFA...vM.C.`mdH.tpj..[e.G.f..c...y.lvE....WJ.h..H.w.f....GC.l....e.]\`TPG......Op..PQA.I..S..d.A..wdiXKl....DKT.Y...k.M.\..vDp..MJIfJ[\k.FKg.Hf..UB...].A.V.D..\.._.Ie..y..lH...B`ea..OjRk\..`.jqG......K.Eq..C\.WiL..g..TY_E.G]Pl.OY.C.....bSGBcR....m....Smbe^qK.Qvlj...........MSpB_.bB......hD.HC...sdYh..ht.Q.....V..wH.]yf..f.p.fJ...f..q.....W`.[.HPuj..vy.Ge.L..^.KF\..D.f..Jq._.K.nu....kK.g..Dkv.u._.V.m...c._y.PZ.PX^jGE.CV.t.[h_.........KcQ.i....].g..O..iqF.s......j.m^Oa.V.A.vEKlJc.vb.H.Q........YI.ss.FMY..VW`.....sQv..Y.N..`.Lv.vQ.uch..A...\R...xE...x.p.......Jd.oH.Y...NK.....mm.khZ..S.LbIK...F..UN..o.G.u.g.pcPpE...GJ.K.`.....JF...US..HI.nS..........umJN......QCb..gX...oxG.b]M.]..eq.Z..oY....C..E.U\.UA...tcp`MV.....Xv.k.lwg.X`..P..JE..yo....t.w.Zr.D..pR[nx..Ls.olPmF..ya.t..qjlC.y_T........h.ef^N.KpAv.B..Wk...F..X^.PP.HxV.I.YG..TLK...lQ.c...Z.sfsYH....yq..I..\....Wm...cM.k.O.K.^..u..........`Z.s.HiIC.Hh.t.t......F^.Os.Pj`..Q...eIU.Z.yD.....nl.WKL.....cV.ba.O.Q..c.C..

C:\Users\user\AppData\Local\Temp\nfsxtmg

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	31958
Entropy (8bit):	5.0852242171362665
Encrypted:	false
SSDEEP:	768:OsO+nY4JhielJ7K2hGqUY8sl+11QbQfVrWpnfuAFgF/9qTSRK:OsZY4JrE2Enuffcqmw
MD5:	8ADE14406162E1ACD567B99843AEAFB9
SHA1:	76886AB3D6C8C62A9B5FC9D3785B4395E0A75678
SHA-256:	A465457514E861E867729368E650B69861E4C8A3EC547A30E67B3AEC77599724
SHA-512:	BDE1333A1CD35CB3C24DB0055D1F761F966C68EF3A1B7060AA204F07813B0B697C6DC6700736804D05E41BE15367493A13E1A9897CC5AA5EF1BC831DC6618905
Malicious:	false
Preview:	....w....YN.c`.A.R.EPvb.Iq.rE^b.....p.._XWnUB.....`sk....q`_d`..G.FaIcBSP..b._M.t..MgkA..._..cU.U..MLIh.a..gr.L.ag`].^..e.ex..wB..hw..f..c.cB]\...f...F..uf.O...[xhoUP..kt.hx..ZYP\Q[d.n\...JRJ.f.PR.jEfR...U....G.o.x......pxUYhQ...C...cZ].xd.BDf....BQ[....r.C.pO._.YWo.x..C.sAr.tAxZsa._jm...nW.]x.X.\.j......x.ym.b...H\.jy.X.km.m..X......ujil....jPSl...xE.S..EBOACG.....oM.S.svEU...Db.jG...G..w.DVeWX..J.wwW.H.u...u........byl.oeMG.XOL^N.UwqN.\..i.G.b.CWW....[.D...i.`N.gb..I..q......cc..N.AX._I.c.x.p....X.h.Cv.O.e.u..Mh..kX..g..IG.ov.W``e.......xVXsvB......t.....u....ELZ..BDceRXr.b..k..g].....[.\if\.B.w.e.u...t.CQaF...HEq.k.N..DXs...Ce..H.qPy\L..Un..a.NY....b.a..`do.J..........VK.Now.^.b\gA..f..a..b...w.f.c...lR^CJ.E.aJ]...a.......aEY...M..t.j..U.y..QJ.g...KPc..kGP....w..i.....mSp..PPEB............jx.]SLw..v.....[C..X.D..jZIXld....J..F\nFQQW.....P]O.r.J...nx..c.qn.TN.F.m..F.C.e..uqC.F.L`o.i.^Y.b..\.wL.gJ]bv....^.v..nf.yk.A....PUx....Y.u...W_U.[OE.....q.N.OWr.[gq.gE.P....f...py^Vc..M..`..j.C.

C:\Users\user\AppData\Local\Temp\rtl120.bpl

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1095168
Entropy (8bit):	6.807406814721096
Encrypted:	false
SSDEEP:	24576:lbh75FWbA1msvIRzM7Rk5JZzSQ4+Is2jMTZ0rbo:W2gTyrbo
MD5:	C80F3B711D04C486CCDF3740689B3569
SHA1:	C8724122282A018F8FB9F8775D0615311DA4FD70
SHA-256:	A4DF6624A65C83002E97D81D96BD85C3B1370129C486BD43CB399E76A6E4D393
SHA-512:	E977A1118B3B94FDAC13073E9C60F8E43531CD8F0136F60774FD891175815C3839A316AEF496D6E5C3038CC119DD936356B1D01C521E3BC9C1C01F1BE998D4B7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\rtl120.bpl, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H...........................................P.........................`.................................................X$...p..........................H.......................................................x............................text.............................. ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@.......(...................idata..X$.......&...(..............@....edata...............N..............@..@.rdata...............0..............@..@.reloc...............2..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

C:\Users\user\AppData\Local\Temp\tqco

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	33280
Entropy (8bit):	5.580843960508835
Encrypted:	false
SSDEEP:	384:OHxRXcrP31VZBELR1nvJff3cdiwOURJpkFTBLToOZwxJd2v99Ikuisk2VFxOjhXv:nPjgR5vJ3cdIUGF/9jmOjhXbr
MD5:	3C037C127FF204C10F15866F0A47ACD0
SHA1:	EB1736A2E311BC34B8BF2DC6768878E16731D5A1
SHA-256:	AEB211A2085D38ED9FBB863E8B492DEB8CBF911ACE382B1ECD3B2CCD01298A47
SHA-512:	41A0A0B8A60F492468CB5467B3F2D2991D7B503174D26E34E6C605CC1A0A5203506D0F283C833E9624041D3F4AFC2B74A30F894DAE5B5359DB14B78C8A493B9B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\tqco, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tqco, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.M.................x..........~.... ........@.. ....................................@.................................(...S.................................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B................`.......H.......,O...G............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Temp\uhlqevxks

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 27 15:23:32 2024, mtime=Tue Aug 27 15:23:32 2024, atime=Tue Aug 27 13:23:24 2024, length=1312792, window=hide
Category:	dropped
Size (bytes):	1111
Entropy (8bit):	5.065432251526404
Encrypted:	false
SSDEEP:	24:8ReB2XIRTgKfQrOART5c5CcnJDJUwqygm:8RK2XIR7QrVR1c5pJDJmyg
MD5:	D3C3167C32141463285DCCA9E1924422
SHA1:	26B3FA2192440C250E0DD9865E98DACE3AD2966A
SHA-256:	1AA70BD7E85B47F03EF64CD3503947A84AFE4165E68AF061BAA941351C39AB9B
SHA-512:	46A5002952913E0EDE9BEA9DB7658D4FAC39DCD281B86931DAFA40BBE453ED81E31EEFBF0A075BAAE5DEEB21F687B2ACA61606CCE2D7E3B3F60CF9ACD0E38B9F
Malicious:	false
Preview:	L..................F.... .....0u......gu....Ifs...............................:..DG..Yr?.D..U..k0.&...&......Qg._......p....w..~........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y...........................3N.A.p.p.D.a.t.a...B.P.1......Y...Local.<......EW.=.Y...........................w(P.L.o.c.a.l.....N.1......Y...Temp..:......EW.=.Y...........................J.).T.e.m.p.....v.2......Y.r .SENDBU~1.EXE..Z.......Y..Y.....S#.......................S.e.n.d.B.u.g.R.e.p.o.r.t.N.e.w...e.x.e.......i...............-.......h............C......C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe..=.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.S.e.n.d.B.u.g.R.e.p.o.r.t.N.e.w...e.x.e.........\|....I.J.H..K..:...`.......X.......134349...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.

C:\Users\user\AppData\Local\Temp\vcl120.bpl

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2015240
Entropy (8bit):	6.681879780616523
Encrypted:	false
SSDEEP:	24576:v2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6W:vRSf0Ww+NpPSyzYY8c8YEPI4+W
MD5:	9A438A75E68E88CDABC13074A17F8A52
SHA1:	97C94801D37D249ECE7BA9ACA05703303FD9CF06
SHA-256:	CCCCADDE7393F1B624CDE32B38274E60BBE65B1769D614D129BABDAEEF9A6715
SHA-512:	19D260505972B96C2E5AE0058A29F61E606E276779A80732DBEE70F9223DBFF51DCB1F5E4EFF19206C300EE08E6060987171F5B83AD87FDD8F797E0E2DB529FC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Archivevalidv4.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: iobituninstaller.exe, Detection: malicious, Browse Filename: iobituninstaller.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H.....................l............... .....P.................................8...............................P...'...`.......................t...L.......^.............."....................................y...............................text...4........................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P..........................idata.......`.....................@....edata...'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

C:\Users\user\AppData\Local\Temp\vclx120.bpl

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228872
Entropy (8bit):	6.587649015139548
Encrypted:	false
SSDEEP:	3072:f4af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sB65avEtAf:Qaf8kLWL7Xov8bNxdOmrfgYmHA6G
MD5:	8AAA3926885B3FA7AE0448F5E700CB79
SHA1:	47BD7D281DDDE5EBEF8599482212743BF2F7E67B
SHA-256:	47396C301FBE78BFAF9E344936A0F7A4E6D174C096F847E160D822E48012162D
SHA-512:	86D395CA89EC2A988F035ECB32640DDAC99247E2568673246388FE310E8C3A44807049E8F3482FAE86C453D5E3529A8F2DAF8614A1086B6D979E64FD917BBE3A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H..........................................1P.................................E...................................\|......&....P...>...........2...L... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...\|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................

C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	5.554218335234964
Encrypted:	false
SSDEEP:	6144:YAYM3ZEWqf/qwPF7LR5W8ZJ74zmRiOFBbMh9q/JSB3ChNeK06iiRzmi0F9:YWBqf/qq3R5W8ZB4zmRzbassViRUF9
MD5:	AE36397A23D16920DDFE4DFEC24F6B85
SHA1:	49F1EDAF5AF83457FC10D1E73680B59202057E28
SHA-256:	E36BBDF75E56C4D0562BA5ABA9E78D483A6196FE1EC891CC71EF9DB5556C9C81
SHA-512:	7642E0509969B1DE936F6F30A7A899BCEDA2DDA526759911F2FF47BD32002DC992322D02347D26DFD3EB0594922F068BF9BE20BB760CE08A006F64D78781D0C3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UP.\|.1@/.1@/.1@/ZIC..1@/ZIE..1@/ZID..1@/.NE.71@/.ND..1@/.NC..1@/ZIA..1@/.1A/v1@/+.D..1@/.1@/.1@/+../.1@/+.B..1@/Rich.1@/........................PE..L..._{_d...............%............5R....... ....@.......................................@.................................Ly..P...............................@...@n...............................m..@............ ..d............................text...3........................... ..`.textbss..... ...........................rdata...a... ...b..................@..@.data... ............l..............@....rsrc................v..............@..@.reloc..@...........................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.966606172288751
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'594'056 bytes
MD5:	61d31fb13c1dd46fcb03caf7f648508c
SHA1:	ecd46d1e09bdfa50c1587690e70262bc14ba751c
SHA256:	6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
SHA512:	c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
SSDEEP:	49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
TLSH:	D2C5334237C0D8FCDA22C132AF28EB974177D3A42B5A5F479ECA0F469D931B246471DA
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.............................

File Icon


Icon Hash:	d292fcd8f2f2fe1c

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F2DD10E5DC2h
cmp dword ptr [00417710h], ebx
jne 00007F2DD10E5CAEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F2DD10E5D94h
push 00417048h
push 00417044h
call 00007F2DD10E5D7Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F2DD10E5D4Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x18d04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x18d04	0x18e00	9dee09854e79aa987e5336a4defda540	False	0.2433358197236181	data	5.382874846103129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.6781914893617021
RT_ICON	0x1a658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.47068480300187615
RT_ICON	0x1b700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.41161825726141077
RT_ICON	0x1dca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.3213863958431743
RT_ICON	0x21ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.1865609842659411
RT_GROUP_ICON	0x326f8	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x32744	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x32a94	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-27T18:25:39.178331+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49742	154.216.19.149	192.168.2.7
2024-08-27T18:27:41.196133+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:34.785984+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:30.796640+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:20.764109+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:20.764109+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:57.630580+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:04.577640+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:26.866896+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:12.788465+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49738	154.216.19.149	192.168.2.7
2024-08-27T18:26:49.796937+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:57.626918+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:38.022006+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:47.874046+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49743	154.216.19.149	192.168.2.7
2024-08-27T18:25:06.198814+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49737	154.216.19.149	192.168.2.7
2024-08-27T18:26:26.349934+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:10.633780+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:26.009886+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49740	154.216.19.149	192.168.2.7
2024-08-27T18:26:49.692892+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:54.396979+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:10.629778+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:01.054684+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49745	154.216.19.149	192.168.2.7
2024-08-27T18:26:04.674425+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:50.775975+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:50.775975+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:32.243193+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:09.054842+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:33.370929+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:30.794802+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:47.100381+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:20.770041+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:20.770041+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:32.286779+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:26.868692+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:42.460464+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:23:55.617151+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	2047	49722	154.216.19.149	192.168.2.7
2024-08-27T18:23:55.617151+0200	TCP	2854824	ETPRO JA3 HASH Suspected Malware Related Response	2	2047	49722	154.216.19.149	192.168.2.7
2024-08-27T18:26:20.762189+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:20.762189+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:17.618090+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:20.760087+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:20.760087+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:27.456651+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49749	154.216.19.149	192.168.2.7
2024-08-27T18:26:50.765418+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:50.765418+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:56.694912+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:47.105103+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:26.168534+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:13.397343+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49724	154.216.19.149	192.168.2.7
2024-08-27T18:26:58.981890+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:20.847926+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49748	154.216.19.149	192.168.2.7
2024-08-27T18:25:32.600766+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49741	154.216.19.149	192.168.2.7
2024-08-27T18:26:04.628339+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:20.210101+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49757	154.216.19.149	192.168.2.7
2024-08-27T18:24:59.597331+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49736	154.216.19.149	192.168.2.7
2024-08-27T18:25:50.757178+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:50.757178+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:05.826678+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:26.348263+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:04.528278+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:29.788300+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:00.915808+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:33.268990+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:19.421341+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49739	154.216.19.149	192.168.2.7
2024-08-27T18:25:33.270765+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:58.985323+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:07.007597+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49755	154.216.19.149	192.168.2.7
2024-08-27T18:24:33.103498+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49732	154.216.19.149	192.168.2.7
2024-08-27T18:26:04.629665+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:38.024231+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:20.733952+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:39.764202+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49733	154.216.19.149	192.168.2.7
2024-08-27T18:25:54.412909+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49744	154.216.19.149	192.168.2.7
2024-08-27T18:27:41.194654+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:17.677745+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:40.707005+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49751	154.216.19.149	192.168.2.7
2024-08-27T18:27:33.412952+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49759	154.216.19.149	192.168.2.7
2024-08-27T18:25:54.399226+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:54.129729+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:57.543554+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:13.613289+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49756	154.216.19.149	192.168.2.7
2024-08-27T18:26:26.161543+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:17.538502+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:26.810973+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49758	154.216.19.149	192.168.2.7
2024-08-27T18:27:22.307659+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:04.514116+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:07.680138+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49746	154.216.19.149	192.168.2.7
2024-08-27T18:26:53.831904+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49753	154.216.19.149	192.168.2.7
2024-08-27T18:25:33.369248+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:00.917898+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:27:40.797989+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49760	154.216.19.149	192.168.2.7
2024-08-27T18:25:20.554917+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:26:17.536001+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:57.536064+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:22.311512+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:46.292252+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49734	154.216.19.149	192.168.2.7
2024-08-27T18:24:42.457944+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:48.876419+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:09.050707+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:48.879074+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:05.821094+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:26:14.309050+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49747	154.216.19.149	192.168.2.7
2024-08-27T18:25:20.493111+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:27:29.786129+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:26.490485+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49728	154.216.19.149	192.168.2.7
2024-08-27T18:26:47.223099+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49752	154.216.19.149	192.168.2.7
2024-08-27T18:27:00.478416+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49754	154.216.19.149	192.168.2.7
2024-08-27T18:26:34.056313+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49750	154.216.19.149	192.168.2.7
2024-08-27T18:25:58.629118+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:23:40.370278+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	2047	49706	154.216.19.149	192.168.2.7
2024-08-27T18:26:04.673062+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:25:34.788787+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:20.104509+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49727	154.216.19.149	192.168.2.7
2024-08-27T18:24:52.951046+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	443	49735	154.216.19.149	192.168.2.7
2024-08-27T18:24:07.411768+0200	TCP	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	2047	49723	154.216.19.149	192.168.2.7
2024-08-27T18:24:07.411768+0200	TCP	2854824	ETPRO JA3 HASH Suspected Malware Related Response	2	2047	49723	154.216.19.149	192.168.2.7
2024-08-27T18:25:58.631925+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:25:56.693091+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	6677	49726	85.209.133.150	192.168.2.7
2024-08-27T18:24:54.131663+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	49726	6677	192.168.2.7	85.209.133.150
2024-08-27T18:24:30.688337+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49726	6677	192.168.2.7	85.209.133.150

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:23:26.153641939 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:23:27.653712034 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:27.669332027 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:27.825567961 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:30.169683933 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:30.544250965 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:30.966125011 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:23:31.294337988 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:32.794246912 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:35.778656006 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:37.263047934 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:37.278733969 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:37.514588118 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:39.701059103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:39.706599951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:39.706670046 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:39.706784010 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:39.711581945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:39.852328062 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 27, 2024 18:23:39.852524996 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:40.361702919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.364922047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.370277882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.567555904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.575537920 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:23:40.577579975 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.582725048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910670996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910700083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910756111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910754919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.910797119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910809040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910820961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910832882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910839081 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.910886049 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.910926104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910938978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910949945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910960913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910974026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.910989046 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.911067009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.911145926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.916440010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.916512012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.916516066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.916523933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.916574001 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.916651011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.918426991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.918484926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.918488979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.918498993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.918574095 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.925957918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.925971031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.925981045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.926043987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.933468103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.933480978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.933491945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.933542013 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.933567047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.940859079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.940871954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.940882921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.940959930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.948159933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.948172092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.948184013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.948263884 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.948263884 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.955287933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.955300093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.955311060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.955360889 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.962342978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.962358952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.962369919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.962407112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.962445021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.969435930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.969472885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.969491005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.969575882 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.976514101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.976600885 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.976615906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.976627111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.976672888 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:40.983921051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.984210014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:40.984267950 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.001589060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.001640081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.001655102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.001733065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.001777887 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.001808882 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.021420956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.021445990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.021459103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.021516085 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.025036097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.025048018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.025058985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.025085926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.025181055 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.031666040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.031688929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.031704903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.031764984 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.037580013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.037604094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.037616014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.037647963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.037723064 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.043600082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.043641090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.043649912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.043694019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.049552917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.049566031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.049577951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.049609900 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.049668074 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.055382967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.055457115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.055469036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.055515051 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.055565119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.055743933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.061367035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.061445951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.061455011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.061537981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.067461967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.067481041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.067492008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.067533970 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.067534924 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.073576927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.073631048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.073640108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.073708057 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.079222918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.079268932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.079273939 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.079305887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.079371929 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.079435110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.088289976 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.088310957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.088327885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.088345051 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.088385105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.088392973 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.094166994 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.094199896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.094223022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.094274998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.094352007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.094372988 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.099881887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.099946022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.099967957 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.099982977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.100037098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.100060940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.105300903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.105331898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.105338097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.105384111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.105384111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.110404968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.110456944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.110466003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.110541105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.115541935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.115555048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.115565062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.115592003 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.115652084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.120198965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.120253086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.120287895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.120299101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.120321989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.120434999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.125036001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.125077963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.125210047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.125241995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.125394106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.125438929 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.129914045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.129996061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.130007029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.130048037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.134844065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.134882927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.134892941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.134938002 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.139941931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.139954090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.139966965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.140003920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.142884970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.142908096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.142919064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.142934084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.143009901 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.145792961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.145833015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.145899057 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.145922899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.145932913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.145971060 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.148808956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.148855925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.148866892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.148912907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.151760101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.151798964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.151808977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.151813030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.151870012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.154756069 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.154767990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.154859066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.154865026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.155018091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.155579090 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.157757998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.157769918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.157784939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.157898903 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.160586119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.160631895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.160641909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.160692930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.160692930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.163636923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.163659096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.163669109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.163707972 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.167471886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.167495966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.167505026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.167540073 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.169425011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.169471979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.169481993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.169526100 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.169526100 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.172516108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.172538042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.172548056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.172569036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.174578905 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.175139904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.175185919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.175194979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.175236940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.179349899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.179389954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.179546118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.179557085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.179573059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.179572105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.179639101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.179639101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.182281971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.182307005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.182316065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.182579041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.184998035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.185023069 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.185033083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.185094118 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.187787056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.187823057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.187832117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.187884092 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.190407991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.190453053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.190463066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.190511942 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.190511942 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.193131924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.193197966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.193207026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.193257093 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.195884943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.195928097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.195936918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.195974112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.199158907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.199229002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.199276924 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.199295998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.199948072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.200634003 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.201292992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.201356888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.201366901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.201407909 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.203959942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.203970909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.204073906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.204082966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.204097033 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.205240965 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.206657887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.206669092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.206721067 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.206751108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.206794977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.206954002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.209317923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.209342003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.209352016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.209395885 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.212142944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.212163925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.212171078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.212241888 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.214656115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.214669943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.214680910 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.214736938 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.217211008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.217236996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.217246056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.217292070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.220184088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.220195055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.220206022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.220249891 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.220266104 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.222373962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.222408056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.222421885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.222467899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.224922895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.224967003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.224972010 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.224977016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.225030899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.227417946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.227438927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.227448940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.227508068 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.230051041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.230063915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.230077982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.230112076 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.230132103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.232362032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.232402086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.232417107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.232498884 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.235388041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.235414028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.235424042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.235464096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.235481977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.237490892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.237541914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.237565041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.237592936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.241264105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.241317987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.241354942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.241367102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.241379023 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.241426945 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.243676901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.243719101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.243729115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.243766069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.243766069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.246100903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.246121883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.246185064 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.246212006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.246232033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.246284962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.248461008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.248472929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.248490095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.248547077 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.250694036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.250704050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.250742912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.250821114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.250830889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.250894070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.253212929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.253231049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.253242016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.253262997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.253293037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.255019903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.255026102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.255069017 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.255103111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.255111933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.255166054 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.256963968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.256973982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.257030010 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.257049084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.257508993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.257913113 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.259116888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.259139061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.259150028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.259215117 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.260741949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.260795116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.260806084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.260814905 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.260854959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.262554884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.262566090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.262624025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.262633085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.262651920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.262762070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.264333010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.264349937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.264360905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.264432907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.266078949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.266104937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.266114950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.266165018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.266165018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.267956018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.267970085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.267976999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.268035889 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.269572973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.269599915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.269608974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.269665956 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.269665956 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.271692038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.271728992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.271738052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.271903992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.273349047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.273372889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.273411989 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.273421049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.273463964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.273472071 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.274673939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.274739981 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.274770021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.274797916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.274811029 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.275904894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.277002096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.277025938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.277034998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.277059078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.277117014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.278021097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.278048992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.278058052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.278106928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.279946089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.280003071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.280013084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.280070066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.281428099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.281492949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.281503916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.281641006 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.282679081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.282730103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.282740116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.282793045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.282805920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.285130024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.285245895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.285257101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.285276890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.285286903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.285336018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.285389900 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.286530018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.286540031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.286592960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.286628962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.286757946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.286854029 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.288125038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.288166046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.288176060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.288186073 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.290616989 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.291697025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.291750908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.291763067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.291812897 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.291812897 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.291826010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.292301893 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.292707920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.292762041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.292771101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.292776108 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.294056892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.294075966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.294087887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.294126034 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.294126987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.295382977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.295396090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.295407057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.295439005 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.295479059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.296875000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.296915054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.296924114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.297856092 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.298180103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.298192024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.298230886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.298258066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.298307896 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.298702002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.299576044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.299588919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.299650908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.299676895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.299711943 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.300030947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.301032066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.301069975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.301079988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.301120043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.302340031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.302351952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.302381992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.302392006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.302423000 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.302581072 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.303685904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.303734064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.303742886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.303787947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.305174112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.305186033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.305213928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.305223942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.305239916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.306011915 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.306523085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.306566000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.306576014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.306586981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.306616068 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.307650089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.307697058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.307706118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.307738066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.309437037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.309488058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.309490919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.309498072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.310070992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.310280085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.310305119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.310345888 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.310372114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.310383081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.310425997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.311750889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.311773062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.311834097 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.311866045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.311876059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.311956882 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.314229965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314270973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314284086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314338923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.314410925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314421892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314435005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.314490080 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.314490080 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.319310904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319359064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319370985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319406986 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.319500923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319514036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319528103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.319550037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.320513964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.328071117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328099012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328162909 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.328195095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328250885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328265905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328278065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328313112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.328336000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328372002 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.328742027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.328986883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.333065987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333077908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333090067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333147049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333158016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333168983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333168983 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.333208084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.333209038 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.333492041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333513021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.333553076 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.340137005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340167046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340178013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340225935 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.340284109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340296984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340310097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.340382099 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.340382099 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.340437889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345694065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345733881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345746040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345824957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345839977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.345901966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345913887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345958948 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.345978975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.345990896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.346110106 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.351541996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351557016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351568937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351610899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.351630926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.351703882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351716042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351727962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351739883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.351809025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.351809025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.357019901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357048988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357059002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357170105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.357182980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357193947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357206106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357218027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.357234001 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.357254982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.362060070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362175941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362194061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362252951 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.362252951 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.362262964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362274885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362287045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362298012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.362334967 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.362368107 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.369853973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.369882107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.369894028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.369971991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.369982958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.369993925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.370007038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.370026112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.370026112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.370359898 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.372576952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372623920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372636080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372699022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.372704029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372725010 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.372730970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372868061 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.372905970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372917891 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372927904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.372963905 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.378218889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378232956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378243923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378253937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378267050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378269911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.378278017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378289938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.378318071 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.378318071 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.378334045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.380868912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.380899906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.380912066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.380943060 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.381048918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.381059885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.381071091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.381084919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.381128073 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.381128073 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.385118008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385143995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385159969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385185957 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.385241985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385266066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.385292053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385303020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385379076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385390997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.385401011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.385575056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.389348984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389374971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389386892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389400959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.389488935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389501095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389513016 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.389513016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389655113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.389661074 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.389751911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.395353079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395406961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395418882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395513058 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.395549059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395561934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395575047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395586014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.395622969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.395622969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.397218943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397265911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.397353888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397363901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397376060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397443056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.397479057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397490025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397500992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397511959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.397520065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.397563934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.401149035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401185989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401199102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401211977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.401269913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401290894 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.401324987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401336908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401349068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.401396036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.401396036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.406085968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406151056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406162977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406218052 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.406276941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406289101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406369925 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.406399012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406410933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.406505108 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.419943094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.419977903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.419989109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.420047998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.420047998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.420073986 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.420087099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.420101881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.420135021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.420393944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.420459032 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.420599937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432547092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432569981 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432581902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432594061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432626963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.432652950 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.432679892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432723999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.432758093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432770967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432780981 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.432811975 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.433098078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433110952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433123112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433144093 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.433166027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433178902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433192968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433203936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.433219910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.433768988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.433809042 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.443475008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443489075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443501949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443559885 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.443593025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443605900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443617105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443629026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443643093 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.443675041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.443742037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443830013 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.443892956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443953991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.443977118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.444010973 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.444046021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.444057941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.444094896 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.444938898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.444998980 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.448750019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.448829889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.448847055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.448887110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.448934078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.448934078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.448961973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.448978901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.449049950 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.449193001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.449537992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.449584961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.453751087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.453783035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.453795910 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.453844070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.453869104 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.453985929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.454041958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.454072952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.454091072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.454113960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.454240084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.454298019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.459673882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459741116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459753990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459805012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.459884882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459901094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459913015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459924936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.459928989 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.459968090 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.463416100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463470936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.463500977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463511944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463555098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463572979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463576078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.463587046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463601112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.463615894 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.463659048 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.463731050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467791080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467853069 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467865944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467905998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.467905998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.467940092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467952967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467966080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.467983961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.468029022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.468029022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.471985102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472187996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472198963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472210884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472223997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472235918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472243071 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.472281933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.472281933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.472449064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472505093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.472548962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.480196953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480282068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480292082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480345964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480345964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.480357885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480393887 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.480494022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480506897 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480519056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480531931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480540037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.480545998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.480591059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.480591059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.481337070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.481390953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.481404066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.481431961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.481507063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.481519938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.481549978 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.484142065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484184027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484194040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484230995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.484276056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.484374046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484448910 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484460115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484498024 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.484580994 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.484631062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.484723091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488163948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488176107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488193035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488207102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488214970 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.488262892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.488343954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488401890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488408089 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.488413095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488428116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.488456964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.492993116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493057966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493067026 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.493068933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493133068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493145943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493150949 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.493164062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493233919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.493242979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.493294001 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.506941080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.506953955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.506967068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.507066011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.507080078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.507117987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.507220030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.507230043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.507234097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.507258892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.519383907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519432068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519443989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519540071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519541979 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.519556999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519668102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519721985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.519727945 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.522624969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.531491995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531505108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531518936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531531096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531609058 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.531625986 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531658888 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.531814098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531831026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531842947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.531876087 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.531930923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.532111883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532124043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532135010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532146931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532171011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.532208920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.532232046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532867908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.532907963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.535743952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535815001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535830021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535880089 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.535921097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535933018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535945892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535957098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.535969973 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.536004066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.536124945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536164045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.536185026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536196947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536339045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536350965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536358118 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.536364079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536384106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.536458969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.536725998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.540632963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540668011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540685892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540720940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540822983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540860891 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.540924072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540935993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540946007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.540982962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.541167974 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.546397924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546408892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546427965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546488047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.546495914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546508074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546525002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546540976 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.546565056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.546858072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546895027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.546977043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.550442934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550456047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550468922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550502062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.550568104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550582886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550595045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550606966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.550623894 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.550671101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.554850101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.554899931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.554903030 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.554915905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.554964066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.554965019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.555080891 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.555135965 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.555144072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.555149078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.555186033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.555196047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.558878899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.558936119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.558948040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.558959007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.558985949 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.559067965 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.559078932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.559159040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.559170008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.559181929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.559206963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.559206963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.567169905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567231894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567245007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567260027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.567332983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567344904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567351103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.567404985 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.567476988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567490101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567523956 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.567543030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567559958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567572117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567581892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.567605019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.568105936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.568155050 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.568170071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.568182945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.568221092 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.568665981 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.569592953 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.571225882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571238041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571253061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571274042 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.571305037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571340084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.571353912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571425915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571438074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571449041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.571496964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.571496964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.577284098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577296019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577307940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577358007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.577411890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577429056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577441931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577455044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.577483892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.577483892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.579911947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.579969883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.579978943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.580030918 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.580082893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.580096006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.580111027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.580127001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.580142021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.580172062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.580529928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.593863964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.593900919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.593916893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.593945980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.594023943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.594048977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.594048977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.594109058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.594125032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.594129086 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.594136000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.594177961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.606431007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606487036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606498003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606508017 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.606542110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606583118 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.606642008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606653929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606698990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606705904 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.606710911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.606734037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617120028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617182016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617193937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617280006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617280960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617294073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617433071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617439032 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617501974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617513895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617513895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617593050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617604971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617619038 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617723942 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.617901087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.617990017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.618000031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.618032932 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.618046999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.618048906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.618058920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.618102074 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.622550964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622629881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622641087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622670889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622685909 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.622735977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622747898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622788906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.622788906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.622854948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622865915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622876883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622889042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.622925997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.622980118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.623698950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.623745918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.623758078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.623795033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.623832941 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.623832941 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.628070116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628082991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628093958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628195047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.628201962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628212929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628223896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628237009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.628251076 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.628281116 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.635725975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.636111021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.636207104 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.636250973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.636893034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.636905909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.636964083 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.637033939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.637047052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.637264967 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.638662100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638674974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638685942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638809919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638822079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638829947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.638834000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638968945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.638993025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.639162064 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.643029928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643043041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643055916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643100977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.643208027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643219948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643244982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.643418074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643429041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.643938065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.647178888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647191048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647202969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647274971 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.647317886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647327900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647341013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647479057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647491932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.647496939 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.647625923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.655313015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655327082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655339003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655349970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655360937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655373096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655392885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655404091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655415058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655416012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.655420065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655436039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655446053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655455112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.655492067 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.655492067 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.656794071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659678936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659691095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659703016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659786940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.659786940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.659825087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659836054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659847975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659857988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.659914017 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.659914017 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.666857004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.666904926 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.666913986 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.666982889 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.666994095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.667006016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.667017937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.667028904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.667068958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.667146921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.667195082 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.681962013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682097912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682107925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682121038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682140112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682152033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682153940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682324886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682324886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682379961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682549953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682560921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682573080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682584047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682595015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.682626963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682626963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682672024 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.682998896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.683152914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.683163881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.683176041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.683202028 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.683237076 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.693312883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693345070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693356991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693384886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693459988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693464041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.693543911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693555117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693564892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.693598986 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.693768024 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704061985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704121113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704133034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704191923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704231977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704242945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704255104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704266071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704325914 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704325914 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704430103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704441071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704509974 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704514980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704591990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704602957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704612970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.704655886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704655886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.704714060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.705002069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.705025911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709388971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709413052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709424973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709476948 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.709511995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.709537983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709588051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709602118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709656000 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.709675074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709686995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.709985971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710027933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710030079 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.710030079 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.710041046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710081100 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.710149050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710160971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710171938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710182905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.710201979 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.710325003 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.714917898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.714976072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.714987040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.715029955 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.715084076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.715100050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.715141058 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.715168953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.715181112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.715218067 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.720211029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720283031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720294952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720335960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.720375061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720386982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720429897 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.720429897 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.720510006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720521927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.720607996 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.728748083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728801966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728811979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728905916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728918076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728920937 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.728929043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728946924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.728956938 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.729027033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729048014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.729082108 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.729381084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729439020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729451895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729510069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.729582071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729593992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729604959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729617119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.729665041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.729665041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.731957912 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:41.733063936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733122110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733134031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733176947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.733257055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733273983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733283043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.733285904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733298063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.733361959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741147041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741307020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741317987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741331100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741405964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741417885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741425037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741444111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741444111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741497040 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741535902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741547108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741559029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741570950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741621017 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741730928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741740942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.741743088 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.741816998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.742382050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.742621899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.745290995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745335102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745345116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745402098 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.745445013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745456934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745560884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.745584011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.745624065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.745909929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753783941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753804922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753815889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753880978 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.753905058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753917933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.753977060 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.754012108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.754137993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.755494118 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.767643929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767657042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767668009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767719030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767730951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767736912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.767751932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.767781019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.767803907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.768045902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768100977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768111944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768168926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.768246889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768258095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768269062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768281937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768332005 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.768423080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768435001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.768498898 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.780222893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780234098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780313015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780316114 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.780380011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780390978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780401945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780420065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.780436039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:41.780513048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780524969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:41.780567884 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.107961893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.107980967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108001947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108014107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108025074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108036995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108053923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108099937 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108150005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108163118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108170986 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108212948 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108321905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108334064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108345032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108355999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108371973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108381987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108393908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108397961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108397961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108407021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108439922 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108834028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108844995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108855009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108865976 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108882904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108894110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108905077 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108915091 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108915091 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108916044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108927965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108937979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108944893 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108947992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108959913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108971119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108979940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.108983994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108984947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.108990908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109003067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109013081 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109014034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109054089 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109056950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109124899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109646082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109657049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109668970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109678030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109688044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109699011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109709978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109718084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109718084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109721899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109734058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109745979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109755993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109766006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109778881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109788895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109793901 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109793901 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109801054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109827995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.109869003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.109915018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.110318899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.110382080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.110424995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.343540907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343566895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343581915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343594074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343611956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343622923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343633890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343648911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343667984 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.343699932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343723059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.343739986 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343751907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343777895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.343924046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343935013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343946934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.343988895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.343988895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344153881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344208956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344224930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344258070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344356060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344368935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344379902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344392061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344420910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344420910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344530106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344542027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344590902 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344862938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344916105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344928026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.344976902 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.344976902 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.345057964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345068932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345078945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345092058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345149994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.345244884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345254898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345304012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.345304012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.345938921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345977068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.345988989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346043110 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.346127987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346138954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346148968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346162081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346185923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.346224070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.346273899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346286058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346340895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.346950054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346987963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.346998930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347037077 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.347088099 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.347119093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347130060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347141981 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347151995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347172976 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.347279072 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.347322941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347336054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347426891 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.347827911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347879887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347892046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.347981930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348014116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348025084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348036051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348046064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348104954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348104954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348212004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348222017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348278999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348683119 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348839045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348875046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348886967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.348941088 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.348941088 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.349009037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349023104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349033117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349044085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349071026 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.349104881 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.349139929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349152088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.349215984 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350393057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350403070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350414991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350466013 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350487947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350498915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350509882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350564957 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350564957 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350641966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350651979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350662947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350704908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350733995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350754023 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.350827932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.350946903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351027966 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.351108074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351120949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351131916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351176977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.351192951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351207018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351248980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351284027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.351327896 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.351743937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351830006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351927996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351963043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351972103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.351988077 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352031946 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352098942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352111101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352173090 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352557898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352569103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352571964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352571964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352581024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352616072 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352627993 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352653027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352664948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352674961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352686882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.352739096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.352739096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.353750944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.353797913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.353809118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.353898048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.353909969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.353936911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.353936911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354012966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354032993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354063988 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354340076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354391098 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354460955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354473114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354523897 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354546070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354619026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354631901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354700089 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354724884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354736090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354748011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354758024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354809999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354809999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.354897022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354908943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.354958057 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.355525017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355585098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355595112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355612993 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.355628014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.355871916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355926037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355937004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.355979919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.356065989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356077909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356089115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356100082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356118917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.356173992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.356189966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356200933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356241941 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.356901884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356942892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356954098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.356955051 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357055902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357067108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357076883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357088089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357131958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357131958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357268095 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357337952 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357696056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357708931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357721090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357733965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357765913 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357778072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357793093 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357809067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357820988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357870102 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357933998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357985973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.357988119 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.357996941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358072042 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358100891 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358112097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358123064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358134031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358175039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358175039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358381033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358392954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358402967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358413935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358424902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358436108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358445883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358449936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358449936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358458042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358469963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358503103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358503103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358683109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358695030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358705044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358717918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358736038 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358753920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358823061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358834028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358843088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358874083 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358880043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358892918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358902931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358913898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.358931065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358931065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.358949900 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359200954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359220028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359230995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359247923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359256029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359257936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359261036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359266043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359292984 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359473944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359474897 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359484911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359508991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359519958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359561920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359561920 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359627962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359639883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359651089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359668016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359678984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359683990 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359689951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359699965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359710932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359714985 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359720945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359731913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359735966 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359743118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359754086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.359755993 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359776020 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.359795094 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360116005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360176086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360188007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360249043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360280037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360291004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360304117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360315084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360343933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360343933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360541105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360552073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360563040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360574007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360584974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360595942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360605955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360615969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360622883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360622883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360630035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360680103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360680103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360872984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360884905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360896111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360905886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360915899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360929012 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360940933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.360950947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360963106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360972881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360984087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.360995054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361006975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361006975 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361018896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361042023 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361042023 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361057043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361299038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361445904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361463070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361474037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361484051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361494064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361505032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361515045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361521006 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361521006 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361526012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361536026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361547947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361552954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361552954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361603022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361776114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361820936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.361967087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361984015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.361994982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362005949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362015963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362025976 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362035990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362046957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362047911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.362056971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362067938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362067938 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.362078905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362082005 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.362088919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362098932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362138987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.362565994 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362577915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362588882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362600088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362611055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362622023 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362632036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362647057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362657070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362667084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362678051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362687111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362696886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362706900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362725019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.362788916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.362829924 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363244057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363255978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363265991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363276005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363286972 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363296032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363306046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363316059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363327026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363337040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363337994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363337994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363348007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363358974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363373995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363373995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363396883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363727093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363739014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363749027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363759041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363769054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363791943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363801956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363807917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363807917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363811970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363822937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363832951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363835096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363842964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363852978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363867998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363878012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363888979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363892078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363892078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363898039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363910913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363918066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363922119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363931894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363943100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363954067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363956928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363956928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.363965034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.363986969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364001989 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364682913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364696026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364706039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364717960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364733934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364734888 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364746094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364756107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364767075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364777088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364787102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364792109 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364792109 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364799976 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364810944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364814997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364820957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364831924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364842892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364852905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364862919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364862919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364875078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364883900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364888906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364891052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364897013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364898920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364901066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.364944935 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.364944935 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.365569115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365581989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365592003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365602970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365613937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365624905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365634918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365645885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365655899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365660906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.365660906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.365674973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365716934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.365716934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.365839005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365900040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365911961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.365943909 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366028070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366039038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366050959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366064072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366081953 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366094112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366178036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366189003 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366199017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366209984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366228104 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366245031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366255045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366255045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366266012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366276979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366288900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366308928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366308928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366344929 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366568089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366580963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366619110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366631031 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.366658926 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366668940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.366705894 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.376447916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.376543045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381441116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381493092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381503105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381504059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381572962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381576061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381587029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381597996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381608009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381628036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381664991 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381726980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381738901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381748915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381759882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381769896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381789923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381789923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381865978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381891012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381907940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381918907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.381922007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.381947994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382134914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382145882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382160902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382164001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382169008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382173061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382184029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382194996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382205963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382214069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382214069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382216930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382256985 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382441998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382452965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382463932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382473946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382502079 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382535934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382596970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382615089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382625103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382635117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382644892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382654905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382664919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382668018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382668018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382675886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382685900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382697105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382703066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382703066 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382708073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382719040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382729053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382739067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382755995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382761002 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382761002 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382767916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382777929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.382807016 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.382890940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383291006 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383301973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383311987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383322954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383339882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383351088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383362055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383364916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383364916 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383373022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383384943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383424997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383424997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383620977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383631945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383641958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383652925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383662939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383672953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383680105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383680105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383683920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383693933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383706093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383714914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383747101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383747101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383759022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383779049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383789062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383799076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383809090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383817911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383817911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383819103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383830070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383840084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383847952 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383851051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383861065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383871078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383881092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383882999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383882999 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383897066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383907080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383918047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.383919954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383965969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.383965969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384643078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384654999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384665012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384675980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384685040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384696960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384706020 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384706974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384716988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384727001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384737015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384747028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384747982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384747982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384763002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384773970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384783983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384793997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384810925 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384810925 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384818077 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384828091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384838104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384848118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384857893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384860039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384860039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384867907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384877920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384887934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384891033 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384897947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384907961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384918928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.384918928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384918928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384941101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.384970903 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385618925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385631084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385642052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385651112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385660887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385679007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385689020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385694981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385694981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385699034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385710955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385720968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385730982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385740042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385750055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385751963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385751963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385760069 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385770082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385780096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385787964 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385798931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385811090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385819912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385822058 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385832071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385833979 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385842085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385853052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385863066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385873079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.385874987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385874987 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.385911942 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386529922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386540890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386550903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386560917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386579990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386589050 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386593103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386619091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386621952 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386630058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386650085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386660099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386662960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386671066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386681080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386692047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386698961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386698961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386703014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386713028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386723995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386735916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386742115 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386742115 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386745930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386755943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386765957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386775970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386785984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386795998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386806011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386806965 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386806965 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386816025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386821985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.386822939 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.386884928 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387407064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387418032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387428045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387438059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387448072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387458086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387460947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387460947 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387468100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387478113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387486935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387496948 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387511015 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387520075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387530088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387540102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387543917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387550116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387561083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387569904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387579918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387582064 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387582064 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387589931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387600899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387610912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387619019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387622118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.387645006 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.387661934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415465117 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415504932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415515900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415528059 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415544987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415558100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415574074 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415576935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415633917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415633917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415663004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415673971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415683985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415694952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415710926 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415730953 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415730953 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415805101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415817022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415828943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415875912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415875912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.415946960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415957928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415967941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.415983915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416002989 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416013002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416017056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416017056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416024923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416034937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416044950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416055918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416084051 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416084051 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416264057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416275024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416285992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416296005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416311026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416321993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416328907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416330099 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416357040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416368008 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416371107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416383028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416393995 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416404009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416414022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416424036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416440964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416440964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.416695118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.416707039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.417442083 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.452594995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.452691078 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.457613945 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457627058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457638025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457700014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.457724094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457731962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.457736015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457751036 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457762957 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457842112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.457842112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.457895994 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457906961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457917929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457928896 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457935095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457941055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.457966089 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458096027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458123922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458133936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458144903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458162069 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458172083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458187103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458199978 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458199978 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458203077 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458214045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458225012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458234072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458245039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.458272934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458272934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.458365917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461118937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461164951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461174965 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461195946 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461236000 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461245060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461255074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461266041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461322069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461345911 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461361885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461373091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461405039 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461431980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461432934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461442947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461452961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461463928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461477995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461519003 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461601019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461615086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461626053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461636066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461647034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461657047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461668015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461673021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461673021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461679935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461705923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461705923 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461852074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461865902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461890936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461955070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.461977005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461987972 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.461998940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462008953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462028980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462040901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462044954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462044954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462070942 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462130070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462140083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462148905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462160110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462184906 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462203979 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462219954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462230921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462240934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462251902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462260962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462268114 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462272882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462281942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462291956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462312937 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462312937 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462383986 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462552071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462569952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462587118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462598085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462609053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462614059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462619066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462625027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462634087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462644100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462651014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462651014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462655067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462666035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.462673903 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462708950 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.462723970 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.502990007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503002882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503015041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503055096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503067017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503077984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503084898 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503109932 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503132105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503226042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503237009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503248930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503293037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503338099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503349066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503364086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503375053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503385067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503390074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503396034 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503401041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503424883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503595114 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503686905 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503699064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503712893 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503722906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503732920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503742933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503747940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503753901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503762007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503763914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503773928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503786087 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503786087 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503788948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503799915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503809929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503822088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503832102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503834009 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503844023 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.503870964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.503870964 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.504173040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504184008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504194975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504204035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504215002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504225016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504225016 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.504225016 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.504235029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504245043 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504256010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.504276037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.504276037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.504498959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.516658068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516681910 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516690016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516732931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516743898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516767025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.516767025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.516865969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516875982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516886950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516897917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516910076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.516935110 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.516935110 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.516985893 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517023087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517033100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517045975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517055988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517066956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517087936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517087936 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517098904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517144918 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517203093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517214060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517225027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517235041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517245054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517255068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.517276049 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517276049 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517335892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.517373085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.526791096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.526792049 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.547979116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548007011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548012018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548058033 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548058033 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548060894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548072100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548083067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548096895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548122883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548171997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548180103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548183918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548260927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548270941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548280954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548304081 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548304081 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548369884 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548379898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548389912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548399925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548450947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548459053 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548459053 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548499107 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548515081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548531055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548599958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548612118 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548623085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548634052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548650980 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548650980 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548738956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548748970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548758984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548777103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548777103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.548960924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548970938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.548989058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549002886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549009085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549010992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549015999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549021959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549032927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549057961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549057961 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549134970 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549150944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549318075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549329996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549340010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549350023 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549360991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549371958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549381971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549396992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549396992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549396992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549412966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549422979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549433947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549443007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549444914 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549444914 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549453020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549464941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.549489975 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.549489975 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.587249041 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589421988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589453936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589464903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589477062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589498997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589554071 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589561939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589574099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589586020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589597940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589608908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589620113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589663982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589698076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589708090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589719057 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589757919 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589771986 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589782953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589799881 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589811087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.589823008 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.589858055 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590015888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590029955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590039015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590049982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590060949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590066910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590071917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590081930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590087891 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590095997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590101004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590116978 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590137959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590280056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590291977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590302944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590320110 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590337992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590485096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590495110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590504885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590516090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590527058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590533018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590543985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590554953 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590559959 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590564966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590575933 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590580940 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590585947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590595961 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590610027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590626955 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590631962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.590678930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.590804100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.591284990 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.601309061 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.603710890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603723049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603733063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603787899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.603813887 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.603820086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603831053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603843927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603873014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.603965998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603977919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603987932 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.603998899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604008913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604010105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604038954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604062080 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604067087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604155064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604167938 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604177952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604192019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604228020 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604264975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604274988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604284048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604294062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604304075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604310036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604314089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604325056 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.604341030 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.604362011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.610783100 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.610804081 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635251045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635286093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635299921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635330915 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635361910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635376930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635387897 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635399103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635421991 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635458946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635468960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635483980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635497093 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635534048 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635540962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635555029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635593891 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635674000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635688066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635696888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635710001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635720968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635730982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635740995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635741949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635763884 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635772943 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.635941982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635951996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635962963 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635972977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635983944 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635988951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635999918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.635999918 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636015892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636033058 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636198044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636209011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636226892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636231899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636274099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636285067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636295080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636298895 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636306047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636317968 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636359930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636583090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636595011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636605978 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636615038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636624098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636634111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636640072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636651039 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636661053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636668921 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636671066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636682034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636692047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636693954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636697054 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636708021 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636708975 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636718988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636728048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636738062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636743069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636743069 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636749029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636759996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.636763096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636790037 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.636816025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.678742886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678778887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678791046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678922892 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678931952 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.678940058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678951979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678962946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678975105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678985119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.678997993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679011106 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679049015 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679055929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679068089 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679078102 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679088116 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679100037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679107904 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679135084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679295063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679306030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679316044 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679327011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679343939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679354906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679357052 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679366112 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679377079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679388046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679398060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679409027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679435015 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679542065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679585934 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679773092 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679784060 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679794073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679805040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679814100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679821014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679824114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679833889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679845095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679846048 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679862022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679872990 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679882050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679892063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679896116 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679903030 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679913998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679919958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679924011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679936886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679941893 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679946899 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.679963112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.679986000 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.690793037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690851927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690855026 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.690862894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690901995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.690903902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690915108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690927029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.690953970 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691458941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691508055 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691519022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691530943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691569090 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691750050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691761017 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691778898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691797018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691812992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691817045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691828012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691831112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691838980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691848040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691860914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691884995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.691910982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691924095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.691965103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722093105 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722136021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722157955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722170115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722209930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722266912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722284079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722295046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722306013 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722316980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722328901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722333908 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722352982 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722372055 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722460985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722477913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722491026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722502947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722513914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722517967 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722526073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722537994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722573996 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722764015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722774982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722785950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722801924 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722814083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722824097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722824097 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722836018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722846031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722851992 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722858906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722868919 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722871065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722879887 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722887993 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722889900 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722901106 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.722918034 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.722945929 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723108053 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723119020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723129988 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723140955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723151922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723156929 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723161936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723172903 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723175049 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723186016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723192930 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723207951 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723293066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723371983 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723511934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723522902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723535061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723546982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723557949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723563910 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723567009 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723578930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723584890 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723589897 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723601103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723618031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723623991 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723628998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723639011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723644018 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723649979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723660946 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723669052 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.723675966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.723694086 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763164997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763190985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763200998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763222933 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763246059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763262033 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763273001 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763283014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763293028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763303041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763312101 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763334990 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763461113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763472080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763483047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763493061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763503075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763511896 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763519049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763545990 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763587952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763607979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763623953 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763688087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763699055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763710022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763736963 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763761997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763837099 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763849020 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763859034 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763869047 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763880014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763884068 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763890028 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763901949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.763915062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.763936043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764091015 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764101982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764111996 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764123917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764141083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764143944 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764154911 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764185905 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764199018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764277935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764288902 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764342070 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764364958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764375925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764385939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764398098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764409065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764432907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764512062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764523029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764533997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764544010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.764561892 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.764575005 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.777932882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.777964115 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.777977943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.777990103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778028011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778070927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778078079 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778080940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778091908 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778104067 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778110981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778145075 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778264046 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778275967 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778285980 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778296947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778306007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778311968 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778322935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778332949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778337002 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778342962 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778356075 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778379917 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778388977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.778543949 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778554916 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778567076 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.778605938 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.808991909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809031010 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809041977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809061050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809072018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809083939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809097052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809107065 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809164047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809170008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809180021 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809191942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809227943 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809274912 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809287071 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809319019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809401035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809412956 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809422970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809433937 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809443951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809448004 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809456110 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809474945 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809537888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809573889 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809575081 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809587002 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809621096 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809710026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809720993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809731960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809741974 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809746027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809752941 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809765100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809775114 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809793949 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809828997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809873104 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809935093 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809937000 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809947014 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809957027 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809967041 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809977055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809978962 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.809988022 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.809995890 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810024977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810194969 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810205936 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810215950 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810226917 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810244083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810255051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810256004 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810266018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810281992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810292959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810302019 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810303926 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810313940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810323954 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810333014 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810358047 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.810581923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810594082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.810640097 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.852958918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.852987051 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.852998972 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853040934 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853051901 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853061914 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853070974 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853096008 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853101969 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853187084 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853197098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853208065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853219032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853230000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853240013 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853270054 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853334904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853346109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853352070 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853363037 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853379011 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853385925 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853398085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853408098 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853414059 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853419065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853436947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853449106 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853487015 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853669882 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853681087 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853696108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853702068 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853713036 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853740931 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853925943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853944063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853954077 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853964090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853976011 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853986025 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.853991032 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.853996992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854007959 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854017019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.854017973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854027987 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854038954 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.854039907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854049921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854055882 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.854059935 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854069948 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854075909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854082108 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.854094028 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.854104996 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.854125977 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.864717007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864739895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864751101 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864794016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864806890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864808083 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.864818096 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864833117 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.864864111 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.864959955 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864970922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864983082 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.864993095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865004063 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865015984 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865025997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865031958 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.865061045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.865235090 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865252018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865262985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865273952 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865281105 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.865284920 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865297079 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865309000 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865310907 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.865345955 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.865358114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.865360022 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.895812035 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895827055 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895839930 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895893097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895904064 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895912886 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.895915031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895925999 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895936966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.895946980 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.895967960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896086931 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896095991 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896106958 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896117926 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896126032 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896127939 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896138906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896142960 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896166086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896178007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896207094 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896214008 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896310091 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896321058 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896332026 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896347046 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896368027 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896452904 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896464109 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896475077 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896492004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896502972 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896503925 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896512985 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896527052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896536112 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896569967 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896596909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896625042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896635056 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896712065 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896723032 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896728992 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896778107 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896878004 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896888018 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896898031 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896908998 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896919012 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896928072 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896936893 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.896939993 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.896965981 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.897147894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897167921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897180080 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897190094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897191048 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.897201061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897212029 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897222042 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897228956 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.897238970 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897252083 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897259951 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.897263050 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897274971 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.897303104 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.897326946 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937282085 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937452078 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937468052 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937479973 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937491894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937501907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937513113 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937515974 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937537909 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937563896 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937571049 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937582016 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937592983 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937602997 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937611103 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937614918 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937625885 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937632084 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937659025 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937849045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937860966 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937870979 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937881947 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937890053 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937891960 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937902927 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937913895 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937916994 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937925100 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937935114 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937944889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937951088 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937957048 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937973976 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.937975883 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.937993050 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938149929 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938286066 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938302040 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938313007 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938313007 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938324928 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938334942 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938338995 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938345909 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938355923 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938361883 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938366890 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938391924 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938410997 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938476086 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938528061 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938539982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938564062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938625097 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938635111 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938644886 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938657045 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.938673019 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.938707113 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951353073 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951390982 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951410055 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951432943 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951457977 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951469898 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951472998 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951505899 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951587915 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951603889 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951615095 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951626062 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951643944 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951664925 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951726913 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951738119 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951747894 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951770067 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951921940 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951932907 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951942921 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951953888 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951962948 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951965094 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951975107 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951986074 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.951992035 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.951996088 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.952012062 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.952033043 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.952107906 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.952155113 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.982842922 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982894897 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982906103 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982918024 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982928038 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982939005 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:42.982940912 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.982985973 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.986901045 CEST	49706	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:42.991817951 CEST	2047	49706	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:48.359644890 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:48.364514112 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 27, 2024 18:23:48.768277884 CEST	49718	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:48.768333912 CEST	443	49718	104.98.116.138	192.168.2.7
Aug 27, 2024 18:23:48.768409967 CEST	49718	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:48.832766056 CEST	49718	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:23:48.832787991 CEST	443	49718	104.98.116.138	192.168.2.7
Aug 27, 2024 18:23:53.638124943 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:23:54.920506001 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:54.925529003 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:54.926682949 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:54.926840067 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:54.931678057 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:55.603768110 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:55.603786945 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:55.603862047 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:55.612368107 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:55.617151022 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:55.821029902 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:55.821299076 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:55.826101065 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.025404930 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.028038979 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:56.032886028 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.032972097 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:56.037817001 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.645421982 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.645657063 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.645693064 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:56.648384094 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:56.654439926 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:56.654540062 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:56.660687923 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.011516094 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.011538029 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.011581898 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.186060905 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.186198950 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.186388016 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.186574936 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191019058 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191035032 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191040993 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191060066 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191148996 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191153049 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191153049 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191184044 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191248894 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191327095 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191417933 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191421032 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191430092 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191438913 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191457987 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191484928 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191515923 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191525936 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.191557884 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191581011 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.191611052 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196114063 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196126938 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196136951 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196259975 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196269035 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196279049 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196288109 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196393967 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196427107 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196434975 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.196525097 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.237179041 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.237473011 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.237580061 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.237685919 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.237766027 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238060951 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238111019 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238293886 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238365889 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238533974 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238641977 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238770008 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.238837957 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.242161989 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242290974 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.242338896 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242351055 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242383003 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242405891 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:57.242650032 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242666960 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242695093 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242819071 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242933989 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.242944002 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243143082 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243308067 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243367910 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243424892 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243530989 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243614912 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243650913 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243733883 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243772984 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.243822098 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244070053 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244075060 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244112968 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244175911 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244227886 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244307995 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244316101 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244366884 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244385958 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244501114 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.244508982 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.246956110 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247066975 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247165918 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247230053 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247239113 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247371912 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247375011 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247412920 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247421980 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.247442007 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.718719006 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:57.763134956 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.442790031 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.442908049 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.442985058 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.443116903 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.447695017 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447721004 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447730064 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447762012 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:58.447848082 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447858095 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447925091 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447932959 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447942972 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.447951078 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.448071957 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.448110104 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.452830076 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.452841997 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.453140974 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.754339933 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:58.794362068 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:23:59.004709005 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:23:59.005157948 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.008517027 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.008651972 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.008738995 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.008848906 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.008980989 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.009085894 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:00.013987064 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014003992 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014018059 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014028072 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014107943 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014117956 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014126062 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014197111 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014206886 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014215946 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.014229059 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018625021 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018747091 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018750906 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018774986 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018784046 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018791914 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018800020 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.018807888 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.321521044 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:00.372529984 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.328721046 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.333693981 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:01.334669113 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.339461088 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:01.680942059 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:01.681029081 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:01.681061029 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.681097031 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.681199074 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:01.681217909 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.681236982 CEST	49722	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:01.685863018 CEST	2047	49722	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:06.673877001 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:06.692763090 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:06.692873955 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:06.694833040 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:06.699634075 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.396794081 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.396816969 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.396936893 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:07.405541897 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:07.411767960 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.615776062 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.616081953 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:07.621844053 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.820475101 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.823230982 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:07.828104973 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:07.828161001 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:07.833100080 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.180143118 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.182959080 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.188714981 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.188813925 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.193711042 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.537856102 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.540102005 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.540143013 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.540154934 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.540208101 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.540236950 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.540301085 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.543797016 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.543807983 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.543818951 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.543876886 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.551075935 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.551145077 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.551155090 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.551186085 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.558783054 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.558828115 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.558836937 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.558857918 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.558929920 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.566565990 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.566603899 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.566612959 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.566679955 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.628448009 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.628957033 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.629112005 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.648132086 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.648176908 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.648185968 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.648353100 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.652241945 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.652260065 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.652271986 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.652360916 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.660036087 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.660123110 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.660155058 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.660177946 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.660218000 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.660250902 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.667128086 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.667143106 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.667154074 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.667167902 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.667226076 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.675857067 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.675915956 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.675925016 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.676088095 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.682682991 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.682703018 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.682714939 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.682775021 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.682888985 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.689958096 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.689994097 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.690006971 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.690073013 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.698389053 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.698409081 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.698421955 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.698468924 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.698501110 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.707192898 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.707210064 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.707221985 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.707298040 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.711782932 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.711796045 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.711807966 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.711865902 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.711880922 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:08.736190081 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:08.778822899 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:10.815602064 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:10.820487022 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:10.820549965 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:10.825376987 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.199701071 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.199718952 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.199729919 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.199737072 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.199935913 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.207004070 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.207016945 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.207081079 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.207134962 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.207146883 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.207179070 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.211364985 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.211498976 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.211508036 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.211544037 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.215895891 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.215909004 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.215918064 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.215949059 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.215977907 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.220765114 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.220896006 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.220938921 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.221060038 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.221069098 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.221101999 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.228058100 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.228070021 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.228080988 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.228108883 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.229940891 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.229953051 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.229964018 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.229981899 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.230001926 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.233572006 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.233620882 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.233629942 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.233660936 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.237489939 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.237503052 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.237513065 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.237540960 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.237560034 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.248120070 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.248131990 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.248141050 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.248179913 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.251921892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.251933098 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.251946926 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.252105951 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.253036976 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.253201008 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.253210068 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.253248930 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.257589102 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.257635117 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.257721901 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.257731915 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.257767916 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.262094975 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.262265921 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.262274981 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.262315989 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.266777039 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.266792059 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.266803980 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.266824961 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.266861916 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.273480892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.273492098 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.273500919 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.273525953 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.278588057 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.278722048 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.278729916 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.278738976 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.278780937 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.280842066 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.280853033 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.280863047 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.280888081 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.284075975 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.284087896 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.284099102 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.284122944 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.284148932 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.289978981 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.290127993 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.290137053 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.290147066 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.290169001 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.290196896 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.294378996 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.294687986 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.294698954 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.294738054 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.294830084 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.294872046 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.299319029 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.299330950 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.299340963 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.299386024 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.303922892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.303982973 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.304081917 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.304090977 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.304127932 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.308490992 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.308502913 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.308514118 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.308556080 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.313127995 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.313141108 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.313152075 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.313188076 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.313226938 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.317821026 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.317832947 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.317846060 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.317899942 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.317964077 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.318005085 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.322442055 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.322577953 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.322587967 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.322619915 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.327423096 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.327435017 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.327493906 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.329387903 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.329400063 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.329411030 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.329427958 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.329458952 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.334705114 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.334717989 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.334727049 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.334758043 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.338654995 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.338673115 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.338682890 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.338733912 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.338757038 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.343456984 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.343468904 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.343478918 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.343524933 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.347675085 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.347687006 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.347737074 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.347959995 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.347970009 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.348001003 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.352339029 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.352385044 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.352507114 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.352515936 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.352550030 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.356489897 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.356502056 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.356512070 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.356523037 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.356534958 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.356571913 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.361571074 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.361583948 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.361593962 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.361645937 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.366297007 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.366353989 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.366405010 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.366415024 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.366446018 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.370769024 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.370779991 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.370790958 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.370826960 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.370910883 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.370949030 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.375015020 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.375026941 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.375039101 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.375082970 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.375161886 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.375197887 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.380747080 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.380759954 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.380772114 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.380795956 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.383052111 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.383064985 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.383074999 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.383095980 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.383124113 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.386621952 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.386759996 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.386770010 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.386780024 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.386802912 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.386832952 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.390537024 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.390549898 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.390559912 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.390595913 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.394896984 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.394937992 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.395036936 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.395051956 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.395087004 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.400410891 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.400423050 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.400434017 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.400497913 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.402730942 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.402776957 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.402883053 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.402893066 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.402929068 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.406184912 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.406197071 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.406207085 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.406250954 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.407486916 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.407526016 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.407664061 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.407672882 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.407685995 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.407710075 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.410742044 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.410779953 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.410933018 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.410943031 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.410983086 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.414093971 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.414232016 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.414242983 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.414273024 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.414378881 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.414427042 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.417454958 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.417469978 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.417479992 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.417490959 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.417510986 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.417526960 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.420819998 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.420830965 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.420847893 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.420850992 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.420867920 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.420895100 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.423269987 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.423281908 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.423291922 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.423321962 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.426291943 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.426306963 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.426316977 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.426342964 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.426362038 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.429670095 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.429682016 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.429692984 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.429728031 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.430851936 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.430862904 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.430872917 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.430891037 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.430922031 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.432462931 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.432501078 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.432509899 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.432558060 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.434175014 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.434186935 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.434192896 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.434218884 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.434243917 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.435669899 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.435679913 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.435689926 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.435710907 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.437113047 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.437124014 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.437134981 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.437151909 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.437175035 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.438710928 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.438720942 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.438766956 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.438817024 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.438827038 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.438853979 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.440392017 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.440413952 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.440423012 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.440443039 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.442008972 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.442054987 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.442085028 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.442094088 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.442105055 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.442128897 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.443615913 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.443636894 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.443645954 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.443655968 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.443671942 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.445242882 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.445262909 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.445275068 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.445307016 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.446981907 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.447024107 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.447027922 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.447036982 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.447062969 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.448544979 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.448559046 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.448570013 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.448606968 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.450119019 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.450145006 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.450160027 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.450221062 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.450249910 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.450263977 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.451808929 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.451842070 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.451849937 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.451853991 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.451881886 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.453232050 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.453243017 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.453253031 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.453274965 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.454785109 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.454828978 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.454833984 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.454843998 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.454873085 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.456433058 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.456449032 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.456459999 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.456501007 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.458127975 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.458139896 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.458149910 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.458174944 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.458198071 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.459712982 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.459723949 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.459733009 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.459759951 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.461587906 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.461599112 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.461648941 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.461986065 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.462019920 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.462028980 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.462030888 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.462059021 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.463757038 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.463768959 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.463779926 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.463809967 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.465625048 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.465637922 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.465647936 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.465691090 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.465715885 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.466772079 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.466788054 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.466840982 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.466969013 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.466979027 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.467010975 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.468519926 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.468533039 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.468543053 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.468574047 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.469923019 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.469933987 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.469945908 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.469970942 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.469996929 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.473134995 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.513160944 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.686142921 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.691001892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:11.691054106 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:11.695852041 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.041321039 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.041522026 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.041534901 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.041544914 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.041568041 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.041603088 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.043107986 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.043173075 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.043184042 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.043195963 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.043212891 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.043234110 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.044442892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044455051 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044466019 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044503927 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.044543028 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044578075 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.044804096 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044814110 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044831038 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.044853926 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.045358896 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.045386076 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.045394897 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.045396090 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.045425892 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.046294928 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.046305895 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.046317101 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.046353102 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.047157049 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.047168970 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.047178984 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.047194958 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.047224045 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.050762892 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.050775051 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.050786018 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.050823927 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.129452944 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.185026884 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.198601961 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.203527927 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.203574896 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.209155083 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.551067114 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.551610947 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.551660061 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.551765919 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.551805019 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.556889057 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.556932926 CEST	49723	2047	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.561717987 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.563596010 CEST	2047	49723	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.639569044 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.639616966 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.639683008 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.639776945 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:12.639785051 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:12.673469067 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:12.673502922 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:12.673578978 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:12.682384968 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:12.682399035 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:13.145940065 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:13.146182060 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:13.148276091 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:13.148293972 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:13.148549080 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:13.205852032 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:13.340753078 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:13.340898037 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:13.397313118 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:13.397342920 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:13.397723913 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:13.399317026 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:13.440511942 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:13.817842007 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:13.864492893 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:14.310713053 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:14.310820103 CEST	443	49725	104.20.4.235	192.168.2.7
Aug 27, 2024 18:24:14.310887098 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:14.317126036 CEST	49725	443	192.168.2.7	104.20.4.235
Aug 27, 2024 18:24:18.236326933 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:18.236433029 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:18.238900900 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:18.244652987 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:18.244652987 CEST	49724	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:18.244680882 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:18.244692087 CEST	443	49724	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:18.756669998 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:18.763448954 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:18.763555050 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:19.006820917 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:19.232054949 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:19.234683990 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:19.234764099 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:19.234889030 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:19.235095978 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:19.235116005 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:19.241883039 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:19.241900921 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:20.022939920 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:20.023114920 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:20.104470015 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:20.104509115 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:20.104842901 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:20.105600119 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:20.148504019 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:20.770040989 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:20.825731039 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:24.824734926 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:24.824819088 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:24.824901104 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:24.825001001 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:24.825021982 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:24.825054884 CEST	49727	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:24.825061083 CEST	443	49727	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:25.810605049 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:25.810664892 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:25.810767889 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:25.810847998 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:25.810858011 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:26.483541012 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:26.483617067 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:26.490472078 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:26.490484953 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:26.490684986 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:26.491851091 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:26.532509089 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:30.688337088 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:30.693365097 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:30.794801950 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:30.796639919 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:30.801484108 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:31.392355919 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:31.392447948 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:31.392498970 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:31.392535925 CEST	49728	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:31.392553091 CEST	443	49728	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:31.604523897 CEST	443	49718	104.98.116.138	192.168.2.7
Aug 27, 2024 18:24:31.604727983 CEST	49718	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:24:32.404337883 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:32.404386044 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:32.404488087 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:32.404670954 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:32.404681921 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:33.098236084 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:33.098314047 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:33.103490114 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:33.103497982 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:33.103732109 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:33.104988098 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:33.152497053 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:38.003839016 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:38.003932953 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:38.003998041 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:38.004067898 CEST	49732	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:38.004081964 CEST	443	49732	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:38.998069048 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:38.998115063 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:38.998182058 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:38.998275995 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:38.998285055 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:39.682416916 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:39.682619095 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:39.764148951 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:39.764202118 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:39.764553070 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:39.776878119 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:39.824511051 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:42.357800007 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:42.363244057 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:42.457943916 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:42.460464001 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:42.465348005 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:44.589236975 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:44.589323997 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:44.589519978 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:44.589556932 CEST	49733	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:44.589584112 CEST	443	49733	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:45.591815948 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:45.591881037 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:45.591968060 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:45.592118979 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:45.592129946 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:46.287913084 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:46.288091898 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:46.292228937 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:46.292252064 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:46.292593002 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:46.293406010 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:46.340497971 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:50.775974989 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:50.825922966 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:51.250683069 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:51.250767946 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:51.250924110 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:51.250925064 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:51.257730007 CEST	49734	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:51.257745028 CEST	443	49734	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.248239040 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.248291969 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.248379946 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.248492002 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.248502016 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.946446896 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.946557045 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.951033115 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.951045990 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.951293945 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:52.952090025 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:52.992492914 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:54.029412031 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:54.034306049 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:54.129729033 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:54.131663084 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:24:54.137856960 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:24:57.860893011 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:57.860990047 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:57.861057043 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:57.861090899 CEST	49735	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:57.861107111 CEST	443	49735	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:58.873161077 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:58.873203993 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:58.873292923 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:58.873383999 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:58.873398066 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:59.592746973 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:59.592885971 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:59.597323895 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:59.597331047 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:59.597553015 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:24:59.598347902 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:24:59.640532970 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:04.480051041 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:04.480144024 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:04.480210066 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:04.480298996 CEST	49736	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:04.480313063 CEST	443	49736	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:05.486434937 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:05.486474037 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:05.486568928 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:05.486679077 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:05.486687899 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:05.718863010 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:05.726372004 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:05.821094036 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:05.826678038 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:05.832727909 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:06.187060118 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:06.187199116 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:06.198796988 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:06.198813915 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:06.199053049 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:06.209722042 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:06.252496958 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:11.093286037 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:11.093391895 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:11.093559027 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:11.093970060 CEST	49737	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:11.093993902 CEST	443	49737	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.107711077 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.107745886 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.107865095 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.108000994 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.108015060 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.783773899 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.784069061 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.788454056 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.788465023 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.788759947 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:12.790093899 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:12.836496115 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:17.518611908 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:17.524321079 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:17.618089914 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:17.674782991 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:17.677745104 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:17.682564020 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:17.694241047 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:17.694325924 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:17.694377899 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:17.697113991 CEST	49738	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:17.697138071 CEST	443	49738	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:18.701472998 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:18.701529026 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:18.701761007 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:18.701936007 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:18.701956987 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:19.416502953 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:19.416749001 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:19.421317101 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:19.421340942 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:19.421653032 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:19.455898046 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:19.500505924 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:20.393665075 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:20.398627996 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:20.493110895 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:20.544742107 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:20.554917097 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:20.733952045 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:20.734050989 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:20.734167099 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:20.764108896 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:20.810389042 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:24.299900055 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:24.299987078 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:24.300082922 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:24.300703049 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:24.300719976 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:24.300754070 CEST	49739	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:24.300760984 CEST	443	49739	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:25.295228004 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:25.295280933 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:25.295352936 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:25.295476913 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:25.295489073 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:26.005002022 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:26.005247116 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:26.009869099 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:26.009886026 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:26.010149956 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:26.011208057 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:26.052510977 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:30.903776884 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:30.903872013 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:30.903951883 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:30.904009104 CEST	49740	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:30.904030085 CEST	443	49740	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:31.888961077 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:31.889029980 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:31.889106989 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:31.889260054 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:31.889276028 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:32.136220932 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:32.185751915 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:32.243192911 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:32.286778927 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:32.291793108 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:32.570280075 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:32.573139906 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:32.600735903 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:32.600765944 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:32.601056099 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:32.601974010 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:32.648499966 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:33.154540062 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:33.164139986 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:33.170036077 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:33.176891088 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:33.268990040 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:33.270765066 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:33.285078049 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:33.369247913 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:33.370929003 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:33.375863075 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:34.686238050 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:34.691131115 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:34.785984039 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:34.788786888 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:34.797981977 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:37.481826067 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:37.481909990 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:37.481969118 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:37.482054949 CEST	49741	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:37.482068062 CEST	443	49741	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:38.467058897 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:38.467116117 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:38.467191935 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:38.467312098 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:38.467322111 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:39.170229912 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:39.170382023 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:39.178319931 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:39.178330898 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:39.178564072 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:39.214939117 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:39.260510921 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:44.074467897 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:44.074561119 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:44.074678898 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:44.074744940 CEST	49742	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:44.074762106 CEST	443	49742	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:45.061120987 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:45.061191082 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:45.061666965 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:45.061777115 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:45.061789036 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:46.357922077 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:46.591670990 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:46.904165983 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:47.007255077 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:47.007266998 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:47.007277966 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:47.100380898 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:47.105103016 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:47.109989882 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:47.869256020 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:47.869390965 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:47.874031067 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:47.874046087 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:47.874289989 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:47.877917051 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:47.924500942 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:48.748328924 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:48.753233910 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:48.876419067 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:48.879074097 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:48.884251118 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:50.757178068 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:50.810602903 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:52.720073938 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:52.720177889 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:52.720242977 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:52.720289946 CEST	49743	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:52.720309973 CEST	443	49743	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:53.717505932 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:53.717557907 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:53.717749119 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:53.717868090 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:53.717885971 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:54.295782089 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:54.302658081 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:54.396979094 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:54.399225950 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:54.402163982 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:54.402242899 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:54.404120922 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:54.412893057 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:54.412909031 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:54.413165092 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:54.414385080 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:54.456500053 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:56.592192888 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:56.598097086 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:56.693090916 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:56.694911957 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:56.699897051 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:58.529470921 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:58.534537077 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:58.629117966 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:58.631925106 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:25:58.637166977 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:25:59.312815905 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:59.312917948 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:25:59.313132048 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:59.313132048 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:59.505718946 CEST	49744	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:25:59.505768061 CEST	443	49744	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:00.311083078 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:00.311124086 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:00.311197042 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:00.311336040 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:00.311357021 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:00.811096907 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:00.816246986 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:00.915807962 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:00.917897940 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:00.922940016 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:01.049012899 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:01.054651976 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:01.054651976 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:01.054683924 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:01.054919958 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:01.060478926 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:01.104506016 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:04.373301029 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.434159994 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.514116049 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.519387960 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.528278112 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.530606031 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.577598095 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.577640057 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.582442999 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.628339052 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.629664898 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.635324001 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.673062086 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:04.674424887 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:04.721657038 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:05.953838110 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:05.953915119 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:05.954046965 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:05.954098940 CEST	49745	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:05.954119921 CEST	443	49745	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:06.951504946 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:06.951580048 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:06.951699972 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:06.951812029 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:06.951822996 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:07.640393972 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:07.641496897 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:07.680094004 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:07.680138111 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:07.680417061 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:07.732707024 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:07.888345957 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:07.928507090 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:08.951505899 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:08.956417084 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:09.050707102 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:09.054841995 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:09.059856892 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:12.550406933 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:12.550498009 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:12.550678968 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:12.550678968 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:12.550795078 CEST	49746	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:12.550808907 CEST	443	49746	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:13.560946941 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:13.560998917 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:13.561074972 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:13.561142921 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:13.561156988 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:14.243946075 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:14.244925976 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:14.309034109 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:14.309050083 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:14.309272051 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:14.324975014 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:14.368499994 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:17.435878992 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:17.441014051 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:17.536000967 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:17.538501978 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:17.543374062 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:19.155669928 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:19.155751944 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:19.155844927 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:19.155888081 CEST	49747	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:19.155906916 CEST	443	49747	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.170607090 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.170665979 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.170734882 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.170869112 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.170877934 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.762188911 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:20.810549974 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:20.843197107 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.843275070 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.847907066 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.847925901 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.848227978 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:20.849422932 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:20.892504930 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:25.758690119 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:25.758793116 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:25.758882046 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:25.758971930 CEST	49748	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:25.758991957 CEST	443	49748	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:26.060863018 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:26.067374945 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.161542892 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.168534040 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:26.176362991 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.248362064 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:26.253134012 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.348263025 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.349934101 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:26.354837894 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:26.764287949 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:26.764348030 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:26.764447927 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:26.764509916 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:26.764518023 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:27.452030897 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:27.452152014 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:27.456629992 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:27.456650972 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:27.456948042 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:27.459706068 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:27.504501104 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:32.355004072 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:32.355093956 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:32.355200052 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:32.355321884 CEST	49749	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:32.355344057 CEST	443	49749	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:33.343422890 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:33.343476057 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:33.343584061 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:33.343806982 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:33.343821049 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:34.050540924 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:34.050626993 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:34.056303024 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:34.056313038 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:34.056557894 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:34.057638884 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:34.104501009 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:37.920358896 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:37.925789118 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:38.022006035 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:38.024230957 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:38.029241085 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:38.954061985 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:38.954154968 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:38.954382896 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:38.954540014 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:38.954565048 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:38.954595089 CEST	49750	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:38.954601049 CEST	443	49750	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:39.951627970 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:39.951688051 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:39.951759100 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:39.951828957 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:39.951841116 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:40.639318943 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:40.639724970 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:40.706974030 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:40.707005024 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:40.707319021 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:40.722903013 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:40.768501997 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:45.542799950 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:45.542967081 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:45.543034077 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:45.543075085 CEST	49751	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:45.543097019 CEST	443	49751	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:46.545542002 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:46.545613050 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:46.545686007 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:46.545819044 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:46.545836926 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:47.218585968 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:47.218674898 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:47.223086119 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:47.223098993 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:47.223346949 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:47.224147081 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:47.268500090 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:49.592731953 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:49.598288059 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:49.692892075 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:49.796936989 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:49.801866055 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:50.765418053 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:50.810817957 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:52.130117893 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:52.130204916 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:52.130259991 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:52.130371094 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:52.130400896 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:52.130434990 CEST	49752	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:52.130440950 CEST	443	49752	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.129446030 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.129503965 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.129601955 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.131200075 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.131216049 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.824412107 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.824496984 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.831881046 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.831903934 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.832228899 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:53.833621025 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:53.876507044 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:57.436306953 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:57.441174984 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:57.483131886 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:57.487981081 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:57.536063910 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:57.543554068 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:57.548463106 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:57.626918077 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:57.630579948 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:57.635473013 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:58.732386112 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:58.732469082 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:58.732877970 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:58.732916117 CEST	49753	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:58.732934952 CEST	443	49753	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:58.858067989 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:58.866318941 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:58.981889963 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:58.985322952 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:26:58.990159035 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:26:59.748631954 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:59.748686075 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:26:59.748785973 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:59.748835087 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:26:59.748850107 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:00.422755003 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:00.422863960 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:00.478399038 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:00.478415966 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:00.478710890 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:00.479530096 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:00.520507097 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:05.335004091 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:05.335170031 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:05.335241079 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:05.335279942 CEST	49754	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:05.335300922 CEST	443	49754	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:06.327508926 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:06.327565908 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:06.327692032 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:06.327857018 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:06.327866077 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:07.003084898 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:07.003181934 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:07.007582903 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:07.007596970 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:07.007972956 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:07.011821032 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:07.056488991 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:10.529889107 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:10.534832001 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:10.629777908 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:10.633780003 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:10.638870955 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:11.911753893 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:11.911840916 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:11.913038015 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:11.913125992 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:11.913125992 CEST	49755	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:11.913151026 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:11.913161039 CEST	443	49755	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:12.920851946 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:12.920888901 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:12.920960903 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:12.921062946 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:12.921070099 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:13.605700016 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:13.606193066 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:13.613279104 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:13.613289118 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:13.613534927 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:13.617106915 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:13.660512924 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:18.504672050 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:18.504774094 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:18.504839897 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:18.508825064 CEST	49756	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:18.508860111 CEST	443	49756	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:19.514341116 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:19.514413118 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:19.514493942 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:19.514591932 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:19.514600992 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:20.205560923 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:20.205672026 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:20.210081100 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:20.210100889 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:20.210349083 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:20.211020947 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:20.252506971 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:20.760087013 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:20.935831070 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:22.204720974 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:22.209830046 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:22.307658911 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:22.311511993 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:22.316701889 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:25.112026930 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:25.112126112 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:25.112309933 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:25.112351894 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:25.112375975 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:25.112387896 CEST	49757	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:25.112392902 CEST	443	49757	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.124125004 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.124187946 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.124257088 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.124311924 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.124317884 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.764350891 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:26.769265890 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:26.803425074 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.803603888 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.810956955 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.810972929 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.811187029 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.814961910 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:26.860505104 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:26.866895914 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:26.868691921 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:26.892616987 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:29.686402082 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:29.691493988 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:29.786128998 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:29.788300037 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:29.793209076 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:31.715590954 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:31.715684891 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:31.715820074 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:31.715909958 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:31.715939045 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:31.715955019 CEST	49758	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:31.715960979 CEST	443	49758	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:32.724570990 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:32.724632025 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:32.724714041 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:32.724777937 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:32.724786997 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:33.404331923 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:33.404438019 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:33.412930012 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:33.412951946 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:33.413234949 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:33.414551020 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:33.456509113 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:38.315381050 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:38.315476894 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:38.315654993 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:38.320231915 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:38.320250988 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:38.320266962 CEST	49759	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:38.320271969 CEST	443	49759	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.102405071 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.102446079 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.103037119 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.103101015 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.103111029 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.793354034 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.793425083 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.797977924 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.797988892 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.798242092 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:40.798830032 CEST	49760	443	192.168.2.7	154.216.19.149
Aug 27, 2024 18:27:40.844504118 CEST	443	49760	154.216.19.149	192.168.2.7
Aug 27, 2024 18:27:41.092448950 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:41.097719908 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:41.194653988 CEST	6677	49726	85.209.133.150	192.168.2.7
Aug 27, 2024 18:27:41.196132898 CEST	49726	6677	192.168.2.7	85.209.133.150
Aug 27, 2024 18:27:41.200968981 CEST	6677	49726	85.209.133.150	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:23:35.015795946 CEST	61665	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:24:12.659607887 CEST	49602	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:24:12.666712999 CEST	53	49602	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 27, 2024 18:23:35.015795946 CEST	192.168.2.7	1.1.1.1	0x35e5	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:24:12.659607887 CEST	192.168.2.7	1.1.1.1	0xb98f	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 27, 2024 18:23:35.023037910 CEST	1.1.1.1	192.168.2.7	0x35e5	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 18:24:12.666712999 CEST	1.1.1.1	192.168.2.7	0xb98f	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:24:12.666712999 CEST	1.1.1.1	192.168.2.7	0xb98f	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:24:12.666712999 CEST	1.1.1.1	192.168.2.7	0xb98f	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49725	104.20.4.235	443	1196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:24:13 UTC	74	OUT	GET /raw/jxfGm9Pc HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-08-27 16:24:14 UTC	388	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:24:14 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Tue, 27 Aug 2024 16:24:14 GMT Server: cloudflare CF-RAY: 8b9d691eaec572a7-EWR
2024-08-27 16:24:14 UTC	25	IN	Data Raw: 31 33 0d 0a 38 35 2e 32 30 39 2e 31 33 33 2e 31 35 30 3a 36 36 37 37 0d 0a Data Ascii: 1385.209.133.150:6677
2024-08-27 16:24:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	7
Start time:	12:23:31
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	2'594'056 bytes
MD5 hash:	61D31FB13C1DD46FCB03CAF7F648508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000003.1286758641.00000000026C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:23:32
Start date:	27/08/2024
Path:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe"
Imagebase:	0x400000
File size:	1'312'792 bytes
MD5 hash:	58717509C1521EACFCC7CDA39E6BD45C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000002.1405996378.0000000050001000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:23:32
Start date:	27/08/2024
Path:	C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe
Imagebase:	0xc30000
File size:	433'152 bytes
MD5 hash:	AE36397A23D16920DDFE4DFEC24F6B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:23:35
Start date:	27/08/2024
Path:	C:\Windows\SysWOW64\OpenWith.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x630000
File size:	107'368 bytes
MD5 hash:	0ED31792A7FFF811883F80047CBCFC91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:23:38
Start date:	27/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:23:38
Start date:	27/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:23:42
Start date:	27/08/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x7ff790560000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:00:51
Start date:	27/08/2024
Path:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Imagebase:	0x400000
File size:	1'312'792 bytes
MD5 hash:	58717509C1521EACFCC7CDA39E6BD45C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:00:52
Start date:	27/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1720054061.0000000003440000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 8168, Parent PID: 8160

General

Target ID:	24
Start time:	14:00:52
Start date:	27/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:00:52
Start date:	27/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x6f0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	14:00:56
Start date:	27/08/2024
Path:	C:\Program Files\Windows Media Player\wmplayer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\wmplayer.exe"
Imagebase:	0x7ff70d790000
File size:	171'008 bytes
MD5 hash:	89DCD2D4C0EC638AADC00D3530E07E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	14:00:59
Start date:	27/08/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\dllhost.exe"
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	14:01:03
Start date:	27/08/2024
Path:	C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Imagebase:	0x400000
File size:	1'312'792 bytes
MD5 hash:	58717509C1521EACFCC7CDA39E6BD45C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:01:03
Start date:	27/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Analysis Process: conhost.exePID: 4016, Parent PID: 744

General

Target ID:	33
Start time:	14:01:03
Start date:	27/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:01:23
Start date:	27/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x50000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1474
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT(-00000002,00000000,?,00000000), ref: 0040509F
??3@YAXPAX@Z.MSVCRT ref: 004050F1
??3@YAXPAX@Z.MSVCRT ref: 00405102
??3@YAXPAX@Z.MSVCRT ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT(-00000002,?,00000000), ref: 00405217
??2@YAPAXI@Z.MSVCRT ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT ref: 00402953

??3@YAXPAX@Z.MSVCRT ref: 00405453
??3@YAXPAX@Z.MSVCRT ref: 0040545B
??3@YAXPAX@Z.MSVCRT ref: 00405463
??3@YAXPAX@Z.MSVCRT ref: 004054DD
??3@YAXPAX@Z.MSVCRT ref: 004054E5
??3@YAXPAX@Z.MSVCRT ref: 004054ED
??3@YAXPAX@Z.MSVCRT ref: 00405509
??3@YAXPAX@Z.MSVCRT ref: 00405511
??3@YAXPAX@Z.MSVCRT ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT ref: 00403347

??3@YAXPAX@Z.MSVCRT ref: 00405559
??3@YAXPAX@Z.MSVCRT ref: 00405561
??3@YAXPAX@Z.MSVCRT ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 004057DE
??3@YAXPAX@Z.MSVCRT ref: 0040587B
??3@YAXPAX@Z.MSVCRT ref: 00405883
??3@YAXPAX@Z.MSVCRT ref: 0040588B
??3@YAXPAX@Z.MSVCRT ref: 00405913
??3@YAXPAX@Z.MSVCRT ref: 00405938
??3@YAXPAX@Z.MSVCRT ref: 004059AA
??3@YAXPAX@Z.MSVCRT ref: 004059B2
??3@YAXPAX@Z.MSVCRT ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT ref: 00405A30
??3@YAXPAX@Z.MSVCRT ref: 00405A38
??3@YAXPAX@Z.MSVCRT ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT ref: 00405BCD
??3@YAXPAX@Z.MSVCRT ref: 00405BDB
??3@YAXPAX@Z.MSVCRT ref: 00405BE3
??3@YAXPAX@Z.MSVCRT ref: 00405C16
??3@YAXPAX@Z.MSVCRT ref: 00405C1E
??3@YAXPAX@Z.MSVCRT ref: 00405C26
??3@YAXPAX@Z.MSVCRT ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT ref: 004061D4
??3@YAXPAX@Z.MSVCRT ref: 004061DC
??3@YAXPAX@Z.MSVCRT ref: 004061E4
??3@YAXPAX@Z.MSVCRT ref: 004061EA
??3@YAXPAX@Z.MSVCRT ref: 004061FD
??3@YAXPAX@Z.MSVCRT ref: 00406205
??3@YAXPAX@Z.MSVCRT ref: 00406222
??3@YAXPAX@Z.MSVCRT ref: 0040622A
??3@YAXPAX@Z.MSVCRT ref: 00406232
??3@YAXPAX@Z.MSVCRT ref: 0040623A
??3@YAXPAX@Z.MSVCRT ref: 00406242
??3@YAXPAX@Z.MSVCRT ref: 0040624A
??3@YAXPAX@Z.MSVCRT ref: 00406252
??3@YAXPAX@Z.MSVCRT ref: 0040626E
??3@YAXPAX@Z.MSVCRT ref: 00406276
??3@YAXPAX@Z.MSVCRT ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT ref: 00405C4A
??3@YAXPAX@Z.MSVCRT ref: 00405C52
??3@YAXPAX@Z.MSVCRT ref: 00405C5A
??3@YAXPAX@Z.MSVCRT ref: 00405C62
??3@YAXPAX@Z.MSVCRT ref: 00405C94
??3@YAXPAX@Z.MSVCRT ref: 00405CD4
??3@YAXPAX@Z.MSVCRT ref: 00405D41
??3@YAXPAX@Z.MSVCRT ref: 00405D49
??3@YAXPAX@Z.MSVCRT ref: 00405D51
??3@YAXPAX@Z.MSVCRT ref: 00405D59
??3@YAXPAX@Z.MSVCRT ref: 00405E20
??3@YAXPAX@Z.MSVCRT ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT ref: 00405EEC
??3@YAXPAX@Z.MSVCRT ref: 00405EF4
_wtol.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00417788), ref: 00405F65
??3@YAXPAX@Z.MSVCRT ref: 00406294
??3@YAXPAX@Z.MSVCRT ref: 0040629C
??3@YAXPAX@Z.MSVCRT ref: 004062A4
??3@YAXPAX@Z.MSVCRT ref: 004062AA
??3@YAXPAX@Z.MSVCRT ref: 004062B2
??3@YAXPAX@Z.MSVCRT ref: 004062BA
??3@YAXPAX@Z.MSVCRT ref: 004062C2
??3@YAXPAX@Z.MSVCRT ref: 004062CA
??3@YAXPAX@Z.MSVCRT ref: 004062D2
??3@YAXPAX@Z.MSVCRT ref: 004062F1
??3@YAXPAX@Z.MSVCRT ref: 004062F9
??3@YAXPAX@Z.MSVCRT ref: 00406301
??3@YAXPAX@Z.MSVCRT ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT ref: 0040636D
??3@YAXPAX@Z.MSVCRT ref: 004063E6
??3@YAXPAX@Z.MSVCRT ref: 0040643D
??3@YAXPAX@Z.MSVCRT ref: 00406445
??3@YAXPAX@Z.MSVCRT ref: 0040644D
??3@YAXPAX@Z.MSVCRT ref: 00406455
??3@YAXPAX@Z.MSVCRT ref: 0040646A
??3@YAXPAX@Z.MSVCRT ref: 0040647B
??3@YAXPAX@Z.MSVCRT ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

hidcon, xrefs: 00405E5E
sfxconfig, xrefs: 0040527C, 00405488
HelpText, xrefs: 0040595E
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
x64, xrefs: 00405FF7
OverwriteMode, xrefs: 004056BB
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
4DA, xrefs: 00406034
x86, xrefs: 00405FBE
@DA, xrefs: 00405699
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
FinishMessage, xrefs: 00406399
amd64, xrefs: 00405FE4
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
shc, xrefs: 00405F7A
;!@InstallEnd@!, xrefs: 00405431
sfxversion, xrefs: 004050D6
;!@Install@!UTF-8!, xrefs: 00405436
MiscFlags, xrefs: 0040573F
7ZipSfx.%03x, xrefs: 00405C77
GUIFlags, xrefs: 0040571F
GUIMode, xrefs: 004056FF
BeginPrompt, xrefs: 00405A71
SetEnvironment, xrefs: 0040586E, 0040591F
forcenowait, xrefs: 00405F25
4AA, xrefs: 0040504C
7-Zip SFX, xrefs: 00406490
Delete, xrefs: 00406352
Shortcut, xrefs: 0040632A
7zSfxString%d, xrefs: 0040558F
i386, xrefs: 00405FD1
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
IA, xrefs: 004055D2, 004058FB
SelfDelete, xrefs: 0040577C, 0040640B
ExecuteParameters, xrefs: 0040605D
InstallPath, xrefs: 004059F3
del, xrefs: 00405F9A
nowait, xrefs: 00405F03
XpA, xrefs: 00405581

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: 3be643ecf8404ee700b098a2c7f6930903e00dea054e3d68a5ef5f2141237405
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 3be643ecf8404ee700b098a2c7f6930903e00dea054e3d68a5ef5f2141237405
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a01739e731db22ce718ae52e31260c022a55456e0f16d2664a2019743a4110
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: 04a01739e731db22ce718ae52e31260c022a55456e0f16d2664a2019743a4110
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 0040B1C5
memmove.MSVCRT ref: 0040B289
??3@YAXPAX@Z.MSVCRT ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 8d89568e7704e25c3decf5065bc3033c009c8e5cfc7e61473a81ed2ccd4f7586
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 8d89568e7704e25c3decf5065bc3033c009c8e5cfc7e61473a81ed2ccd4f7586
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT ref: 00401171

memcpy.MSVCRT ref: 0040342F
??3@YAXPAX@Z.MSVCRT ref: 0040346C
??3@YAXPAX@Z.MSVCRT ref: 004034B2

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 2b46add0d83989d6d2bf919775794c273d74a5e0ae406f9f13f2ee8c83144718
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 2b46add0d83989d6d2bf919775794c273d74a5e0ae406f9f13f2ee8c83144718
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT(?), ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408F0F
??2@YAPAXI@Z.MSVCRT ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,00417680), ref: 00410D0D

Strings

4KA, xrefs: 00410CF0
$KA, xrefs: 00410CF7
\KA, xrefs: 00410CE2
HKA, xrefs: 00410CE9

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT ref: 0040986E
??2@YAPAXI@Z.MSVCRT ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT ref: 004028E4
memcmp.MSVCRT ref: 00402921
memmove.MSVCRT ref: 00402953

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00404A5A
??2@YAPAXI@Z.MSVCRT ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
memmove.MSVCRT ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT ref: 0040AE00

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2a1df2c838f774f5723b140544c26346904bf29780928bc3aea3ff829463cf7e
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2a1df2c838f774f5723b140544c26346904bf29780928bc3aea3ff829463cf7e
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT ref: 0040AE00

??3@YAXPAX@Z.MSVCRT ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT ref: 0040CC4A

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: b4709de1ce440f23b29a0467ae8f3e1c9749f8dd4dfeb424c3c7a10a23baf9b3
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: b4709de1ce440f23b29a0467ae8f3e1c9749f8dd4dfeb424c3c7a10a23baf9b3
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT ref: 0040A729

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 9bf62e70a86b2daa707f33c5fec657fee0fc0e4427214617184cae491fdd6d85
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 9bf62e70a86b2daa707f33c5fec657fee0fc0e4427214617184cae491fdd6d85
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040114B
??3@YAXPAX@Z.MSVCRT ref: 00401171

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 35698c06e785c0e27dab92e99477b030fbb2bea1ee5e00fe14fdbb6f72c2c7f4
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 35698c06e785c0e27dab92e99477b030fbb2bea1ee5e00fe14fdbb6f72c2c7f4
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004022C0
??3@YAXPAX@Z.MSVCRT ref: 004022E4

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 48754dcb46d30000a161653d4b442f09f3969e34d9d7226318d7ba3c54d6dfdb
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: 48754dcb46d30000a161653d4b442f09f3969e34d9d7226318d7ba3c54d6dfdb
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: FindCloseChangeNotification.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040D985 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 0040E959 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040E946

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e2884d5c4436d752aeb19b459afcf7a21ebda84ca54877994c053e4b1708ebbb
Instruction ID: 4f8625dd4754cd58134d11a263ca8d259b443881af5e9d09f346c6a8c73fbf37
Opcode Fuzzy Hash: e2884d5c4436d752aeb19b459afcf7a21ebda84ca54877994c053e4b1708ebbb
Instruction Fuzzy Hash: 38D092B15197108EC3A4EF7AA8014867BE0AB04324321C97FA05AE3A60E679E8919B48

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D91A

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT(?), ref: 0040F446

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402F71

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?), ref: 0040F400

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT(00404F9B,00000000,00417794), ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT ref: 004035F9
??3@YAXPAX@Z.MSVCRT ref: 00403601
??3@YAXPAX@Z.MSVCRT ref: 00403609
??3@YAXPAX@Z.MSVCRT ref: 00403611
??3@YAXPAX@Z.MSVCRT ref: 00403619
??3@YAXPAX@Z.MSVCRT ref: 00403621
??3@YAXPAX@Z.MSVCRT ref: 00403629
_wtol.MSVCRT(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?), ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT ref: 004037B8
??3@YAXPAX@Z.MSVCRT ref: 004037C0
??3@YAXPAX@Z.MSVCRT ref: 004037C8
??3@YAXPAX@Z.MSVCRT ref: 004037D0
??3@YAXPAX@Z.MSVCRT ref: 004037D8
??3@YAXPAX@Z.MSVCRT ref: 004037E0
??3@YAXPAX@Z.MSVCRT ref: 004037E8
??3@YAXPAX@Z.MSVCRT ref: 004037EE
??3@YAXPAX@Z.MSVCRT ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: e80c2c7c9c30337434ae202b9345f2bbae47067eadd3a6865f328b5d077d7d03
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: e80c2c7c9c30337434ae202b9345f2bbae47067eadd3a6865f328b5d077d7d03
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT ref: 00402071
??3@YAXPAX@Z.MSVCRT ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT(?), ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

7zSfxString%d, xrefs: 00401FF7
\3A, xrefs: 00401FDB
XpA, xrefs: 00401FB4

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 00d9f3dbaef60b25cb29ca3c9b71c285db7f1e31c7e22736623b1f08098a1b6c
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 00d9f3dbaef60b25cb29ca3c9b71c285db7f1e31c7e22736623b1f08098a1b6c
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
%04X%c%04X%c, xrefs: 00401C8F
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT ref: 00407817
lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
??3@YAXPAX@Z.MSVCRT ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: ee3daf165df888f8cf12417ee57ec6736150a746ec063280ed1601aaee350fdd
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: ee3daf165df888f8cf12417ee57ec6736150a746ec063280ed1601aaee350fdd
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT ref: 00402C6E
??3@YAXPAX@Z.MSVCRT ref: 00402C79

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: cbe64e3294a226f75371eeebbcc0df377dd8d0393181b43033399503c37d4d64
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: cbe64e3294a226f75371eeebbcc0df377dd8d0393181b43033399503c37d4d64
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

uxtheme, xrefs: 00406D5E
SetWindowTheme, xrefs: 00406D70
\EA, xrefs: 00406D98

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT ref: 00404C72
??3@YAXPAX@Z.MSVCRT ref: 00404C7E
??3@YAXPAX@Z.MSVCRT ref: 00404C84
??3@YAXPAX@Z.MSVCRT ref: 00404CB2

Strings

:Repeat, xrefs: 00404B92
7ZSfx%03x.cmd, xrefs: 00404B58
if exist ", xrefs: 00404BC7
del ", xrefs: 00404B9F, 00404BA4, 00404BED
open, xrefs: 00404C63
", xrefs: 00404BB9, 00404BBE, 00404C02
" goto Repeat, xrefs: 00404BE0

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: d701faffb96b70708956d7dcad1a35af3dd98bc2c1ad9aac87790182f52bc143
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: d701faffb96b70708956d7dcad1a35af3dd98bc2c1ad9aac87790182f52bc143
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT(00000000), ref: 004047DC
_wtol.MSVCRT(00000000), ref: 004047F8

Strings

WarningTitle, xrefs: 00404697
CancelPrompt, xrefs: 00404831
|wA, xrefs: 0040464B
ErrorTitle, xrefs: 0040467F
OverwriteMode, xrefs: 00404721
Progress, xrefs: 004046C7
ExtractPathTitle, xrefs: 00404801
ExtractPathText, xrefs: 00404819
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractPathWidth, xrefs: 004047E5
ExtractDialogText, xrefs: 004047AD
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
ExtractCancelText, xrefs: 004047A1
GUIMode, xrefs: 004046F4
Title, xrefs: 00404611
ExtractDialogWidth, xrefs: 004047BE
ExtractTitle, xrefs: 004046AF

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT ref: 00402EFA
??3@YAXPAX@Z.MSVCRT ref: 00402F02

Strings

{\rtf, xrefs: 00402E09
riched20, xrefs: 00402E3D
STATIC, xrefs: 00402DDD
RichEdit20W, xrefs: 00402E8C

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 03bc8aed1f2fd14e0796ec378d4e1603c9b22b1f4049b08112cc7c601d8becca
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 03bc8aed1f2fd14e0796ec378d4e1603c9b22b1f4049b08112cc7c601d8becca
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004030F6
??3@YAXPAX@Z.MSVCRT ref: 004030FE
strncmp.MSVCRT(0040414C,{\rtf,00000005,00000000,00000000,hAA,00000000), ref: 004031F1
??3@YAXPAX@Z.MSVCRT ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT ref: 00403347

Strings

SetEnvironment, xrefs: 0040326B
hAA, xrefs: 0040309E
MiscFlags, xrefs: 004032C0
{\rtf, xrefs: 004031D6, 004031EB
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 37b83b528cee5bff266f161597e1daa105c3eade906d836347b77139c21a9d55
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 37b83b528cee5bff266f161597e1daa105c3eade906d836347b77139c21a9d55
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,771B0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C603

Strings

IA, xrefs: 0040C65E
IA, xrefs: 0040C4AF
IA, xrefs: 0040C4D9
IA, xrefs: 0040C74D
IA, xrefs: 0040C66E
IA, xrefs: 0040C4C6

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 7bf6366eaeb9bbf76c532100fed42691efd9f5029ef601207ee84b3e2d581991
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 7bf6366eaeb9bbf76c532100fed42691efd9f5029ef601207ee84b3e2d581991
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00408479

Strings

SetEnvironment, xrefs: 004083BC
WarningTitle, xrefs: 0040853A
HelpText, xrefs: 00408598
ErrorTitle, xrefs: 00408511
FinishMessage, xrefs: 00408417, 00408433
BeginPrompt, xrefs: 004084A4, 004084A9

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: ae15d440c4b3d9e9647c267e6cb73c3fb3bce30d1f7753c80179b2736dd90873
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: ae15d440c4b3d9e9647c267e6cb73c3fb3bce30d1f7753c80179b2736dd90873
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 2bd2451f76b80849c6418f82676d6df1705c30d3159f35cfb992603c3dda1804
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 2bd2451f76b80849c6418f82676d6df1705c30d3159f35cfb992603c3dda1804
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT ref: 00404156
??3@YAXPAX@Z.MSVCRT ref: 0040415E
??3@YAXPAX@Z.MSVCRT ref: 0040416D
??3@YAXPAX@Z.MSVCRT ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: 7b402cfd4295d74016b5bb06b24dac46c55acb133b38499d32aec029f1527224
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: 7b402cfd4295d74016b5bb06b24dac46c55acb133b38499d32aec029f1527224
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00404D3E
??3@YAXPAX@Z.MSVCRT ref: 00404DA0
??3@YAXPAX@Z.MSVCRT ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT ref: 0040349D

Strings

03A, xrefs: 00404CCF
;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 0c97e79e0e479b0f1639f596d6500e2484b74b374b2f73479e45b6ab58c67410
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 0c97e79e0e479b0f1639f596d6500e2484b74b374b2f73479e45b6ab58c67410
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000298), ref: 004075CD
ResumeThread.KERNEL32(00000298), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT ref: 004043B6

??3@YAXPAX@Z.MSVCRT ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
:Language:%u!, xrefs: 00404EB6
;!@Install@!UTF-8!, xrefs: 00404E4A

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b4eeade62b7bdf8fd6b73ce6cbeef51f2d63b9a6d8460ee019c94cdb70226998
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b4eeade62b7bdf8fd6b73ce6cbeef51f2d63b9a6d8460ee019c94cdb70226998
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004038C6
??3@YAXPAX@Z.MSVCRT ref: 00403904
??3@YAXPAX@Z.MSVCRT ref: 0040392A
??3@YAXPAX@Z.MSVCRT ref: 00403932

Strings

%%T/, xrefs: 004038E4
%%T\, xrefs: 004038A6

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 8304f33198ffb4682febe5eeee520fc38561a9ca8bcc59281fe4561157fed553
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 8304f33198ffb4682febe5eeee520fc38561a9ca8bcc59281fe4561157fed553
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403981
??3@YAXPAX@Z.MSVCRT ref: 004039BF
??3@YAXPAX@Z.MSVCRT ref: 004039E5
??3@YAXPAX@Z.MSVCRT ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c3772fe1aa1df8e3f102d6bd155878a24c20079af850fd37df3a213335787ddc
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c3772fe1aa1df8e3f102d6bd155878a24c20079af850fd37df3a213335787ddc
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403A3C
??3@YAXPAX@Z.MSVCRT ref: 00403A7A
??3@YAXPAX@Z.MSVCRT ref: 00403AA0
??3@YAXPAX@Z.MSVCRT ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 4bf28155caf3c0e3e70e3806f95481066414134a08221828c68301312901f378
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 4bf28155caf3c0e3e70e3806f95481066414134a08221828c68301312901f378
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

TJA, xrefs: 0040E4A1
4JA, xrefs: 0040E4AF
hJA, xrefs: 0040E49A
$JA, xrefs: 0040E4B6
DJA, xrefs: 0040E4A8
xJA, xrefs: 0040E493

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT ref: 0040AE00

??2@YAPAXI@Z.MSVCRT ref: 0040C245

Strings

IA, xrefs: 0040C11B
IA, xrefs: 0040C12D
IA, xrefs: 0040C0EC

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 25bd9c5d11500a263ce70e904d3ee1b17a650f17d05f8e34950ac6ada3abf85e
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 25bd9c5d11500a263ce70e904d3ee1b17a650f17d05f8e34950ac6ada3abf85e
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT ref: 0040E864
memcpy.MSVCRT ref: 0040E88D
??3@YAXPAX@Z.MSVCRT ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: b4a8c25ace2405613e396bab0ea8aa047c3f3994b68221911c6374fa7b748fe4
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: b4a8c25ace2405613e396bab0ea8aa047c3f3994b68221911c6374fa7b748fe4
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: a6d46403d3ab7c93de890dee3a90e086962fb6a60ba4a888f869f1a3a2cd4496
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: a6d46403d3ab7c93de890dee3a90e086962fb6a60ba4a888f869f1a3a2cd4496
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: d8d3263f117d054de406d40740ab212d70496f94eda5c21348b34193b536a31f
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: d8d3263f117d054de406d40740ab212d70496f94eda5c21348b34193b536a31f
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

kernel32, xrefs: 00402193
Wow64RevertWow64FsRedirection, xrefs: 0040218E

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT ref: 00402ADC
??3@YAXPAX@Z.MSVCRT ref: 00402AF7
??3@YAXPAX@Z.MSVCRT ref: 00402AFF

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: 50b584c12c0549c181a405badd4e291d8d0af70559505291a0452ef1c321a8e8
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: 50b584c12c0549c181a405badd4e291d8d0af70559505291a0452ef1c321a8e8
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT ref: 00402839

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: ea11be91e446348d531786061001a4dbe4b0a50377fce726b76dd95ab74a305a
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: ea11be91e446348d531786061001a4dbe4b0a50377fce726b76dd95ab74a305a
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT ref: 00403AFD
??3@YAXPAX@Z.MSVCRT ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT ref: 00403B1D

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 75fbe4f14149e316190ba2f6ce587c2ecc1a033a2c447ca3c193c20f3dddf7fa
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 75fbe4f14149e316190ba2f6ce587c2ecc1a033a2c447ca3c193c20f3dddf7fa
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT([G@,GUIFlags,00000000,00403CF4,00000000,0041734C,0040475B,00000000), ref: 00403C89

Strings

GUIFlags, xrefs: 00403C68
[G@, xrefs: 00403C64, 00403C88

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000007.00000002.1407693664.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1407677693.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407713915.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407730153.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1407746255.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: V3.exePID: 7404, Parent PID: 7368COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	1714
Total number of Limit Nodes:	21

Executed Functions

Function 00C84E5A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,3B9ACA00), ref: 00C84E6D
RtlAllocateHeap.NTDLL(00000000), ref: 00C84E74
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C84EA5
_wcsrchr.LIBVCRUNTIME ref: 00C84EB8
lstrlenW.KERNEL32(-00000002), ref: 00C84EDD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C84F14
RtlFreeHeap.NTDLL(00000000), ref: 00C84F1B
MulDiv.KERNEL32(00000001,80000000,80000000), ref: 00C84F30

Strings

@, xrefs: 00C84F04
, xrefs: 00C84EFA
(, xrefs: 00C84EFF

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFileFreeModuleName_wcsrchrlstrlen
String ID: $($@
API String ID: 443335681-2581157662
Opcode ID: f572c1157a40fc79fb1e3378acdf66bb6eb54ce023bfa7fd48d1129143011883
Instruction ID: 31653608bbe2e733ee5052eb89c65844150127c5ce14f85305215a88bb4c4cf3
Opcode Fuzzy Hash: f572c1157a40fc79fb1e3378acdf66bb6eb54ce023bfa7fd48d1129143011883
Instruction Fuzzy Hash: F421D472900312AEE73973A8AC4EB6F26689F0636DF210059FA16D71D1EA648E40C76D

Function 00C8C146 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00C8C255,00C8CAD9,?,00000000,00000000,00000000,?,00C8C3CE,00000022,FlsSetValue,00CA4078,00CA4080,00000000), ref: 00C8C207

Strings

ext-ms-, xrefs: 00C8C1B1
api-ms-, xrefs: 00C8C19D

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: bd9fd0d3a6cd147285edde4e9d5680331a2c7931fb2ea0ca725024f1fa39553c
Instruction ID: ebe723da7224d1c711086bee3dce5b37ab1ee528aa231b8f4bfef491a51f52a4
Opcode Fuzzy Hash: bd9fd0d3a6cd147285edde4e9d5680331a2c7931fb2ea0ca725024f1fa39553c
Instruction Fuzzy Hash: CC21A131A41121ABCB21AB65DCC9B6E7769EB427ACF250114ED25A7291D730EF00C7F5

Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00C92314

Part of subcall function 00C92098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
Part of subcall function 00C92098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00C92366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00C923C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C923F3

Strings

,, xrefs: 00C92344

Memory Dump Source

Source File: 0000000A.00000003.1322581708.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_c92000_V3.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: f89365abc64248be6907363aa4133c029b2b2ca6de5e108b616e42768d0fb864
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: D851F875900609AFCF10DFA9C885B9EBBF8FF08354F10851AF969A7240D370EA54CBA4

Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00C92314

Part of subcall function 00C92098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
Part of subcall function 00C92098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00C92366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00C923C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C923F3

Strings

,, xrefs: 00C92344

Memory Dump Source

Source File: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: f89365abc64248be6907363aa4133c029b2b2ca6de5e108b616e42768d0fb864
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: D851F875900609AFCF10DFA9C885B9EBBF8FF08354F10851AF969A7240D370EA54CBA4

Function 00C88946 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00C88A50,?,00C88940,00000000,?,?,00C88A50,A355C656,?,00C88A50), ref: 00C88957
TerminateProcess.KERNEL32(00000000,?,00C88940,00000000,?,?,00C88A50,A355C656,?,00C88A50), ref: 00C8895E
ExitProcess.KERNEL32 ref: 00C88970

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 56262cb792c6fdd98c077115b6689c564131978597db5e011687864d158f5382
Instruction ID: 20f952248a779c669fa9eeace5f259a24847aef6b6a204224a65aca7c7649906
Opcode Fuzzy Hash: 56262cb792c6fdd98c077115b6689c564131978597db5e011687864d158f5382
Instruction Fuzzy Hash: 3BD06731000214ABCF017F64DC0DB6D3F26EA41349B544010F91996421CF319955DB85

Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

Memory Dump Source

Source File: 0000000A.00000003.1322581708.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_c92000_V3.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 58d33a2286b1307ecf43942fa3a2943298be9470f27338292b4d4f4598374a42
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: ED718B71E0464AEFDF41CF98C985BEEBBF0AB09314F244095E5A5FB241C234AA91DF64

Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

Memory Dump Source

Source File: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 58d33a2286b1307ecf43942fa3a2943298be9470f27338292b4d4f4598374a42
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: ED718B71E0464AEFDF41CF98C985BEEBBF0AB09314F244095E5A5FB241C234AA91DF64

Function 00C8C211 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fe14b98b23b8db0bb6fca18f9a539814e89bf25d3200e81a8ae399b90e825c
Instruction ID: fc45c73e1f580a86bdcc59890c5a85c16fbf34c80725604f2d5be0a665bb746b
Opcode Fuzzy Hash: 06fe14b98b23b8db0bb6fca18f9a539814e89bf25d3200e81a8ae399b90e825c
Instruction Fuzzy Hash: 8F01F9332002105B9F15ABEDECC1F5B7365E7C63687204124F9159B194DA30D94597A4

Non-executed Functions

Function 00C855A9 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C855B5
IsDebuggerPresent.KERNEL32 ref: 00C85681
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C856A1
UnhandledExceptionFilter.KERNEL32(?), ref: 00C856AB

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c5aea1ab9153def1fcddbfcc968378f4eb72c29dd8123e1ffab48f73ddc6f173
Instruction ID: 2621a481be625396b0170af640a470487484e39ef7e9f30e54605e376c9e7dce
Opcode Fuzzy Hash: c5aea1ab9153def1fcddbfcc968378f4eb72c29dd8123e1ffab48f73ddc6f173
Instruction Fuzzy Hash: A0311A75D05318DBDB10EF64D989BCDBBB8AF04304F10419AE40DAB250EB719A84DF48

Function 00C89AB4 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C89BAC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C89BB6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C89BC3

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2f7bcc6a0a35ab72832932ec57ee5cf5bd1641e78e10547bb3ccacbd88eda1b8
Instruction ID: 4eab6468faac5f437fbbc9a7dbdaef36719ecf545970a0ab1efea1fa5907f6ef
Opcode Fuzzy Hash: 2f7bcc6a0a35ab72832932ec57ee5cf5bd1641e78e10547bb3ccacbd88eda1b8
Instruction Fuzzy Hash: DC31D2749012289BCB21EF28D889BDDBBB8FF08314F5041EAE41DA7250E7709B85CF48

Function 00C92277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.1322581708.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_c92000_V3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: a038c646b6034cfeac575c1a50066f44b59d435e7a24f5f0d8d45ffb79ec1308
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 25F06D79A00A00EF8F24CF0AC54CC95B7F6FB9573076545A5E414DB221D3B0EE44DBA1

Function 00C92277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: a038c646b6034cfeac575c1a50066f44b59d435e7a24f5f0d8d45ffb79ec1308
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 25F06D79A00A00EF8F24CF0AC54CC95B7F6FB9573076545A5E414DB221D3B0EE44DBA1

Function 00C872D1 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00C873F0
___TypeMatch.LIBVCRUNTIME ref: 00C874FE
CatchIt.LIBVCRUNTIME ref: 00C8754F
_UnwindNestedFrames.LIBCMT ref: 00C87650
CallUnexpected.LIBVCRUNTIME ref: 00C8766B

Strings

csm, xrefs: 00C8737B
csm, xrefs: 00C87427
csm, xrefs: 00C8730E

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 7491a99dfacc17c0c41d9b646fce20c1fc267aaef62a45dfa597410e0385ad7d
Instruction ID: 694fc79b722ea21ba920f02c7764915414563fbc587242b3ecffcccd08f6936a
Opcode Fuzzy Hash: 7491a99dfacc17c0c41d9b646fce20c1fc267aaef62a45dfa597410e0385ad7d
Instruction Fuzzy Hash: A9B1BF71804209DFCF24FFA4C8419AEBB75FF14318B204269F8246B251E334DA11DFA9

Function 00C863D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00C86407
___except_validate_context_record.LIBVCRUNTIME ref: 00C8640F
_ValidateLocalCookies.LIBCMT ref: 00C86498
__IsNonwritableInCurrentImage.LIBCMT ref: 00C864C3
_ValidateLocalCookies.LIBCMT ref: 00C86518

Strings

csm, xrefs: 00C864AD

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 447855caa1277fb177eee459a27caa4790849fc0b4788bd38c7e5f682fae6ed4
Instruction ID: ea661366727beb88e9c0a4e6659ca3dae7a5dd08f6ec930108a4268d45529dc3
Opcode Fuzzy Hash: 447855caa1277fb177eee459a27caa4790849fc0b4788bd38c7e5f682fae6ed4
Instruction Fuzzy Hash: 60419634A00219ABCF10EF68C845A9EBBB5AF4532CF148165ED296B392D731EB05CB94

Function 00C86921 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00C86918,00C8674C,00C8578C), ref: 00C8692F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C8693D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C86956
SetLastError.KERNEL32(00000000,00C86918,00C8674C,00C8578C), ref: 00C869A8

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eb0fd206248edcb3d0302f75c16a04e22fda446412fc59ecd2141ef351897a91
Instruction ID: eb89008400b4b31f1101200ac41d5a2965c9c7f5f6f6ca98b58679617ba03924
Opcode Fuzzy Hash: eb0fd206248edcb3d0302f75c16a04e22fda446412fc59ecd2141ef351897a91
Instruction Fuzzy Hash: FD0184336093125EAA1537B9AC8A72F26A5EB0A7BD7200229F230571E0FF715C01E35D

Function 00C8A6EB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, xrefs: 00C8A707

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe
API String ID: 0-534682801
Opcode ID: 0d3c1cfc3d7d9ffdcb951bb60ac7f1608307b94cfa9b34714442ada13a4d3144
Instruction ID: cb23736f3d6854e2e4664a3421116ed3207319f86fbde57d1990837fe4581140
Opcode Fuzzy Hash: 0d3c1cfc3d7d9ffdcb951bb60ac7f1608307b94cfa9b34714442ada13a4d3144
Instruction Fuzzy Hash: FC216D31600605BFAB20BF65DC80A6B77B9EF4036D7108526F826D7151DB30FD50B7AA

Function 00C88990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A355C656,?,?,00000000,00C914CF,000000FF,?,00C8896C,00C88A50,?,00C88940,00000000), ref: 00C889C5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C889D7
FreeLibrary.KERNEL32(00000000,?,?,00000000,00C914CF,000000FF,?,00C8896C,00C88A50,?,00C88940,00000000), ref: 00C889F9

Strings

CorExitProcess, xrefs: 00C889CF
mscoree.dll, xrefs: 00C889BE

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: aad7742f132fdc104d78733f28345abd61d5ce404dc3ac297db873fce620011e
Instruction ID: 7f7893b85bc82dda9c73d063ae449f11ea7bf2773d2c07c2e0113082af6bdaa8
Opcode Fuzzy Hash: aad7742f132fdc104d78733f28345abd61d5ce404dc3ac297db873fce620011e
Instruction Fuzzy Hash: 4C016232A40626AFDB159B54CC05BAEBBB9FB05B18F000625ED21A2690DF749904CB95

Function 00C87676 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00C8769B
CatchIt.LIBVCRUNTIME ref: 00C87781

Strings

RCC, xrefs: 00C876B5
MOC, xrefs: 00C876AD

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 3334fffe365c5eeb709bed31fc5bd8739038e84d69b4937c470b4dd4699a7406
Instruction ID: 4316c5717da21b5c997a0ffefe8c1cb4dfdf84f404fae175c209b1ddea877ea7
Opcode Fuzzy Hash: 3334fffe365c5eeb709bed31fc5bd8739038e84d69b4937c470b4dd4699a7406
Instruction Fuzzy Hash: 16416072900109AFDF16EF98CD81AEEBBB5FF48308F244199F914A7251E335DA50DB58

Function 00C86B43 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00C86AF4,00000000,?,00CA9C78,?,?,?,00C86C97,00000004,InitializeCriticalSectionEx,00CA2CC0,InitializeCriticalSectionEx), ref: 00C86B50
GetLastError.KERNEL32(?,00C86AF4,00000000,?,00CA9C78,?,?,?,00C86C97,00000004,InitializeCriticalSectionEx,00CA2CC0,InitializeCriticalSectionEx,00000000,?,00C86A17), ref: 00C86B5A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00C86B82

Strings

api-ms-, xrefs: 00C86B67

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a4a6416243f0acdeef67e6444b1f917fe2c90c6be497611e1dc0b4305b13b15f
Instruction ID: 5a3ba4c341144544088c439c31b643791dc48272bce2bc46341893ff5235ab7f
Opcode Fuzzy Hash: a4a6416243f0acdeef67e6444b1f917fe2c90c6be497611e1dc0b4305b13b15f
Instruction Fuzzy Hash: BDE04830240215FBEF202B65DC06F6D3A55AB11B9DF104020FD0DE61E1D772D950DB59

Function 00C8DF81 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A355C656,00000000,00000000,?), ref: 00C8DFE4

Part of subcall function 00C8B2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8DC5F,?,00000000,-00000008), ref: 00C8B31A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C8E236
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C8E27C
GetLastError.KERNEL32 ref: 00C8E31F

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 06411595a482694df0d698daa8f7aa2d3f9b34d90dd930c06644d3dcc885027b
Instruction ID: cd2cd2446b5adb3e234bb96c357330282338d8d72e5b472a0828f4e9e1ecb48e
Opcode Fuzzy Hash: 06411595a482694df0d698daa8f7aa2d3f9b34d90dd930c06644d3dcc885027b
Instruction Fuzzy Hash: A9D18A71D002589FCB15DFA8C880AEDBBB5FF09308F24452AE866EB251D730A941CB54

Function 00C8707A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00C87141
___AdjustPointer.LIBCMT ref: 00C87164
___AdjustPointer.LIBCMT ref: 00C87200

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 035ab2966dd2c68f163c85f2a051aa424f347b2d05d80397a1ee1c7d23434513
Instruction ID: b16fc600604a7108474670f66450c27c4f1d5f08d0ba924144b6eee535c8cde6
Opcode Fuzzy Hash: 035ab2966dd2c68f163c85f2a051aa424f347b2d05d80397a1ee1c7d23434513
Instruction Fuzzy Hash: A751E572608602AFDB28AF15D849B7EB7A5EF4030CF34422DE819475A1F731ED80D798

Function 00C89F05 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00C8B2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8DC5F,?,00000000,-00000008), ref: 00C8B31A

GetLastError.KERNEL32 ref: 00C89F69
__dosmaperr.LIBCMT ref: 00C89F70
GetLastError.KERNEL32(?,?,?,?), ref: 00C89FAA
__dosmaperr.LIBCMT ref: 00C89FB1

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 89f8b8a7287b480e136eabc3bb80545ac4cf6efe3ab8cefbe2667a069bdc8eaa
Instruction ID: 09181a2a71afddd6ce67027a66fd3b1a03ff58c8ee10a15291ea8edaaa0ed705
Opcode Fuzzy Hash: 89f8b8a7287b480e136eabc3bb80545ac4cf6efe3ab8cefbe2667a069bdc8eaa
Instruction Fuzzy Hash: C321F631604615BFDB24BFA6C88097BB7A9FF403AC7098529FA69C7200E730ED409769

Function 00C8B35C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C8B364

Part of subcall function 00C8B2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8DC5F,?,00000000,-00000008), ref: 00C8B31A

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C8B39C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C8B3BC

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f95d842ec72af4efbe7b8f74f6b6e5a592a5e24904ceb612784aadbfcac56394
Instruction ID: 0e05af10d78dfa830e3b5a7cda759d45345fc2c74d7a6f9f60901d276bf6e1bb
Opcode Fuzzy Hash: f95d842ec72af4efbe7b8f74f6b6e5a592a5e24904ceb612784aadbfcac56394
Instruction Fuzzy Hash: 6511C0B2609616BFA61137B69CCAD7F696CDE853AC3110024FA01D2111EF60DE00A3B8

Function 00C8F756 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C8EF14,00000000,00000001,00000000,?,?,00C8E373,?,00000000,00000000), ref: 00C8F76D
GetLastError.KERNEL32(?,00C8EF14,00000000,00000001,00000000,?,?,00C8E373,?,00000000,00000000,?,?,?,00C8E916,00000000), ref: 00C8F779

Part of subcall function 00C8F73F: CloseHandle.KERNEL32(FFFFFFFE,00C8F789,?,00C8EF14,00000000,00000001,00000000,?,?,00C8E373,?,00000000,00000000,?,?), ref: 00C8F74F

___initconout.LIBCMT ref: 00C8F789

Part of subcall function 00C8F701: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C8F730,00C8EF01,?,?,00C8E373,?,00000000,00000000,?), ref: 00C8F714

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00C8EF14,00000000,00000001,00000000,?,?,00C8E373,?,00000000,00000000,?), ref: 00C8F79E

Memory Dump Source

Source File: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C30000, based on PE: true

Associated: 0000000A.00000002.1327818880.0000000000C30000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327880482.0000000000C92000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327897453.0000000000CA2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327912247.0000000000CA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1327928478.0000000000CAB000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c30000_V3.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 765d86b939dfce0fc6eed3f71abef189f308bd2f22499bb22f6645d8da45bdc7
Instruction ID: 5119cf6c6ff4aea32c5e8aed2c40b5444eb4883bc538e341b8b29ca843860150
Opcode Fuzzy Hash: 765d86b939dfce0fc6eed3f71abef189f308bd2f22499bb22f6645d8da45bdc7
Instruction Fuzzy Hash: FEF01C36001128BBCF222F96DC09B8E3F66FB0A3A8F114024FA1886120D6328921EB94

Analysis Process: OpenWith.exePID: 7560, Parent PID: 6120COMMON

Executed Functions

Function 027202D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 02720326

Part of subcall function 027200A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027200CD
Part of subcall function 027200A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02720279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 02720378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 027203E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02720407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 0272042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02720456
FindCloseChangeNotification.KERNELBASE(?), ref: 02720471

Strings

,, xrefs: 02720356

Memory Dump Source

Source File: 0000000D.00000003.1327127370.0000000002720000.00000040.00000001.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2720000_OpenWith.jbxd

Similarity

API ID: Virtual$Alloc$Free$ChangeCloseFileFindNotificationProtectView
String ID: ,
API String ID: 2870039258-3772416878
Opcode ID: 34919759cab89c45596a3336aca0d90db3a2564f30e7825e5c793611e7351f71
Instruction ID: 87aaf5334d7315dade746424b3f0b7bbbb3da8ed1472b65f6cab41f3b729bbaa
Opcode Fuzzy Hash: 34919759cab89c45596a3336aca0d90db3a2564f30e7825e5c793611e7351f71
Instruction Fuzzy Hash: 79611AB5900219EFDB20DFA9C984ADEBBB9FF18354F14C42AE959A7240D730E954CF60

Function 027200A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027200CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02720279

Memory Dump Source

Source File: 0000000D.00000003.1327127370.0000000002720000.00000040.00000001.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2720000_OpenWith.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: ac5fa2144b5f9463c6d062c705db67bebeab23e09a61ad3b38609ae2b78110f1
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 90719971E0425ADFDB41CF98C881BEEBBF0AB19314F284096E465FB241C334AA95CF64

Analysis Process: OpenWith.exePID: 7724, Parent PID: 6120COMMON

Execution Graph

Execution Coverage:	34.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	73.3%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007DF4218AB498 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 544nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AB56E
_calloc_dbg.MSVCRT ref: 00007DF4218AB58B
DuplicateHandle.KERNELBASE ref: 00007DF4218AB620
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB6CB
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB724
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB763
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB7AA
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB7E7
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB86D
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB8CC
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB9B2
NtAcceptConnectPort.NTDLL ref: 00007DF4218AB9EC
NtAcceptConnectPort.NTDLL ref: 00007DF4218ABA19

Strings

H, xrefs: 00007DF4218AB94F
,, xrefs: 00007DF4218AB59E
H, xrefs: 00007DF4218AB934

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$DuplicateHandle_calloc_dbg
String ID: ,$H$H
API String ID: 2166852705-438696205
Opcode ID: 9fb62eb4d8959293fc2d40b19de36242d3d29fe68d1ba52932dcd9bec1ad6912
Instruction ID: 7f24081f1a051586425b28dfa20fbf69650cef5226eb57821f81074d02f2297c
Opcode Fuzzy Hash: 9fb62eb4d8959293fc2d40b19de36242d3d29fe68d1ba52932dcd9bec1ad6912
Instruction Fuzzy Hash: BB02723061CA889BD768DF58D8856AAB7E1FFD8301F50453FE58FC3291DA74A9418B82

Function 00007DF4218ABCC0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL ref: 00007DF4218ABD18
NtAcceptConnectPort.NTDLL ref: 00007DF4218ABD8F
NtAcceptConnectPort.NTDLL ref: 00007DF4218ABE50
??3@YAXPEAX@Z.MSVCRT ref: 00007DF4218ABE55

Strings

@, xrefs: 00007DF4218ABD48
, xrefs: 00007DF4218ABD7F
0, xrefs: 00007DF4218ABD32

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPathPort$??3@NameName_
String ID: $0$@
API String ID: 2039965879-2347541974
Opcode ID: d8fdb236a247b9205c502de8d0d979f89367b2180e7993cbf521bb03780d7e1e
Instruction ID: 4ad5cad61c48608c1ef6e791c9cf9a5bcbe8920bde35e5cdb481f2fa664fd290
Opcode Fuzzy Hash: d8fdb236a247b9205c502de8d0d979f89367b2180e7993cbf521bb03780d7e1e
Instruction Fuzzy Hash: 0B514D70528B889FD764DF28D8857AA77E0FF89714F10452FE58EC6241DB74E4858B83

Function 000001F665D830C7 Relevance: 10.9, APIs: 7, Instructions: 390memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001F665D83810
RtlAllocateHeap.NTDLL ref: 000001F665D8386D
NtAcceptConnectPort.NTDLL ref: 000001F665D83957
NtAcceptConnectPort.NTDLL ref: 000001F665D839E4
NtAcceptConnectPort.NTDLL ref: 000001F665D83AA3
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001F665D83AC0
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001F665D83AD2

Memory Dump Source

Source File: 00000011.00000003.1431623286.000001F665D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F665D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_1f665d80000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$AllocateBoundaryDeleteDescriptorHeap
String ID:
API String ID: 3472209132-0
Opcode ID: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
Instruction ID: 58c0920b26298e81344ac014f07e0ba7206bb82c95b10629b20dcefd28170439
Opcode Fuzzy Hash: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
Instruction Fuzzy Hash: 90C15430618B499FDB58EF18D885BA9B7E1FBD8310F00562DE48EC7296DB34E845C786

Function 00007DF4218ABE6C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218ABF3A

Strings

0, xrefs: 00007DF4218ABED8
, xrefs: 00007DF4218ABF2A
@, xrefs: 00007DF4218ABEEE

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID: $0$@
API String ID: 1658770261-2347541974
Opcode ID: e038bc6975502a75aa15522c9d2aad796b46013016ac9629b0cf3dc02c1d6b17
Instruction ID: dcff11d0a0becf6e0c750c829e373bbbd451fc6a5a939130048135fade140711
Opcode Fuzzy Hash: e038bc6975502a75aa15522c9d2aad796b46013016ac9629b0cf3dc02c1d6b17
Instruction Fuzzy Hash: 4351293060CB899FE764DB68C894BABB7E4EFD8301F10452EE58AC2250DB79D4448B42

Function 000001F664381CD0 Relevance: 4.8, APIs: 3, Instructions: 278
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 000001F664381E6B
NtAcceptConnectPort.NTDLL ref: 000001F664381F6E
FindCloseChangeNotification.KERNELBASE ref: 000001F664381F77

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: AcceptAllocateChangeCloseConnectFindHeapNotificationPort
String ID:
API String ID: 3171316915-0
Opcode ID: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
Instruction ID: ec9478fb73ce4f0de96cc5cd2e4b8460ef5a343edf851cfa665398ec6b077522
Opcode Fuzzy Hash: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
Instruction Fuzzy Hash: 64910730508E099FDB64EF1DC4817F5B7E1FB94320F14466EE49BD3296DA34E8868B81

Function 000001F664381A90 Relevance: 4.6, APIs: 3, Instructions: 150
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 000001F664381AD5

Part of subcall function 000001F66438185C: GetProcessMitigationPolicy.KERNELBASE ref: 000001F66438192F

NtAcceptConnectPort.NTDLL ref: 000001F664381BCF
RtlAddVectoredExceptionHandler.NTDLL ref: 000001F664381BEA

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$ExceptionHandlerMitigationPolicyProcessVectored
String ID:
API String ID: 1453854198-0
Opcode ID: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
Instruction ID: c1f00eb18d0c222a5bc9136956226498b987a5cca9654eb38f3fba95cca84879
Opcode Fuzzy Hash: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
Instruction Fuzzy Hash: 8741E230208B498FDB44DF2C98897E57BD1FB59320F0443AEE8AACB2D7DA34D9058795

Function 00007DF4218A1B18 Relevance: 4.6, APIs: 3, Instructions: 110pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE ref: 00007DF4218A1BCF
BindIoCompletionCallback.KERNEL32 ref: 00007DF4218A1C06
ConnectNamedPipe.KERNELBASE ref: 00007DF4218A1C17

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: NamedPipe$BindCallbackCompletionConnectCreate
String ID:
API String ID: 2502124517-0
Opcode ID: 584620923d8bee05c4cd2b55fbc688861300e251001a2660cae9de72a1f183dd
Instruction ID: 64b8bb67e79c3d72e16fa9ff115de49c8366427fd1cbc6ff9b5fd4f55434d9c6
Opcode Fuzzy Hash: 584620923d8bee05c4cd2b55fbc688861300e251001a2660cae9de72a1f183dd
Instruction Fuzzy Hash: 96316070608A888FD794EF28D8D87AA77E5FF94310F50463AD09BC61D0DF78D9858B81

Function 00007DF4218AC7CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

0, xrefs: 00007DF4218AC82B

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d4dd2c9ec2e40b847152b417cb6d645fdeafd31ca8a11a7a04321dd5438b40c0
Instruction ID: 0a16067baa0cfda69170228bd0d7fe656eef65cb563b3f7caea63be36071dc7a
Opcode Fuzzy Hash: d4dd2c9ec2e40b847152b417cb6d645fdeafd31ca8a11a7a04321dd5438b40c0
Instruction Fuzzy Hash: BB218E31A0CA8C9FD754DE6988C476A76E1FFD8365F50093FE64AC3290D738A8848741

Function 00007DF4218AC70C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

0, xrefs: 00007DF4218AC764

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 47ebd45c6b9b16ee77b28bcb10b07460bf5cba96d3288197dd2caf634787b8b3
Instruction ID: c8da03868d6437232c992927b5192eb6ac5cceb1f9f2d687622aac6bfa74ec3c
Opcode Fuzzy Hash: 47ebd45c6b9b16ee77b28bcb10b07460bf5cba96d3288197dd2caf634787b8b3
Instruction Fuzzy Hash: C9216031B1C98C5FE7949E9C98C867B7AE0EFD8351F60053FE64EC3250DB68A9848781

Function 00007DF421882634 Relevance: 3.3, APIs: 2, Instructions: 293threadinjectionCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007DF42188273A
SuspendThread.KERNELBASE ref: 00007DF42188277C

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ChangeCloseFindNotificationSuspendThread
String ID:
API String ID: 186804629-0
Opcode ID: ee8ed1484b309d5b480d9ed41d064abcb8b4e034361352156597246fbc6f772d
Instruction ID: 8a86c96654bc11ec4274cb1fb9ed9dcef36183e497c816d4b2a9390665e8f2d5
Opcode Fuzzy Hash: ee8ed1484b309d5b480d9ed41d064abcb8b4e034361352156597246fbc6f772d
Instruction Fuzzy Hash: B291C430A1CA599BEB68AB18DCD557A73E2FF85350B15417EE04FC7585CA38EC42CB82

Function 00007DF4218822DC Relevance: 3.2, APIs: 2, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007DF4218822F4
VirtualAlloc.KERNELBASE ref: 00007DF4218823C0

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 10974d638571623cb466fc5259723849182c6a649d453933aa228a33d07da908
Instruction ID: 2b7407fcada0607c5a85d6fa85a24d705a3bd514f1840473474b38f60778b389
Opcode Fuzzy Hash: 10974d638571623cb466fc5259723849182c6a649d453933aa228a33d07da908
Instruction Fuzzy Hash: CD51B33061CE5D5FE755AA6C98D876A72E2FB98340F05013AD44FC31A5EA68EC85C782

Function 000001F664380AC8 Relevance: 3.2, APIs: 2, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 000001F664380BFD
NtAcceptConnectPort.NTDLL ref: 000001F664380C47

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 82f3aeb1d2454658223fb6d5b21d23051085e6a8eeabdc877af9343281df37cc
Instruction ID: 529b1f3278966b73b0e3478e8bc785bbce7651bc811b9ad45704ff92938c05ac
Opcode Fuzzy Hash: 82f3aeb1d2454658223fb6d5b21d23051085e6a8eeabdc877af9343281df37cc
Instruction Fuzzy Hash: B7417E30919A150EE338E62E88866BDFBE2F7D6319F30457EE4E7C6192D939C6438741

Function 00007DF4218D4088 Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF4218D41A9), ref: 00007DF4218D40B5

Part of subcall function 00007DF4218D3C98: ioctlsocket.WS2_32 ref: 00007DF4218D3CC4

bind.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF4218D41A9), ref: 00007DF4218D413A

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: bindioctlsocketsocket
String ID:
API String ID: 3555158474-0
Opcode ID: 1cbeedcb49cdd83f56073e3a9aa9cf65c2d138516cd5c7d59cce1983b39e0131
Instruction ID: e5571def06fb92fda6c82c017af66a03a9d489c2af5869dc7a9057e6070b630a
Opcode Fuzzy Hash: 1cbeedcb49cdd83f56073e3a9aa9cf65c2d138516cd5c7d59cce1983b39e0131
Instruction Fuzzy Hash: CE21D630708A444FEB4CAF78ECC966633E1EBA5325F10067AD82FC76D5DA289C058651

Function 00007DF4218AD2F4 Relevance: 3.1, APIs: 2, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AD361
NtAcceptConnectPort.NTDLL ref: 00007DF4218AD3B8

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 98531d878e0ad7d3d6690ce9736b63ba0a61470b6d8d195234036ffb9fe9491b
Instruction ID: 4f908b113eb82b0a6dafa4f7f01130a1368abbd4f328af3e9d12caf753a91fde
Opcode Fuzzy Hash: 98531d878e0ad7d3d6690ce9736b63ba0a61470b6d8d195234036ffb9fe9491b
Instruction Fuzzy Hash: 2E21EF3051CE489FDB49EB58D884B6677F1FBAD341F00462AE44AC36A4EBB5E984CB41

Function 00007DF4218AD3C0 Relevance: 3.1, APIs: 2, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AD42D
NtAcceptConnectPort.NTDLL ref: 00007DF4218AD481

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 9166209b5f367574360b80d64ced2ea26e8fa752ef609ccd6263efb912702e76
Instruction ID: e0e2e66ba520bb9bb29ee18aa622c33f2e4a549b83833a4ac1ad260c9ec5cd5f
Opcode Fuzzy Hash: 9166209b5f367574360b80d64ced2ea26e8fa752ef609ccd6263efb912702e76
Instruction Fuzzy Hash: C921123151CA498FDB55EF58D888BA673F1FBE9341F00452EE44AC36A0DBB5E884CB41

Function 00007DF4218DB104 Relevance: 1.8, APIs: 1, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6300fb348d49a47f7ce5e25661db4a1277b3c7de01d4304b532d2da97ee81cb4
Instruction ID: 675b4bc7042c5a46ac9862ce4d67122b0c09aee3b20f2a93eb0a9e4cd746f719
Opcode Fuzzy Hash: 6300fb348d49a47f7ce5e25661db4a1277b3c7de01d4304b532d2da97ee81cb4
Instruction Fuzzy Hash: 70C18130608A549FDB68EF28C8C57AA77E0FB89700F14467ED84FCB696D734A851CB91

Function 00007DF4218AC47C Relevance: 1.8, APIs: 1, Instructions: 260nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AC53C

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1a40425d81a0dda3cd82788b19327da5a379df3b5c3bd351d49e58af76a5eeec
Instruction ID: 223ff4ab5996e9e7c2aeb8e5df67d68c105b0cbb58bf77d84fe167e61c3b0fb6
Opcode Fuzzy Hash: 1a40425d81a0dda3cd82788b19327da5a379df3b5c3bd351d49e58af76a5eeec
Instruction Fuzzy Hash: 6C817231A1CB8D9BEB65DA58989466BB3E0FFD4340F50563BF58BC7190EB68F8408681

Function 00007DF4218D4520 Relevance: 1.7, APIs: 1, Instructions: 167networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007DF4218D45BF

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 7916fdf4d3e942b440d7f5c412e90116e139ebed5d60f444feec34680a904e5a
Instruction ID: 433af34013b0f5ff40f37bcfc74de91a638b0cd20f7a01f94af9edd6466b4334
Opcode Fuzzy Hash: 7916fdf4d3e942b440d7f5c412e90116e139ebed5d60f444feec34680a904e5a
Instruction Fuzzy Hash: 29512770508B899FEBA8EF29D8C8B9677E0FF94314F50056AD44BC7961DB39E844CB41

Function 00007DF4218AC10C Relevance: 1.6, APIs: 1, Instructions: 121nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AC187

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 5c97c20283281d0f686864c64b2abe35391f7ab31688f0fa8af160c1736108da
Instruction ID: fa8061214311007d8179a54196288c3e3787311b3af9fae363fcf3e16f18b404
Opcode Fuzzy Hash: 5c97c20283281d0f686864c64b2abe35391f7ab31688f0fa8af160c1736108da
Instruction Fuzzy Hash: 9531A131B1CE4D6FEB585E189CC557A73E0EF89325F20463FEA4FC3291DA18B8028681

Function 00007DF4218A2258 Relevance: 1.6, APIs: 1, Instructions: 114encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007DF4218A22E1

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a07a12428c7964199d363ccabf4b149c9f1c56c6408fd6f078d364f4c66a6574
Instruction ID: fe076b2313c9a1fd04698ed2d963bfd7d4941b83a9826ce29d5b36ba59d79cdf
Opcode Fuzzy Hash: a07a12428c7964199d363ccabf4b149c9f1c56c6408fd6f078d364f4c66a6574
Instruction Fuzzy Hash: A931723071CA885FD758DB58D88966BB7E2EFC9341F50453EE58AC3251DA74D8418B42

Function 000001F6643815AC Relevance: 1.6, APIs: 1, Instructions: 76
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,00000000,000001F664381E16), ref: 000001F664381640

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 835a411c94ef729b3118f684f14c42465dca72cdcacd8c0bc7bbe2bb8e6fff18
Instruction ID: 68d5deb407fe26c1f082026f4cec096c6c80b1f8e2b3070a69941fcfb9d662c5
Opcode Fuzzy Hash: 835a411c94ef729b3118f684f14c42465dca72cdcacd8c0bc7bbe2bb8e6fff18
Instruction Fuzzy Hash: D5219371508B098FEB54DF58C4C96AAFBE1FB68305F040A3EE49AD7260D730D884CB41

Function 00007DF4218AAC0C Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAC70

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: d99824a7b56689602d55d9b975c23b4966fb1dfc1a28fa016acf5b8b83f0fdf8
Instruction ID: d841494474a3f5a558d0f5f5493a6b40fd9f932b1f5fe8231cd50afa829c4412
Opcode Fuzzy Hash: d99824a7b56689602d55d9b975c23b4966fb1dfc1a28fa016acf5b8b83f0fdf8
Instruction Fuzzy Hash: 66F0623491C7C49FDBA0EB688480B9ABBF0BBAA350F544A1EE8CCC3211D73595848B43

Function 00007DF4218AADD4 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAE23

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: af3340e2b301fb20eba4bd36f70d30fdbe005acca17dd1e0c445e9428843075b
Instruction ID: 5973225f19a5277b416901d33b7d8b37b483e83b1efc55eda5b3186287b169d0
Opcode Fuzzy Hash: af3340e2b301fb20eba4bd36f70d30fdbe005acca17dd1e0c445e9428843075b
Instruction Fuzzy Hash: 86F0D070A1CB848FDBA4EF2CD4C5B5977E1FB98300F50451AE44CC3245DB3498848B46

Function 00007DF4218AAF60 Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,00000000,?,?,00000000,00007DF42189341C), ref: 00007DF4218AAF8A

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1d9a6f3c19fc3a1664a9a6811ff4ba6c27299ee4e4794d390710366357d59dbc
Instruction ID: 3ce863771c24511ec9815e8a9d4627af9eafbc55e5dcd6b5797b555e9f226877
Opcode Fuzzy Hash: 1d9a6f3c19fc3a1664a9a6811ff4ba6c27299ee4e4794d390710366357d59dbc
Instruction Fuzzy Hash: 83E09271618A488FDB04DF98CCC186AB3F4FBD9300F004D7BE88AC7164D274E698CA82

Function 00007DF4218AAD14 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAD2F

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 4927af5c10e17f27f2edd3b7dd4d43612d79bd47543f67f71f12626d98bff908
Instruction ID: 44ad22ff6b71b5a1d1d8ac20430f073337ca410c781d782f28102146b08b1aad
Opcode Fuzzy Hash: 4927af5c10e17f27f2edd3b7dd4d43612d79bd47543f67f71f12626d98bff908
Instruction Fuzzy Hash: FED05E38E68AC94BE610A728894021A36E2FFD5308F904625D889C2250D23CE4018382

Function 00007DF4218AACE8 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAD03

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: a9327488733b823840a3f29582a089392b2a1446868cb63a967a810240f58cb8
Instruction ID: 6c853213fabd2d7a89a8ca7a0a5108db0716eda2e29dbb407cf80726018a3741
Opcode Fuzzy Hash: a9327488733b823840a3f29582a089392b2a1446868cb63a967a810240f58cb8
Instruction Fuzzy Hash: 19D0A730D6CB894BD610B728CC8061637F1FFD4305F944625D88EC3240D23CE44183C6

Function 00007DF4218AAE5C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAE77

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: eb8f498348e5c7f372421b27a3827434041340d731fc3728b954386bc4ea4cc4
Instruction ID: 97d99beb0c9a37cb07dcfb3822d3cf69b2440984d44853db4e8168537db0ea0c
Opcode Fuzzy Hash: eb8f498348e5c7f372421b27a3827434041340d731fc3728b954386bc4ea4cc4
Instruction Fuzzy Hash: 1FD05E20A28A894BD650A728898030637E2FBD9304F914625E44EC2200D23CE41143C2

Function 00007DF4218AACC8 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AACD8

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 333093483b5b65ac6ab85e83ccc52a142bbc301cae1d85d61a22b47e66de8b6c
Instruction ID: 4be0369c48b7e8e74d6f64da04f8ef67aafbff305c5419e040d9616c22706dbd
Opcode Fuzzy Hash: 333093483b5b65ac6ab85e83ccc52a142bbc301cae1d85d61a22b47e66de8b6c
Instruction Fuzzy Hash: DDC08C20A2C80B2BF92462B94CC065520A0AF8C304F820022E80AC2580E42CE4E09392

Function 00007DF4218AAF40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF4218AAF50

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 953671860da08bf31fab518e05a010f803d920f951da2702e38e3d0cf3acdea6
Instruction ID: f0f5aa8286fc66391b883e00b05d637c5091485ad3ee71221f9181c118e8e90a
Opcode Fuzzy Hash: 953671860da08bf31fab518e05a010f803d920f951da2702e38e3d0cf3acdea6
Instruction Fuzzy Hash: 99C08C00AA980BABE90C62AAACC035920A4AF88300F800022E40EC29C0E42EE4D44392

Function 00007DF4218965E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF421896640
VirtualProtect.KERNELBASE ref: 00007DF421896669
VirtualProtect.KERNELBASE ref: 00007DF421896685
VirtualProtect.KERNELBASE ref: 00007DF4218966B0

Strings

rE\, xrefs: 00007DF4218965FE

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID: rE\
API String ID: 544645111-988334199
Opcode ID: dc7abe3753608a406b2e8c4677f2e3e348cb1d8b9abc271147da51083885c1c3
Instruction ID: edffda9bb1467faf4408997dc313cfae8510db6a3579cb8050d219e8e3253def
Opcode Fuzzy Hash: dc7abe3753608a406b2e8c4677f2e3e348cb1d8b9abc271147da51083885c1c3
Instruction Fuzzy Hash: 84217F317189485FEB45F758E8D1AAB72E6FBD8740F10003AE84BC3285DE28ED4587C2

Function 000001F665D833B0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001F665D83527
RtlAllocateHeap.NTDLL ref: 000001F665D8367A
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001F665D836F9

Strings

l, xrefs: 000001F665D833D6

Memory Dump Source

Source File: 00000011.00000003.1431623286.000001F665D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F665D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_1f665d80000_OpenWith.jbxd

Similarity

API ID: AllocateHeap$BoundaryDeleteDescriptor
String ID: l
API String ID: 2279964584-2517025534
Opcode ID: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction ID: ab3d3daedbf78520becf6715b6bd08b6073b5bf7b7f64d5ab14cc96a4b0f0932
Opcode Fuzzy Hash: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction Fuzzy Hash: B0A1F1316186595AE729AA2C88837FE77D1FBD5310F20167EE4CBC32C3E924DD468686

Function 00007DF421893178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF4218931FA
VirtualProtect.KERNELBASE ref: 00007DF421893224

Strings

, xrefs: 00007DF4218931DB

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 45ee73fde44b844a7982fd6fa2bb9a274e67d6e904138dbe31d6ae3e461be495
Instruction ID: 367a69104559c4b46e80f94264a1b244cc2b60130d1c0cbfeee853616ab18060
Opcode Fuzzy Hash: 45ee73fde44b844a7982fd6fa2bb9a274e67d6e904138dbe31d6ae3e461be495
Instruction Fuzzy Hash: D9115931A08C9A1BE718A768EC946B773F0FBC4311F544176E85BC32E0DA1CE852C785

Function 00007DF4218972D0 Relevance: 5.2, APIs: 3, Instructions: 746COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF421884BE4: _malloc_dbg.MSVCRT ref: 00007DF421884C0D

_calloc_dbg.MSVCRT ref: 00007DF421897551
??3@YAXPEAX@Z.MSVCRT ref: 00007DF4218975BD
??3@YAXPEAX@Z.MSVCRT ref: 00007DF421897AB3

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@$_calloc_dbg_malloc_dbg
String ID:
API String ID: 3423559903-0
Opcode ID: 6cebd9367394abf21773eb1584d65681aa51e4210b0eb886ea29ebe4f46530e1
Instruction ID: 9d2c49c115992e4282ff6a540ac0df78824d20530ceb8597dbec5bc75800a5c6
Opcode Fuzzy Hash: 6cebd9367394abf21773eb1584d65681aa51e4210b0eb886ea29ebe4f46530e1
Instruction Fuzzy Hash: 51421D31518E489FEB95EF28D8C9AAAB7E1FB98300F104A2AD45FC7251DB34A545CB81

Function 00007DF421884BE4 Relevance: 4.6, APIs: 3, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007DF421884C0D
_malloc_dbg.MSVCRT ref: 00007DF421884C6C
??3@YAXPEAX@Z.MSVCRT ref: 00007DF421884CD0

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg$??3@
String ID:
API String ID: 2216462316-0
Opcode ID: f833b09acc7dcda6218a08ced81fc052c99920b07a41f041528abf3627ace0e1
Instruction ID: 57e9ba68f2a4e18469a4c98be4bc3329781083e0261b36114588390415665c03
Opcode Fuzzy Hash: f833b09acc7dcda6218a08ced81fc052c99920b07a41f041528abf3627ace0e1
Instruction Fuzzy Hash: 57317131608A0D6FAB58EE64DC85A76B3E5FF90390701423AD41BC6591EF74F85187C1

Function 00007DF4218D3C98 Relevance: 4.6, APIs: 3, Instructions: 117COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007DF4218D3CC4
CreateIoCompletionPort.KERNELBASE ref: 00007DF4218D3CFA
SetFileCompletionNotificationModes.KERNEL32 ref: 00007DF4218D3D40

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPortioctlsocket
String ID:
API String ID: 1455841399-0
Opcode ID: b0ef64daf23010be4df91d754ff29401ba7eeb6e21b37df906d22bfb74ec9eab
Instruction ID: 4917041bf6e07e963e43226c923fcbff43ff2bc70e561cad6733882da0973339
Opcode Fuzzy Hash: b0ef64daf23010be4df91d754ff29401ba7eeb6e21b37df906d22bfb74ec9eab
Instruction Fuzzy Hash: 5C31A27060CB985BFBA89B389CC563732F5FF95315F50007AEC0FD2192DA2AEC418A91

Function 00007DF4218995F8 Relevance: 3.4, APIs: 2, Instructions: 397COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4218AAF60: NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,00000000,?,?,00000000,00007DF42189341C), ref: 00007DF4218AAF8A

CreateFileMappingW.KERNELBASE ref: 00007DF4218998AE
_calloc_dbg.MSVCRT ref: 00007DF4218999E8

Part of subcall function 00007DF421899478: CreateFileW.KERNELBASE ref: 00007DF4218994D0

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: CreateFile$AcceptConnectMappingPort_calloc_dbg
String ID:
API String ID: 3868319652-0
Opcode ID: d1b445dc56701135788b0dc920e68535db059dd4faca11d9a453a424e093dfee
Instruction ID: 2b31e26b8ac075e2c09a6085c48f7fb8e012bcedb06ccc159202e036878b4f22
Opcode Fuzzy Hash: d1b445dc56701135788b0dc920e68535db059dd4faca11d9a453a424e093dfee
Instruction Fuzzy Hash: 27D14E71A1CB889BD765EF28D8856ABB7E1FF94300F14453EE48FC2291DF34A5058B86

Function 00007DF421884774 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007DF42188494C
??3@YAXPEAX@Z.MSVCRT ref: 00007DF4218849F3

Part of subcall function 00007DF421884620: _malloc_dbg.MSVCRT ref: 00007DF4218846EF

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg$??3@
String ID:
API String ID: 2216462316-0
Opcode ID: 352f2f2cecbb3e27f866ef48949e4e4dcfd5ee98b9eced5f0af6e5ea8a5601e0
Instruction ID: 16ad07965c4c074274bce08fa4352359e213b5db57f2b454fba8a96fb3733b4e
Opcode Fuzzy Hash: 352f2f2cecbb3e27f866ef48949e4e4dcfd5ee98b9eced5f0af6e5ea8a5601e0
Instruction Fuzzy Hash: EA71AF31A1C9D85AE339A7189CD56EBB2E1FFD5341F50467FE08FC2183DD38A9498682

Function 00007DF4218ADDA4 Relevance: 3.2, APIs: 2, Instructions: 238fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4218ADADC: _malloc_dbg.MSVCRT ref: 00007DF4218ADAE6

CreateFileW.KERNELBASE ref: 00007DF4218ADEBA
ReadFile.KERNELBASE ref: 00007DF4218ADFA2

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: File$CreateRead_malloc_dbg
String ID:
API String ID: 2554620077-0
Opcode ID: b879bc7b5dc6143657be184a8553957d82cf9a437ba6bdf4bbb2c4680e42a6eb
Instruction ID: 32059aee2c60bd7f4efb37e8eabfaca51860500356be3dac3ed187d883952e59
Opcode Fuzzy Hash: b879bc7b5dc6143657be184a8553957d82cf9a437ba6bdf4bbb2c4680e42a6eb
Instruction Fuzzy Hash: 88716371618B844FD7589F1898C576AB6E1FFD8301F500A3FE5CFC3292EE79A8458642

Function 00007DF421899478 Relevance: 3.2, APIs: 2, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007DF4218994D0
ReadFile.KERNELBASE ref: 00007DF421899585

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 73db5555d885fd7ea61d85234132b183eb459049274d5711c35081ec0b7aef7a
Instruction ID: c608e45405a51a9e1215cc5f3cac443792e4dc294b19440fc4b2fa7589d7ec37
Opcode Fuzzy Hash: 73db5555d885fd7ea61d85234132b183eb459049274d5711c35081ec0b7aef7a
Instruction Fuzzy Hash: BD417F716086884FEB58EF289CC566B77E9FBD9701F10453EE98FC3291EE24D8418786

Function 00007DF42189CC5C Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4218AACC8: NtAcceptConnectPort.NTDLL ref: 00007DF4218AACD8

_malloc_dbg.MSVCRT ref: 00007DF42189CD0D
??3@YAXPEAX@Z.MSVCRT ref: 00007DF42189CD94

Part of subcall function 00007DF4218A3848: _malloc_dbg.MSVCRT(?,?,?,?,?,FFFFFFFF,-00000001,-00000002,-00000001,00007DF4218C2CFA), ref: 00007DF4218A3867

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg$??3@AcceptConnectPort
String ID:
API String ID: 82011185-0
Opcode ID: 694a03a6a0a341675988201f7685504af8169e7f1b53cb1e5f9007a100a90dea
Instruction ID: 9e07c4a4bb69f35c6fe1a30247fddded5c9f3ecb4fa4c6ad6ab72afcac3645d3
Opcode Fuzzy Hash: 694a03a6a0a341675988201f7685504af8169e7f1b53cb1e5f9007a100a90dea
Instruction Fuzzy Hash: F1412B71508A4C8FEB54EF19D8C5AA677E5FF98311F00057AE84EC7292DB34E985CB82

Function 00007DF4218AD974 Relevance: 3.1, APIs: 2, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007DF4218AD9AB
ReadFile.KERNELBASE ref: 00007DF4218AD9E1

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 6dcf9cfff2eacf5cd94369649f002897bcffdea66228e64647734ab7a70026dd
Instruction ID: 018c7a6dad6bb9b8c556769ac709774cd59a991eaf5cf609e3c5e16f1061034d
Opcode Fuzzy Hash: 6dcf9cfff2eacf5cd94369649f002897bcffdea66228e64647734ab7a70026dd
Instruction Fuzzy Hash: 5621C47070C7485FE7689E59ACC627B73E5EBC9711F10023FE98FC2242EE75A8064686

Function 00007DF421882980 Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF4218829BF
VirtualProtect.KERNELBASE ref: 00007DF421882A25

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e54d32ce24f4b710544f648fa16c64d8d7f0589b34fc61474f65512f49413183
Instruction ID: 600987e0b944acf96462405b32b311ee825fbd30c747401d888a0bdd8eb20064
Opcode Fuzzy Hash: e54d32ce24f4b710544f648fa16c64d8d7f0589b34fc61474f65512f49413183
Instruction Fuzzy Hash: 1E31E52060CA894BE7149B6C9CD87667BD1EF99350F1602B6E88EC72C6CB589C42C382

Function 00007DF42197ABFC Relevance: 3.1, APIs: 2, Instructions: 89COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF42197AC91
??3@YAXPEAX@Z.MSVCRT ref: 00007DF42197AC9C

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction ID: 6cb86869c840f45b480f4e0488377137ac8bc3ccbf12f6c6c54f13390cc1126d
Opcode Fuzzy Hash: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction Fuzzy Hash: A8212FB0E088586FDF98EB1CC8C495977A2EFD831576D02B2D81ACB199D625EC81C780

Function 00007DF42189CA08 Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF42189D046), ref: 00007DF42189CA30

Part of subcall function 00007DF4218ABCC0: RtlDosPathNameToNtPathName_U.NTDLL ref: 00007DF4218ABD18
Part of subcall function 00007DF4218ABCC0: NtAcceptConnectPort.NTDLL ref: 00007DF4218ABD8F

??3@YAXPEAX@Z.MSVCRT ref: 00007DF42189CA66

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Path$??3@AcceptConnectNameName_Port_calloc_dbg
String ID:
API String ID: 494811334-0
Opcode ID: 1c81860f17a6367f43a2a94f10a5d32e0a9fa92ddff0a1d18b0803ced88c0a31
Instruction ID: 77b6461aba8761bf9d20ee185b586929c99f888ac7d610a458b2c87d77ab3d4b
Opcode Fuzzy Hash: 1c81860f17a6367f43a2a94f10a5d32e0a9fa92ddff0a1d18b0803ced88c0a31
Instruction Fuzzy Hash: 6AF02831214D0C4FD758AB1C9CC8AB637E1EB94726714463BE00BC3360DE79DD408780

Function 000001F6643819A0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 000001F6643819AD
VirtualFree.KERNELBASE ref: 000001F6643819E5

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: ExceptionFreeHandlerRemoveVectoredVirtual
String ID:
API String ID: 3082376348-0
Opcode ID: 68a2bebb63dec11ebeb4fbf40c1c95563ebbd08489d40e2effbc7ec76ba53b27
Instruction ID: 02026bc356e89282f3c942f81462682de7a9386523a97217c89960ec493d73b7
Opcode Fuzzy Hash: 68a2bebb63dec11ebeb4fbf40c1c95563ebbd08489d40e2effbc7ec76ba53b27
Instruction Fuzzy Hash: 80F03A31214A098FDF9CEF95C8D5EF137A4EB28301F0401B9CC0ACB15ADA21E885C791

Function 00007DF4218A6720 Relevance: 2.4, APIs: 1, Instructions: 947COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007DF4218A6956

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _calloc_dbg
String ID:
API String ID: 1170608187-0
Opcode ID: 4c67779dd63165b43659fab8fd510d9b574d13d676e16a29e3859926c8de3004
Instruction ID: 2e77f6c2954b3fafc5dc254a135aa084aef511de3f35319ef0bc16eff7b9569f
Opcode Fuzzy Hash: 4c67779dd63165b43659fab8fd510d9b574d13d676e16a29e3859926c8de3004
Instruction Fuzzy Hash: 8572523051CA889BDB69EB18C8D5ADEB3E1FFD4300F50466EE48F83296DE34E5458786

Function 00007DF4218A8F84 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF4218A93FA

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 2b200ceb4e4cc9f035faf7b6c1b247c7413155f6bad845cc72cf0ce4a6dd00dc
Instruction ID: f8ed0b99ab0be99488c7011ce1fb6598d2a9018693b8e51bc1eba1975a4fd70d
Opcode Fuzzy Hash: 2b200ceb4e4cc9f035faf7b6c1b247c7413155f6bad845cc72cf0ce4a6dd00dc
Instruction Fuzzy Hash: 04D13D31A1CB885BEB65EF2888D56EB73F1FFD4340F50153BD44FC2192EA78A9458682

Function 00007DF42189913C Relevance: 1.8, APIs: 1, Instructions: 316COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 00007DF421899372

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 090a60165b6d81dbbef6ccd1718067ffa9bcceaffdfa6db13320491a5d5642c1
Instruction ID: c1ec2bedeedb6bc9ff8f34ba3a02174760f78d38025e3c1a9df208219c7265b4
Opcode Fuzzy Hash: 090a60165b6d81dbbef6ccd1718067ffa9bcceaffdfa6db13320491a5d5642c1
Instruction Fuzzy Hash: FEA12C3160CA889FDB55EF58C8C5AAAB7F1FB94300F504A7EE04FC7291DA34A945CB85

Function 00007DF421963354 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007DF421963387

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _calloc_dbg
String ID:
API String ID: 1170608187-0
Opcode ID: eb07f6567f13b0bb31f14b250f796744979e63487f4f542db19a2ba65ce8570a
Instruction ID: 36150e177aa22013b754a7ceca6e1e1a97a40d16fa070458ea83428300278600
Opcode Fuzzy Hash: eb07f6567f13b0bb31f14b250f796744979e63487f4f542db19a2ba65ce8570a
Instruction Fuzzy Hash: 65918231A1CAC87BEB59A7589C525AB72E1EFD4348F40453AE41FC3287EE18FE01C695

Function 00007DF4218D4D8C Relevance: 1.8, APIs: 1, Instructions: 281networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007DF4218D4EF2

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 653fe3a6da9e8edf6d7f9aad963387fd79a7ca64ce6bed9a03fbf4fad2203229
Instruction ID: 61bb3539fc355fe00dfa97529dc57498630c906175467e43e98fb57cb044b97f
Opcode Fuzzy Hash: 653fe3a6da9e8edf6d7f9aad963387fd79a7ca64ce6bed9a03fbf4fad2203229
Instruction Fuzzy Hash: 37A19131A18B856FE798DB28C8C86A6B3F0FF95324F50057BD45FC6991DB38E8518B81

Function 00007DF421895DE4 Relevance: 1.8, APIs: 1, Instructions: 266COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007DF421895F85

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _calloc_dbg
String ID:
API String ID: 1170608187-0
Opcode ID: 2479110834a0a50aa720895a2966e0087a87a39eabe9dff41225e0602a7593e9
Instruction ID: 90805f7f4886f380d76c9ba50580d7f421b2ea7ddabbb0df5a71967676c7faef
Opcode Fuzzy Hash: 2479110834a0a50aa720895a2966e0087a87a39eabe9dff41225e0602a7593e9
Instruction Fuzzy Hash: 8581713061CA489FDB58EF18D8C19A6B3E1FF98710F51427AD44BC7696EA34E842CBC5

Function 00007DF4218A5004 Relevance: 1.7, APIs: 1, Instructions: 245registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 00007DF4218A5225

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e8d5d7329d2320a05d82013e26ca3d8c66ee9948d03da3e8e50157f1609a8dd5
Instruction ID: d7197e316cb63c34e868b29da431a2f3cb702cd1ca7363d8d5413594b9b52506
Opcode Fuzzy Hash: e8d5d7329d2320a05d82013e26ca3d8c66ee9948d03da3e8e50157f1609a8dd5
Instruction Fuzzy Hash: 81919D3161DB889FE765EB24C889B9AB7E1FF98301F10492BE58AC3251DB34D544CB42

Function 00007DF4218D4B28 Relevance: 1.7, APIs: 1, Instructions: 227networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32 ref: 00007DF4218D4BDF

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: d8e018eafecf73722f3cfd2108c578dd3fd3213e6426fbbfe5b50f999653df9c
Instruction ID: 8906996e89897d5a08ab117b54a2a2e9b53e3ebcdec3bfac80b267b674734290
Opcode Fuzzy Hash: d8e018eafecf73722f3cfd2108c578dd3fd3213e6426fbbfe5b50f999653df9c
Instruction Fuzzy Hash: 8C815A70608B499FEB98DF28C8887A6B7E0FF94314F10467AD44EC7A91DB35E854CB81

Function 00007DF421895960 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 00007DF421895B1D

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 458a1419ed12d8a3c2e86420f2914f8409b820493848f008ec8053e1bf8f0b77
Instruction ID: 05517699b928691bd64d9543f2999ee40ea0243be67719ecbae3e00cdce5f0e9
Opcode Fuzzy Hash: 458a1419ed12d8a3c2e86420f2914f8409b820493848f008ec8053e1bf8f0b77
Instruction Fuzzy Hash: 63614B7150C7889BE765EF64D8D56EBB7E1FB98300F400A2EE08BC2191DE39A545CB46

Function 00007DF42189D698 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007DF42189D703

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _calloc_dbg
String ID:
API String ID: 1170608187-0
Opcode ID: 432e0892bdd6e9e5754dca25717e4c9921a6f544cc56197876346fab22609208
Instruction ID: 55da3f15ce6f1624be2bc9917bfca8942962dd08b72da999ffb2fb341e8a426d
Opcode Fuzzy Hash: 432e0892bdd6e9e5754dca25717e4c9921a6f544cc56197876346fab22609208
Instruction Fuzzy Hash: 6051C33150CE489FDB08EF58D8C59AA77E0FBA8310F04466EE44EC7252DA75F981CB85

Function 00007DF4218AD6FC Relevance: 1.7, APIs: 1, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00007DF4218AD7F5

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e9169745a3f5c8f3addee9eb58fc29d082d9d243fdbbd28d7b824531286ef21a
Instruction ID: ba029921198e9e5a770e7e948c71fcf7bc67f889eecb6eb9b26acc01da738dd0
Opcode Fuzzy Hash: e9169745a3f5c8f3addee9eb58fc29d082d9d243fdbbd28d7b824531286ef21a
Instruction Fuzzy Hash: A7512D3061DB885BE768DB58989576BB7E5FFD4310F000A3FE48AC3191EE78E8018B52

Function 00007DF421895CC3 Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF421895D10

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 903acddc3c2cbd21899d181af60d2020bd4c0d22b9f6ec9809e98e44769c02c6
Instruction ID: 29321a41f6f6ec8f0e8d088489e9ba28cebdb875a7c55474a62900263e955bb9
Opcode Fuzzy Hash: 903acddc3c2cbd21899d181af60d2020bd4c0d22b9f6ec9809e98e44769c02c6
Instruction Fuzzy Hash: 22412031618A489FDB94EF18C8C1AA6B3E1FFD8310F64467AD44EC7296DA35F841CB85

Function 00007DF421897B7C Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4218965E0: VirtualProtect.KERNELBASE ref: 00007DF421896640
Part of subcall function 00007DF4218965E0: VirtualProtect.KERNELBASE ref: 00007DF421896669
Part of subcall function 00007DF4218965E0: VirtualProtect.KERNELBASE ref: 00007DF421896685
Part of subcall function 00007DF4218965E0: VirtualProtect.KERNELBASE ref: 00007DF4218966B0

TlsFree.KERNELBASE(?,?,?,?,?,?,?,00000000,?,?,00000000,00007DF42189341C), ref: 00007DF421897CB7

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual$Free
String ID:
API String ID: 3841229516-0
Opcode ID: 9454607179550a56fcb25c77309fc397396c8818e949c4bf6b88fbdfb1fa50f0
Instruction ID: 5e030d711f00168657515857071568856da5feffe976601b7fe37e4fe869c2f9
Opcode Fuzzy Hash: 9454607179550a56fcb25c77309fc397396c8818e949c4bf6b88fbdfb1fa50f0
Instruction Fuzzy Hash: 5241A330B08A985FEB54EB2898C556A73A1FF89704B004977E41BC7286DE28FC408B96

Function 00007DF421884620 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007DF4218846EF

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg
String ID:
API String ID: 1527718024-0
Opcode ID: c3b5330ba83a094f7bad87bbcfda8b7898b28b22e9f53235a9dbd9f71cfcc7c9
Instruction ID: 91eab42907a5a3a60b0b1d31daab7222bd1e13cc860c563dfa6e4068f78f9c69
Opcode Fuzzy Hash: c3b5330ba83a094f7bad87bbcfda8b7898b28b22e9f53235a9dbd9f71cfcc7c9
Instruction Fuzzy Hash: 45411931A0849C5BEB68EE288CD417B37F1EFC5349715817BD86BCB186DA28E946C790

Function 00007DF421962390 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,000000EE,?,00007DF4219595EF), ref: 00007DF421962482

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: a9683185239d0d4a7a56ce16b1c41f8a860c91c23b889e5507fec3a698ee7d2e
Instruction ID: 28dcef5dec6c8efba66bfb0bbbfb13d16eda5168049fd0ed3d4afc11d67e3ac1
Opcode Fuzzy Hash: a9683185239d0d4a7a56ce16b1c41f8a860c91c23b889e5507fec3a698ee7d2e
Instruction Fuzzy Hash: 5D418F30719E8E6FEA98FB58889476AB6B5FF98744F50007AD50FC3282DE28EC51C750

Function 00007DF42195B260 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT(?,?,?,?,?,?,?,00007DF4218A5770), ref: 00007DF42195B2A6

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _calloc_dbg
String ID:
API String ID: 1170608187-0
Opcode ID: 1510f62e4c51649cb4b3fc6bb3479c9fee78b3cdc066acf53db6694c8fe85d1c
Instruction ID: ffd59b02ac7369363e6d020df3a16f60b1d591e72bafab15eb96a0c53ad4f61f
Opcode Fuzzy Hash: 1510f62e4c51649cb4b3fc6bb3479c9fee78b3cdc066acf53db6694c8fe85d1c
Instruction Fuzzy Hash: A541DB70908A189FDBA1DF1894887D57BE1FB68701F1842BBDC4ECF25ADB749885CB90

Function 00007DF421893320 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF421883DD8: RtlAddFunctionTable.KERNEL32 ref: 00007DF421883E05

SetErrorMode.KERNELBASE ref: 00007DF421893408

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ErrorFunctionModeTable
String ID:
API String ID: 928017140-0
Opcode ID: d9c23544fbb2a9f569b4c70e99ee3ada11af114710c16124923c5dd5b1b488fd
Instruction ID: 562322747aa1f8909445d3987fda64598889664bfa92aa5ba54441f556b0199c
Opcode Fuzzy Hash: d9c23544fbb2a9f569b4c70e99ee3ada11af114710c16124923c5dd5b1b488fd
Instruction Fuzzy Hash: DB318225B189896BEB55FBB89CC256B72E1FFD4310B40053AE80FC33D2D918ED468789

Function 00007DF4218D52D0 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007DF4218D5344

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 5ecb9aca37cfa74a852660f22e24977ddf5ffe3d9d8c212dab6545ea967c75f3
Instruction ID: e250fd2e842d2c68959619370e25025f273c9156027d4689209d6a23efecb3c0
Opcode Fuzzy Hash: 5ecb9aca37cfa74a852660f22e24977ddf5ffe3d9d8c212dab6545ea967c75f3
Instruction Fuzzy Hash: AC31D770904B459FEB98DF28D4C8B6177E1FB55325F1002BAD85ACA2E6DB749881CB40

Function 000001F66438185C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessMitigationPolicy.KERNELBASE ref: 000001F66438192F

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 04359cd7b97b11c476e8c0617afcaa098c35e265ec660168a6fbd24c0647ca60
Instruction ID: ab96137dffae4b44733e3f11cd4a997dbd2539f6f367b43fe75d2b31b67450a1
Opcode Fuzzy Hash: 04359cd7b97b11c476e8c0617afcaa098c35e265ec660168a6fbd24c0647ca60
Instruction Fuzzy Hash: 4F31AD30200A0B5EEF65976A88847F1F7D6EB943B1F1801FAC026DA1D9DA71DA81D780

Function 00007DF4218A3848 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT(?,?,?,?,?,FFFFFFFF,-00000001,-00000002,-00000001,00007DF4218C2CFA), ref: 00007DF4218A3867

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg
String ID:
API String ID: 1527718024-0
Opcode ID: aa4f1f029a65678ad9f3ad1f83a567308f2cd0838b93955c777e9bc3ae762b5b
Instruction ID: 730c357e63922cffdbbe19bae7f36769a2dfa8cf767c8155e689a20530bce77e
Opcode Fuzzy Hash: aa4f1f029a65678ad9f3ad1f83a567308f2cd0838b93955c777e9bc3ae762b5b
Instruction Fuzzy Hash: D2219031614D1C8FDB59EF1DDC8C7A277E1EBA831171442BBDC0ACB265DA35E8848791

Function 00007DF4218A6654 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF4218A6711

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 300bfe15e1352cda4c3c9a5eb26de8ea91f06f6889c64728d4398b9a5c111e42
Instruction ID: 31a9bdd9798484a1fba328cdb643b0d1d8f76fcf5107b89765a2baad9ead4a7c
Opcode Fuzzy Hash: 300bfe15e1352cda4c3c9a5eb26de8ea91f06f6889c64728d4398b9a5c111e42
Instruction Fuzzy Hash: 7C214C31609A0D9FDF84EF28D849AAA77E4FF94315F00462AE84ED3251DB38E941CB90

Function 000001F665D85394 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001F665D853E5

Memory Dump Source

Source File: 00000011.00000003.1431623286.000001F665D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F665D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_1f665d80000_OpenWith.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction ID: f81c0bc02ca9947da621fb800472eb9a02c1b6ef061d230d122a3ef033bfb11a
Opcode Fuzzy Hash: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction Fuzzy Hash: C8018F70610E06BBE7689B38D889775B3E1FB98321F040679E41AC32C1DB64EC91C785

Function 00007DF421882910 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007DF421882948

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a1e79bfd5fdfa4d599be838d72d64bf9e685b5698f2b0b05ab8498b458f49234
Instruction ID: 153b57195e99aef13bbe2fb880886659daaef3649a3ca9a046bd21a50fd61304
Opcode Fuzzy Hash: a1e79bfd5fdfa4d599be838d72d64bf9e685b5698f2b0b05ab8498b458f49234
Instruction Fuzzy Hash: BD01A231A1491D9FEB94AB69DC8863633E6EF89391B050076E80EC7154DA39AC42C781

Function 00007DF42189BAB4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF42189D0B5), ref: 00007DF42189BAFB

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 75680fa04e19e4440b4640af9aa4d4391f4b0436c9268b337d289e293cb6ea92
Instruction ID: 062b8c6bbbbf039b09b88736903e38959c7efe39c43ec019c9c5816e59355b70
Opcode Fuzzy Hash: 75680fa04e19e4440b4640af9aa4d4391f4b0436c9268b337d289e293cb6ea92
Instruction Fuzzy Hash: 5A01F63020894C9FDF94EB1CD8D8E6573E5EBA8310B1805AAD40ECB295CA65EC828B40

Function 00007DF4218E02AC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,00000000,00000000), ref: 00007DF4218E02F2

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e005b8aad8ae59e5c4306d33e7cf4f806ca0153c9240256dc9db618efce1777c
Instruction ID: 39e25d8ef76eb03e877d25f234bf20bc2723a0623359c875b3e71eca470b75ba
Opcode Fuzzy Hash: e005b8aad8ae59e5c4306d33e7cf4f806ca0153c9240256dc9db618efce1777c
Instruction Fuzzy Hash: B3F0123061BA0E9BFF6CABA59CD866B37B1EF54306B04143FEC0BD15A0CA6D9854D721

Function 00007DF421882BB0 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE ref: 00007DF421882BF6

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: e8b38785987ebe4bf97a71b2e294a612045f12fa57e0274daf3e7e500e703184
Instruction ID: f8c4c9f093e2052e2089e5811f2ad75a4e36a316905ef8dc4ae9c78b4e64a601
Opcode Fuzzy Hash: e8b38785987ebe4bf97a71b2e294a612045f12fa57e0274daf3e7e500e703184
Instruction Fuzzy Hash: 58013C70A096599FEB54EF69BCC612676B2FB98351B45413FE00EC79A0CA386880CB52

Function 00007DF421882B5C Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00007DF421882B7C

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f6a5c260a6ff26826b95901847e0f94daf167b208f970919ab6999429e88efbf
Instruction ID: f77b0c661c86c23ca736650f39affce40138a657e0402c5051f79c98ddfec3aa
Opcode Fuzzy Hash: f6a5c260a6ff26826b95901847e0f94daf167b208f970919ab6999429e88efbf
Instruction Fuzzy Hash: 47F0A061B1A2899BE720AF755CC112A61A3EBC8352F56457BE80BCA185EC399C81C642

Function 00007DF421893088 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetProcAddressForCaller.KERNELBASE ref: 00007DF4218930AF

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: c2543c20c0a7d110227d86949c13dfaa5e54e54e664fb098b1aa0bdcf88303a9
Instruction ID: a1648d05b8b3346407fb29ca77d689e6c5c141ae9d016b5c5f12899026c4f600
Opcode Fuzzy Hash: c2543c20c0a7d110227d86949c13dfaa5e54e54e664fb098b1aa0bdcf88303a9
Instruction Fuzzy Hash: 1FE0C211B18C0D1B6B6862BE288CA7751D6CBDC272304027BE81EC3295EC14CC850380

Function 00007DF4218A5644 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007DF4218A568F

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ddedd6023ad442b8d2b2fe3290ed3783bcd232237776f9c3a295af58d00cf6c3
Instruction ID: 53b4a0a4e79a57d982f23c7299dac81dde3efb18230a53ce4c242909a5e868da
Opcode Fuzzy Hash: ddedd6023ad442b8d2b2fe3290ed3783bcd232237776f9c3a295af58d00cf6c3
Instruction Fuzzy Hash: 2CF08C74204A048FEB48EF5CC88876677E2FFE8325F10016AE90EC72E4DB369989C741

Function 00007DF4218AD8E4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007DF4218AD909

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 23f3765db31a0df280e37a6bc4f8137308a1fee0486dc2818908f898aea27d2f
Instruction ID: c076b59af0e72806b2472201f695b54bc63e28b6ed3703abb36710452691a838
Opcode Fuzzy Hash: 23f3765db31a0df280e37a6bc4f8137308a1fee0486dc2818908f898aea27d2f
Instruction Fuzzy Hash: ADE0C232B150240BF72C6ABD2C8917A36DAC7CC572705423BF80AC3284ED7C8C4602D1

Function 00007DF4218ADADC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007DF4218ADAE6

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg
String ID:
API String ID: 1527718024-0
Opcode ID: 4c39f900df3972edeb9c523e4745635d2babc99cae264e1317ea5b764d4d565e
Instruction ID: b3f8b73e5ffe4c4d6b320fefc4d6c696f52aaa585e05b47bbf551173c06b8065
Opcode Fuzzy Hash: 4c39f900df3972edeb9c523e4745635d2babc99cae264e1317ea5b764d4d565e
Instruction Fuzzy Hash: A3D05E11B15D0D1BAB58A27E1C8A12621D6DBD81227440637B80AC2260ED29CC468250

Function 00007DF421883DD8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF421883E05

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: 3b09555bf32cd7a482aca5e21dc4f37ab037edd0c1b9afc7390cc3b8e22e33b4
Instruction ID: 8f298b0b77637895e5a29f132455ede913bb4f06b5e4a3f4575adf6f3fd3137b
Opcode Fuzzy Hash: 3b09555bf32cd7a482aca5e21dc4f37ab037edd0c1b9afc7390cc3b8e22e33b4
Instruction Fuzzy Hash: 4EE04F305519095BEBA8E61DC8493513AE0FB98306F64427DD805C96D1CB39D89BCF81

Function 00007DF42189305C Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00007DF42189307E

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: d2d5b14ed622bd10ab8a5ccb37e25b8514a013ff251dbc888e29767cfd00138f
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: F4D0A710725D0D2BEB48633D1CD472721D5EBDC261F54013BF80EC2281DD59CC550301

Function 00007DF421909F04 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,00007DF42191B7C7,?,?,?,?,00000000,00000000), ref: 00007DF421909F21

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d72fac8d1d1b7f96bb5fe0759d88f2d5c6e0343dfc4f10e03c2c9322f33a3d86
Instruction ID: a1c45f944dda750156d012dfaa21513b7f3e3a821da8921c28725f772828e96b
Opcode Fuzzy Hash: d72fac8d1d1b7f96bb5fe0759d88f2d5c6e0343dfc4f10e03c2c9322f33a3d86
Instruction Fuzzy Hash: 23E04F319188594BF30DF734DCD58E73671EBA4700F914632D807810A2ED3C6659C681

Function 00007DF421883EB4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF421883ECA

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f40fb4788220d337bb008d16cea7b0a0ee6a5daf6a138a5e0a6bf71422f7da42
Instruction ID: c6c55f136108f8f7504559c28296e1478b47616a70f148d1396e8c3fe9f31c3d
Opcode Fuzzy Hash: f40fb4788220d337bb008d16cea7b0a0ee6a5daf6a138a5e0a6bf71422f7da42
Instruction Fuzzy Hash: 21D05E34706E4E4BFF9CA6AA88EC53622A1EF98202708107DD80BC1DE1CA59D8409301

Function 00007DF42188FBE8 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007DF42188FBEE

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: _malloc_dbg
String ID:
API String ID: 1527718024-0
Opcode ID: 7aac0fcb7c972547ff5d390886f6270a0f974cec2218a33fb889b5e6a18d3d37
Instruction ID: 6fdd316cdcabbe8dcdd030b0dc2773f75ce6532b8b6cd0f25e3062a793cd47b1
Opcode Fuzzy Hash: 7aac0fcb7c972547ff5d390886f6270a0f974cec2218a33fb889b5e6a18d3d37
Instruction Fuzzy Hash: FFD01260A0680A0BBB9076FB1CCE13929A8DB682027000022E819C0260EA08C9A4E3A2

Function 00007DF421884A20 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF421884A29

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 551c0ffc82b28a3876ee79cfc9de3840c8837f1e4274ad0e5daf9a8a7b3ff23c
Instruction ID: ce73bb61f9965403c20b41c9d7dcb3e438ae0187149ca172b124bef6df8f2bb1
Opcode Fuzzy Hash: 551c0ffc82b28a3876ee79cfc9de3840c8837f1e4274ad0e5daf9a8a7b3ff23c
Instruction Fuzzy Hash: 15B01224D27C4F12ED4C33770E991293660AF58202FC40025E806C4858E54CC494A346

Function 00007DF421895BBC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF421895BC5

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: b7031c71d370f0c4b9d1add862bc0dfec61c612abdfff09cb5e9d61695c69b58
Instruction ID: a5356095c1e1a37d0c2f3a8994a8d6e821e55e7e3c52aa9368b769787605e466
Opcode Fuzzy Hash: b7031c71d370f0c4b9d1add862bc0dfec61c612abdfff09cb5e9d61695c69b58
Instruction Fuzzy Hash: 02B0123489BD4B52FD0C337A4DF915939A0BF54201FC50036D806C0150E60EC09A47DA

Function 00007DF421892E18 Relevance: 1.3, APIs: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 00007DF421892E40

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: dd3043cd4fdbf6ce1bec2523c8a3e90b76413ae5d3024df9cc9149889a1f6f13
Instruction ID: 8b0a3dd2c0337c8a9d0c4f8ac63d94c0d81101f5114dcca953d7499ebbbcbbd3
Opcode Fuzzy Hash: dd3043cd4fdbf6ce1bec2523c8a3e90b76413ae5d3024df9cc9149889a1f6f13
Instruction Fuzzy Hash: 9C119A31B145497BE7599B789CD92BB36E2FFD4200B440236D80BC61A6EF289D448744

Function 00007DF4218824F4 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007DF42188254E

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 85f62002f11eda201487085593c698b0135f5f3e41b5990a1ae8dfcda2a01f33
Instruction ID: 68e13d6cc7c42ff1e043b8e5d6c64f08a68e6b8f2b474f7842b5117ce199fded
Opcode Fuzzy Hash: 85f62002f11eda201487085593c698b0135f5f3e41b5990a1ae8dfcda2a01f33
Instruction Fuzzy Hash: 98016730A58D4D5BE798DB2C8C9422132E2FB98355755817AE00FC62E4EA29DC42C712

Non-executed Functions

Function 00007DF4218AE261 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000003.1740346650.00007DF421881000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF421881000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_7df421881000_OpenWith.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f5df41ea43a57528ce76f95f617c5d60ae02f95908509022172248d9e28bd8
Instruction ID: 317b8491c6c81d94af8fc2b3a06f72133790875556e8c436f9feff669d1d81d5
Opcode Fuzzy Hash: 46f5df41ea43a57528ce76f95f617c5d60ae02f95908509022172248d9e28bd8
Instruction Fuzzy Hash: FFB01130E28808C2C2280E0AF802330F2B0C30B300F00303A2000F3A20C8BACC82008F

Function 000001F664380511 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1740887784.000001F664380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F664380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f664380000_OpenWith.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d522c07823fb8778296108337a3d1ec347010d1dae431256f70b68abef76ec51
Instruction ID: 9c6f723353de5f7bfac1b68b00d860ec9f8fa9508ac40f659eae0282c9a534f1
Opcode Fuzzy Hash: d522c07823fb8778296108337a3d1ec347010d1dae431256f70b68abef76ec51
Instruction Fuzzy Hash: 26B01132E28A0082E3880E0AB8023B0F2B0C30B300F00B0322008F3220C828CC08028F

Analysis Process: MSBuild.exePID: 1196, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	4

Executed Functions

Function 00D48DFF Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.3764474511.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_d40000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4175c125b4782cd8111dc4be8bf4da0f0e8de92404a2fdd0c4f44e1069290
Instruction ID: 00822c76a9429f4441422a8a5aab15d95c7204936bd765f4b1f6b48704e9391a
Opcode Fuzzy Hash: abe4175c125b4782cd8111dc4be8bf4da0f0e8de92404a2fdd0c4f44e1069290
Instruction Fuzzy Hash: E141E171E0438A8FCB14DFA9D8147AEBBF1EF89310F15856AD408E7291DB749845CBE1

Function 00D48ED8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00D48F3F

Memory Dump Source

Source File: 00000019.00000002.3764474511.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_d40000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 478d5d9b72bdb9f2f42195a724577348c1a53393685644660f09f360b5a38dcc
Instruction ID: 58708720b9361873de3e1fd2a9c785c00a747f59164660202f183e876d89eecb
Opcode Fuzzy Hash: 478d5d9b72bdb9f2f42195a724577348c1a53393685644660f09f360b5a38dcc
Instruction Fuzzy Hash: A11120B1C0065A9BDB20DF9AC444BDEFBF4AF48320F14812AE818B7240D778A945CFA1

Analysis Process: wmplayer.exePID: 6000, Parent PID: 7724COMMON

Executed Functions

Function 00007DF4ADB71958 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337nativememoryCOMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007DF4ADB7199B
NtAllocateVirtualMemory.NTDLL ref: 00007DF4ADB71A3A
NtWriteVirtualMemory.NTDLL ref: 00007DF4ADB71A88
NtQueryInformationProcess.NTDLL ref: 00007DF4ADB71AB0
NtReadVirtualMemory.NTDLL ref: 00007DF4ADB71AE0
NtReadVirtualMemory.NTDLL ref: 00007DF4ADB71B13
NtReadVirtualMemory.NTDLL ref: 00007DF4ADB71B42
NtReadVirtualMemory.NTDLL ref: 00007DF4ADB71B76
NtProtectVirtualMemory.NTDLL ref: 00007DF4ADB71BBD
NtProtectVirtualMemory.NTDLL ref: 00007DF4ADB71C44
NtWriteVirtualMemory.NTDLL ref: 00007DF4ADB71C69
NtProtectVirtualMemory.NTDLL ref: 00007DF4ADB71C8D

Strings

H, xrefs: 00007DF4ADB71BF2
H, xrefs: 00007DF4ADB71C15

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: MemoryVirtual$Read$Protect$Write$AllocateInformationProcessQuery_calloc_dbg
String ID: H$H
API String ID: 3959100322-136785262
Opcode ID: 8b723a4ddad616be20f9dda8abf44bc9042e1d61a48c0cd72079f3722cd3507a
Instruction ID: 9772ab89b7813a6017120309538bc158c7eba5a53463929c29607f35e14dca55
Opcode Fuzzy Hash: 8b723a4ddad616be20f9dda8abf44bc9042e1d61a48c0cd72079f3722cd3507a
Instruction Fuzzy Hash: 72B184B060DB888FD764DF58D885A9AB7F5FBD4344F000A2EE58EC3251EB34E5458B86

Function 0000023076702D24 Relevance: 17.0, APIs: 2, Strings: 7, Instructions: 1263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 000002307670386B
_calloc_dbg.MSVCRT ref: 00000230767039C1

Strings

;Ln, xrefs: 00000230767031B4
;$dW, xrefs: 0000023076703D1C
MZ, xrefs: 0000023076703583
N, xrefs: 0000023076703A58
MZ, xrefs: 0000023076703971
;$dW, xrefs: 000002307670352D
t, xrefs: 0000023076703A60

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: CurrentFormatPathUser_calloc_dbg
String ID: ;$dW$;$dW$MZ$MZ$N$t$;Ln
API String ID: 2292065830-84560671
Opcode ID: 1512b8534d4c685afcc9061355cc33150ae67fa718ee72ec55426bd84ba67b64
Instruction ID: 089245b4c89d3120e86c197d792ff3d65f277fee1823cd46e4f25ecfef9271bd
Opcode Fuzzy Hash: 1512b8534d4c685afcc9061355cc33150ae67fa718ee72ec55426bd84ba67b64
Instruction Fuzzy Hash: 87A28DB0518B888FD375DF18D8887EBB7E4FB99711F500A2ED48AC3251DB74A541CB92

Function 00007DF4ADB71CE8 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 296processnativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4ADB71290: RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB712BD

Part of subcall function 00007DF4ADB712C8: VirtualProtect.KERNELBASE ref: 00007DF4ADB712F5

Part of subcall function 00007DF4ADB71438: RegOpenKeyExW.KERNELBASE ref: 00007DF4ADB71497
Part of subcall function 00007DF4ADB71438: RegQueryValueExW.KERNELBASE ref: 00007DF4ADB714E6
Part of subcall function 00007DF4ADB71438: RegCloseKey.KERNELBASE ref: 00007DF4ADB7150C
Part of subcall function 00007DF4ADB71438: GetVolumeInformationW.KERNELBASE ref: 00007DF4ADB71570

_calloc_dbg.MSVCRT ref: 00007DF4ADB71DE3
CreateProcessW.KERNELBASE ref: 00007DF4ADB71F80
NtResumeThread.NTDLL ref: 00007DF4ADB71FA5
FindCloseChangeNotification.KERNELBASE ref: 00007DF4ADB71FBF
??3@YAXPEAX@Z.MSVCRT ref: 00007DF4ADB71FDC

Strings

-, xrefs: 00007DF4ADB71E95

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: Close$??3@ChangeCreateFindFunctionInformationNotificationOpenProcessProtectQueryResumeTableThreadValueVirtualVolume_calloc_dbg
String ID: -
API String ID: 3202447450-2547889144
Opcode ID: 105c85825427e7c8ed203293b96c467a96f9bba36c05be2648f83f100e5bc7da
Instruction ID: 5a24a107154d6932b82a438a428c0a9f8a4f0f9ccedc472a7c8ef417ec4acdfa
Opcode Fuzzy Hash: 105c85825427e7c8ed203293b96c467a96f9bba36c05be2648f83f100e5bc7da
Instruction Fuzzy Hash: 5B91B3B0A0EA894FEB54EB24C9956AB73F1FF94345F40452AD54BC31A1EF78E8018792

Function 00007DF4ADB82704 Relevance: 6.0, APIs: 4, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007DF4ADB82715
??3@YAXPEAX@Z.MSVCRT ref: 00007DF4ADB82727
_malloc_dbg.MSVCRT ref: 00007DF4ADB82731
NtQuerySystemInformation.NTDLL ref: 00007DF4ADB82755

Memory Dump Source

Source File: 0000001A.00000002.3765088712.00007DF4ADB81000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb81000_wmplayer.jbxd

Similarity

API ID: InformationQuerySystem$??3@_malloc_dbg
String ID:
API String ID: 1074928427-0
Opcode ID: eaf85d99e703aa885d9be82610ad3d8d03a394a4204a017367fdf17adc8f3dbe
Instruction ID: 760dcc45763e1483304de3a823aff1aecc653ed6d704cf36ac4561d48a118f05
Opcode Fuzzy Hash: eaf85d99e703aa885d9be82610ad3d8d03a394a4204a017367fdf17adc8f3dbe
Instruction Fuzzy Hash: 4E013134B1A9459FE785EF25DD68B6A77F1FBA4305F440128E40BC21A0DF38D945CB42

Function 00000230766FCDF4 Relevance: 4.6, APIs: 3, Instructions: 110
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 00000230766FCEA7
BindIoCompletionCallback.KERNEL32 ref: 00000230766FCEDE
ConnectNamedPipe.KERNELBASE ref: 00000230766FCEEF

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: NamedPipe$BindCallbackCompletionConnectCreate
String ID:
API String ID: 2502124517-0
Opcode ID: 1f39a579d535edce93b33f8ad890ac1eeea552d42be0d6d7d28d92d913c1a808
Instruction ID: d7716e007f28d46482db4f0c892227484504a1a5aa4b69452fffb4d4e163a579
Opcode Fuzzy Hash: 1f39a579d535edce93b33f8ad890ac1eeea552d42be0d6d7d28d92d913c1a808
Instruction Fuzzy Hash: 9431B370208A488FE7A5EF28D8D8B9AB7E4FB88310F504A29D05BC31D5DF78D945CB81

Function 0000023076702C64 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 0000023076702CBC

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f6b0f352e34b93935ac2a1f97fa2b0892be8d0a68ee0d9962c8f94757f801c03
Instruction ID: bf066a7bc84288b4b3dbed918764fa259ea33b98e8ef460af117582b3b47517d
Opcode Fuzzy Hash: f6b0f352e34b93935ac2a1f97fa2b0892be8d0a68ee0d9962c8f94757f801c03
Instruction Fuzzy Hash: E621C37270494C4FE7509EA888D83ABB2D4E798381F70053EE94AC3250DA28DE44C761

Function 00000230766F2628 Relevance: 3.3, APIs: 2, Instructions: 293
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00000230766F272E
SuspendThread.KERNELBASE ref: 00000230766F2770

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ChangeCloseFindNotificationSuspendThread
String ID:
API String ID: 186804629-0
Opcode ID: ee0b4b29cbf429cf193f7da3647d56e0b1a845656fd74a12addcfb7ee39e090b
Instruction ID: 63a0b2494ff6d9829d05358cd663f01a5f6edb0818f04b51946c4e9ba8abd4da
Opcode Fuzzy Hash: ee0b4b29cbf429cf193f7da3647d56e0b1a845656fd74a12addcfb7ee39e090b
Instruction Fuzzy Hash: 32911730208A098BEB78DB98E8E93B9B3D6FB45310F94415DD05BC7181DA39F942CF91

Function 00007DF4ADB722CC Relevance: 2.0, APIs: 1, Instructions: 450timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4ADB71290: RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB712BD

Part of subcall function 00007DF4ADB712C8: VirtualProtect.KERNELBASE ref: 00007DF4ADB712F5

SetTimer.USER32 ref: 00007DF4ADB72762

Memory Dump Source

Source File: 0000001A.00000002.3764684590.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb71000_wmplayer.jbxd

Similarity

API ID: FunctionProtectTableTimerVirtual
String ID:
API String ID: 2248422592-0
Opcode ID: 907297c01f2e853a7e6e6be3efaf92a15819b9f7a160a726e89f0d05781fa5e1
Instruction ID: 97f79349758dfb63dd7bcd18d87db9611e16dcd9abc0e25f58b4b0938a69c574
Opcode Fuzzy Hash: 907297c01f2e853a7e6e6be3efaf92a15819b9f7a160a726e89f0d05781fa5e1
Instruction Fuzzy Hash: 4BE18270609A488FEB58EF28D9895AA77F1FF98304F14463EE44BC35A1DF38E9458B41

Function 00000230766FC25C Relevance: 1.8, APIs: 1, Instructions: 560memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000230766FC65C

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1463b6e579e83794cd598155eb9e3160b38bf0e3bcb0f61670329aaf0c67c5a2
Instruction ID: 2fd00e9469a0d9a7caa52b9f6b5cd2177eac19b11aec270a95cef180dc534622
Opcode Fuzzy Hash: 1463b6e579e83794cd598155eb9e3160b38bf0e3bcb0f61670329aaf0c67c5a2
Instruction Fuzzy Hash: BBF13A316185680EE73C9B6CA8D62BAB7D1F785301F28466ED4DBC2283D938D647CB91

Function 00000230767029D4 Relevance: 1.8, APIs: 1, Instructions: 260nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000023076702A94

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: f13696e1930880e2e19ebf6412232386b6a4ab7a0f564d2111b2459b68bcc0da
Instruction ID: 118e2607736304dcb5061b5ee16ff20a9b36bca8d84c73fd4a856cbfcb7758b7
Opcode Fuzzy Hash: f13696e1930880e2e19ebf6412232386b6a4ab7a0f564d2111b2459b68bcc0da
Instruction Fuzzy Hash: 8981DA72218B0DCBE775DA94D4E87EBF3D0FB94380F604619E857C3190EA68EA04C671

Function 00000230767027B8 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000023076702807

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: d9381645012d00cf6e7f8dfe8da443d67e907387f0873f85681973196ff3555c
Instruction ID: b1cbb984666889265ebb6ed083bd97891c6b3ff4d60a26f6aaad372476a4765d
Opcode Fuzzy Hash: d9381645012d00cf6e7f8dfe8da443d67e907387f0873f85681973196ff3555c
Instruction Fuzzy Hash: F9F0DA74A18B488FDBA4EF2CD4C9B9AB7E0FB99300F504519E84CC3245DB34E8848B86

Function 0000023076702990 Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00000230767029BA

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 98d03459468cdcd74854b97b597847e55f0ea75636d4913b4c299d0c762e3800
Instruction ID: 1c5ff5546ae45f2ccb9f69a9e2d62bc5dcf26cb5ed29a0ec496e10f14054b19f
Opcode Fuzzy Hash: 98d03459468cdcd74854b97b597847e55f0ea75636d4913b4c299d0c762e3800
Instruction Fuzzy Hash: A4E09271218A088FDB00DF98CCC59AAF3E4E7D9300F404D6AE89BC6164D264E648CAA2

Function 000002307670288C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00000230767028A7

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1d483c746a178fd7cebb358bd60c8d391381be698edd62c71eedc0381d53c554
Instruction ID: 97090545484e28298aa0439c8f36007ebb6b91b509c14616adf7f4e6f581f1b1
Opcode Fuzzy Hash: 1d483c746a178fd7cebb358bd60c8d391381be698edd62c71eedc0381d53c554
Instruction Fuzzy Hash: AED0A739A28B4D4FEA50B768898030777D1F7D5308F9046089849C3294D62DE50083D2

Function 00000230767028B8 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00000230767028D9

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: bd75e34d41d0a0c218f00c4b384fa59cf13494ae4b0fc6bee219bc2a66024f0a
Instruction ID: b5b7de5d584b02812ee3cb82fb95bca9809fd871dc626ec6c68c638940b741a7
Opcode Fuzzy Hash: bd75e34d41d0a0c218f00c4b384fa59cf13494ae4b0fc6bee219bc2a66024f0a
Instruction Fuzzy Hash: 47D05B39D587499BD710FB68C88460A7BE1FBD9358F644618E88583354E33CE541C796

Function 000002307670252C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 000002307670254D

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 27a0ab9b8b81d19b55a36d5b88940b5d877d47714e961321c564cf766a84aa8c
Instruction ID: 72d5a1217ea6a5d1ba425ca17f4850963eaa1fd46165d02f3ace7402083e2f04
Opcode Fuzzy Hash: 27a0ab9b8b81d19b55a36d5b88940b5d877d47714e961321c564cf766a84aa8c
Instruction Fuzzy Hash: 83D01238A187498BD710AB68899560A7BE1B7C9354F544658F85983314E23CE581C69A

Function 0000023076702418 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000023076702428

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 2134b33d09b848e70ba1f23de37cfdd97cd4e92c7083e33fbb9b34bfa8345c36
Instruction ID: c93df5b3d8cec258d22705d019447b47e8ceda16784baa2171eaca464f87b8c2
Opcode Fuzzy Hash: 2134b33d09b848e70ba1f23de37cfdd97cd4e92c7083e33fbb9b34bfa8345c36
Instruction Fuzzy Hash: E8C08C20A1880F2AE91562FA8CD474A2080A78A3C0FC00000B81AC2180F40CEEC483B6

Function 00000230767028E8 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,?,00000230766F531B), ref: 00000230767028F8

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 14fbc5d4ea2d13eb613c5f0cfb1986910ad3174e43fd425e2ce4bb45159b65c3
Instruction ID: 3c9b30717a3757e6ad1c99cd4c5f1dddcaa5a857bcf1527ebe53d7042f2ac896
Opcode Fuzzy Hash: 14fbc5d4ea2d13eb613c5f0cfb1986910ad3174e43fd425e2ce4bb45159b65c3
Instruction Fuzzy Hash: 91C04C25629D0E5EE954A2E94DD57596290A759394F840400982AD2180E90DE6D493B6

Function 0000023076707DA0 Relevance: 7.6, APIs: 5, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000023076707DA9
WSAStartup.WS2_32 ref: 000002307670B1DC
socket.WS2_32 ref: 000002307670B24B
getsockopt.WS2_32 ref: 000002307670B27F
socket.WS2_32 ref: 000002307670B2B4

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: socket$ErrorModeStartupgetsockopt
String ID:
API String ID: 2955919026-0
Opcode ID: 3bad8950bc8ed42d49e75fcab8a12e6def80f6fb96da2e8da31b13afe45452c3
Instruction ID: 77359e9461c4e1454e1deecbb3445e9e6a9f2df2d0f8647f95c175b9c7c9a3f8
Opcode Fuzzy Hash: 3bad8950bc8ed42d49e75fcab8a12e6def80f6fb96da2e8da31b13afe45452c3
Instruction Fuzzy Hash: 25417530618A498FE759EF28D89C6AAB7E5FB98300F504A3DE04BC33A1DF789515CB51

Function 00007DF4ADB71438 Relevance: 6.1, APIs: 4, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 00007DF4ADB71497
RegQueryValueExW.KERNELBASE ref: 00007DF4ADB714E6
RegCloseKey.KERNELBASE ref: 00007DF4ADB7150C
GetVolumeInformationW.KERNELBASE ref: 00007DF4ADB71570

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: CloseInformationOpenQueryValueVolume
String ID:
API String ID: 4069062851-0
Opcode ID: 3ebb744f0aebbecadcf06631c3d65907a1788fb7df7ced3004579ef494ef68f9
Instruction ID: 806b8b519a5f0cf83d001a7ff39748ce37bc9385911f73f7fbecf5647249e2fe
Opcode Fuzzy Hash: 3ebb744f0aebbecadcf06631c3d65907a1788fb7df7ced3004579ef494ef68f9
Instruction Fuzzy Hash: 9A412B7051DA488BE759EB24C899BDBB3F1FB94305F404A2EE48BC3191EF78D5048B42

Function 00000230766FDFC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000230766FE047
VirtualProtect.KERNELBASE ref: 00000230766FE070

Strings

rE\, xrefs: 00000230766FDFDC

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ProtectVirtual
String ID: rE\
API String ID: 544645111-988334199
Opcode ID: fd197d1d460a7a7097ebc69198cfe8898b84731961e3c45740b5833891c72836
Instruction ID: ab4e9cb8e49053c15a87e7ddecd5d185a396d1d056353220ce004fb49acf8da4
Opcode Fuzzy Hash: fd197d1d460a7a7097ebc69198cfe8898b84731961e3c45740b5833891c72836
Instruction Fuzzy Hash: 9F11AE3130490C0FEB55F798E8D5BE9B2D6F7D4300F505529940BC3285DE2CDE458791

Function 00000230766FBBF0 Relevance: 4.6, APIs: 3, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingW.KERNELBASE ref: 00000230766FBC4C
MapViewOfFile.KERNELBASE ref: 00000230766FBC6E
FindCloseChangeNotification.KERNELBASE ref: 00000230766FBCE6

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: File$ChangeCloseFindMappingNotificationOpenView
String ID:
API String ID: 1008110341-0
Opcode ID: 8bb8605ac1c349b7ed951fd2da0efd1c73228fe5391c7a5f19e2fcd3618d3200
Instruction ID: 7d34ff7238cc63d58fb47a3e8cb012c368266810743e72f439aa0e17a19560aa
Opcode Fuzzy Hash: 8bb8605ac1c349b7ed951fd2da0efd1c73228fe5391c7a5f19e2fcd3618d3200
Instruction Fuzzy Hash: 4531613161490C8FEB55FF64E8DA6EBB3D4FB94300F50452AA44BC2181EE34E649C7A1

Function 00000230766FB9D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00000230766FBB1F

Strings

P, xrefs: 00000230766FBA46

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: CreateWindow
String ID: P
API String ID: 716092398-3110715001
Opcode ID: 3958d680dd61ed40200acf61cd907bfc270c34c5250da5fbb8d7e78c828db693
Instruction ID: d0a5e6ab3311fcca8cc67d67b5910f85ea529c1a2a80aef721962242db7da3b1
Opcode Fuzzy Hash: 3958d680dd61ed40200acf61cd907bfc270c34c5250da5fbb8d7e78c828db693
Instruction Fuzzy Hash: 97514F70518B488FD7A5EF28E89A79AB7E4FB95311F104A2FE08EC2150DF34A545CB93

Function 00007DF4ADB83018 Relevance: 3.3, APIs: 2, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007DF4ADB81708: RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB81735

Part of subcall function 00007DF4ADB81740: VirtualProtect.KERNELBASE ref: 00007DF4ADB8176D

_calloc_dbg.MSVCRT ref: 00007DF4ADB8313A
SendMessageA.USER32 ref: 00007DF4ADB831FB

Memory Dump Source

Source File: 0000001A.00000002.3765088712.00007DF4ADB81000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb81000_wmplayer.jbxd

Similarity

API ID: FunctionMessageProtectSendTableVirtual_calloc_dbg
String ID:
API String ID: 963881631-0
Opcode ID: 06791c2761ba3497e0c9077ab5921302019734c58a86a701aa2be8a22ea6a1e2
Instruction ID: d02784a6add5e7e70075899f07dfec22d187fbcaa96c71dd9fa9a24e80dd8f69
Opcode Fuzzy Hash: 06791c2761ba3497e0c9077ab5921302019734c58a86a701aa2be8a22ea6a1e2
Instruction Fuzzy Hash: 8B91713060DA888FEB54EF28D9955AE73F2FB94305B504A3ED08BC32D1DA78E845C781

Function 00000230766F22D0 Relevance: 3.2, APIs: 2, Instructions: 222
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00000230766F22E8
VirtualAlloc.KERNELBASE ref: 00000230766F23B4

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 9420d4d47bb5eb7f06d7fea4bf54311970c83033f74d5905fb72208c54926d5e
Instruction ID: d67ed33ac6860ced4e2e1cd2dec5ac9c8c75e681cac6480e68473646e6448fcc
Opcode Fuzzy Hash: 9420d4d47bb5eb7f06d7fea4bf54311970c83033f74d5905fb72208c54926d5e
Instruction Fuzzy Hash: A151D671218E0D4FE765EBECE4AC3A9B3D6F798301F904129D44AC3194EE79DD818B92

Function 00000230766FD594 Relevance: 3.1, APIs: 2, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00000230766FD5D8
FindCloseChangeNotification.KERNELBASE ref: 00000230766FD62C

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ChangeCloseFileFindNotificationView
String ID:
API String ID: 556135526-0
Opcode ID: f5e4ace49f8dbf4d208ab68c6c07d1c08f373a7b01313fe5be4b999b6ef0fbb6
Instruction ID: 5ea2cf0216273c04de96a076bed526394d93e0e3b997eef1cdc3cd15e35dddeb
Opcode Fuzzy Hash: f5e4ace49f8dbf4d208ab68c6c07d1c08f373a7b01313fe5be4b999b6ef0fbb6
Instruction Fuzzy Hash: 2A41B43021490C8FEB65FFA8E8D86EAB3E5FB95305F404529A50BC3195DF28FA458B91

Function 00000230766F2974 Relevance: 3.1, APIs: 2, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000230766F29B3
VirtualProtect.KERNELBASE ref: 00000230766F2A19

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9af94119fb7637b7a971dd9e5dfe6689dbe62cc4b897151fb24c5dcbfab40a36
Instruction ID: c658be6f69793c0b4780e3780c266b3c11ba73858080522911907e5cdcae9a48
Opcode Fuzzy Hash: 9af94119fb7637b7a971dd9e5dfe6689dbe62cc4b897151fb24c5dcbfab40a36
Instruction Fuzzy Hash: 6C315C30308A894BEB24DFACE8E87D57BC5FB5A314F550295EC8AC72C5DB58D802C796

Function 00007DF4ADB712C8 Relevance: 3.1, APIs: 2, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007DF4ADB712F5
VirtualProtect.KERNELBASE ref: 00007DF4ADB7137E

Memory Dump Source

Source File: 0000001A.00000002.3764684590.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb71000_wmplayer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aa55061d99e775b82e27cc6da46f8fa59da2ee6fc95db4891e67f0932caa2168
Instruction ID: 7e432a9b09e95c664bf1416e4ada4caf807a28c28b642143c561c72b7dafc79b
Opcode Fuzzy Hash: aa55061d99e775b82e27cc6da46f8fa59da2ee6fc95db4891e67f0932caa2168
Instruction Fuzzy Hash: 4B2136B160B98557EB189B2CC580E76B3F5FF90388F15113BE84FC7AA5E768F8018265

Function 00007DF4ADB712C8 Relevance: 3.1, APIs: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF4ADB712F5
VirtualProtect.KERNELBASE ref: 00007DF4ADB7137E

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 89563af4fe1d572c43706a2c5b782feb3df9d02bfd1ff06021ce1d81ad062eb6
Instruction ID: c12b4ef9c783b57f5f2e28f89b7f753e5515b8d38ba25e708630117cb11d7929
Opcode Fuzzy Hash: 89563af4fe1d572c43706a2c5b782feb3df9d02bfd1ff06021ce1d81ad062eb6
Instruction Fuzzy Hash: 182127B160B98557EB189B2CC580E76B3F5FF90384F15113BE84FC7AA5E668E8018264

Function 00007DF4ADB81740 Relevance: 3.1, APIs: 2, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007DF4ADB8176D
VirtualProtect.KERNELBASE ref: 00007DF4ADB817F6

Memory Dump Source

Source File: 0000001A.00000002.3765088712.00007DF4ADB81000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb81000_wmplayer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 555ee51bdfbe110a30625e9d65cd405c650e6e50b938efdbc78372c29de57681
Instruction ID: e6878eefa134b790b61c142c9ae1f8aff63c49f48d4ebef41f77a663c68f049c
Opcode Fuzzy Hash: 555ee51bdfbe110a30625e9d65cd405c650e6e50b938efdbc78372c29de57681
Instruction Fuzzy Hash: B92105B990B54547EB189B2CD684A7BB3F1FFA0388F14413EE44FC72A4D668F8018281

Function 0000023076734468 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000023076734496
??3@YAXPEAX@Z.MSVCRT ref: 00000230767344A0

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 5a17d2a82900e38e66e0587de357cfea25c88adc918405c2cab64094945da2f0
Instruction ID: 1fbf8d782b8b25698e2bf36c7bef87e6a991dc9bcefaf589ac587e4df2c8a157
Opcode Fuzzy Hash: 5a17d2a82900e38e66e0587de357cfea25c88adc918405c2cab64094945da2f0
Instruction Fuzzy Hash: D2F09670218D0E4FEF98DFAE88D9F6273D0FF58350F501164980AC7289DA29DC41D750

Function 00000230766FC784 Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00000230766FC9BF

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 59198f789e8770a8feb484424aff911a50a4b1632d60f2ad6db9f6e5577744bf
Instruction ID: 1b074d3f2aa449e216e9e842e7afac4365b0fb3041a84ea7c8a5824bc57fa213
Opcode Fuzzy Hash: 59198f789e8770a8feb484424aff911a50a4b1632d60f2ad6db9f6e5577744bf
Instruction Fuzzy Hash: 55913E31518A4C4BD765EB54D4D96EBF3E1FB94300F40492EE08BC3192EE35EA49CB92

Function 00000230766FCA8C Relevance: 1.7, APIs: 1, Instructions: 228fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00000230766FCC99

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e26a3d902f64fdb1e6a29b1ddfd8af137ced715061d327bbcfc87f3b72d7e64f
Instruction ID: 3bbab4b016cb76bb89938c6dc7e7360308c679cec18ef550b4a5215339459379
Opcode Fuzzy Hash: e26a3d902f64fdb1e6a29b1ddfd8af137ced715061d327bbcfc87f3b72d7e64f
Instruction Fuzzy Hash: CB71E735208B0C8FD779EB58E8D5AA6B3E1FB94710F500A1DD48BC3192DA38FA45CB91

Function 00007DF4ADB715E8 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE ref: 00007DF4ADB7172D

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a4d7378eb0dc183d45dac9fde789c38604b4b9a60361aa9a1ccba498305d516d
Instruction ID: 09b4ca347a273d23249165f2ffc099f517a109b827aef265b1130e114eb8ddb1
Opcode Fuzzy Hash: a4d7378eb0dc183d45dac9fde789c38604b4b9a60361aa9a1ccba498305d516d
Instruction Fuzzy Hash: 4B71537061D7884FD765EB28D4857ABB7F1FB98300F004A3EE58FC3192EA34A5058B92

Function 00000230766F6C10 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 00000230766F6CD6

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c27442c9625b69612e30a0c621dafdc38b3cd1b2ea33eefe8ec2cdf5f7c33623
Instruction ID: 2f7920a0b2f77f0ca6cac80687fac505c3a14687f0f10fb1a8e09963f0075127
Opcode Fuzzy Hash: c27442c9625b69612e30a0c621dafdc38b3cd1b2ea33eefe8ec2cdf5f7c33623
Instruction Fuzzy Hash: 7441A93031490D0BEF69E774F8E97EAB2D5E794310F800629A447E31D6DE2DEA058761

Function 00000230766FA76C Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00000230766FA7FB

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: _malloc_dbg
String ID:
API String ID: 1527718024-0
Opcode ID: d2cb0783aaccdf533b8783a245833ea662784d452517a49626c29c14fb2d72e4
Instruction ID: 3e55d195b510abfd5a2beb05a3195494bffe5cf7f4916bd1d417878934debece
Opcode Fuzzy Hash: d2cb0783aaccdf533b8783a245833ea662784d452517a49626c29c14fb2d72e4
Instruction Fuzzy Hash: 3141A131218D0E9FDB94EF6CD8DCAA5B7E0FB68311750466AD41AC3664DB74E981CBC0

Function 00000230766F778C Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 00000230766F78B2

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: c6fe4b8a49b1c432d16a5d1b2244a4336856686fe2f0bc0d983b446ba2d85ae3
Instruction ID: 558629faf030e0b142fc13855f5a28199b12e48ca5762aa98cee74aa804d5ff8
Opcode Fuzzy Hash: c6fe4b8a49b1c432d16a5d1b2244a4336856686fe2f0bc0d983b446ba2d85ae3
Instruction Fuzzy Hash: 78414F711186488BE769EF64D4E9BDBF7E1FB94340F404A1DA08BC3191EE79A604CB52

Function 00000230766FCCD0 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00000230766FCD2F

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2f464fde3477c0bba4832f44d3340180ae7d23497e5ed422822a87f1e6a42210
Instruction ID: 595d48dc07ff95301962e8648122a0a0345d15dd9ba8eb3e0eb063a298960a0e
Opcode Fuzzy Hash: 2f464fde3477c0bba4832f44d3340180ae7d23497e5ed422822a87f1e6a42210
Instruction Fuzzy Hash: 52018471204A0C8FE741FB59D8C59ADB7E9FBD8314F50062AE84AC6150EF24EA55C791

Function 000002307670D4AC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 000002307670D4FE

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e53db298d0d7d8de9701e8a24c72cb59212fc55ca396913229799ff2ccd7724d
Instruction ID: 80b8f4006e18079666537d4e47b848d41e0f18f0a61eedc5868e762c057df7a5
Opcode Fuzzy Hash: e53db298d0d7d8de9701e8a24c72cb59212fc55ca396913229799ff2ccd7724d
Instruction Fuzzy Hash: FB112130200A1D9FEFA59FA988E83E676D0EB58355F14017AEC0ACA195CB74ED45C7B1

Function 00000230766F2904 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00000230766F293C

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a3e65a005f3911c52a3a19618f507bf36bcbd5794d57615cb3bbd7cad2f75c67
Instruction ID: 3abbfdd9b83e6e793d1308642005adb725df1bda1b7eff346a22321527631a75
Opcode Fuzzy Hash: a3e65a005f3911c52a3a19618f507bf36bcbd5794d57615cb3bbd7cad2f75c67
Instruction Fuzzy Hash: 0B01263171490D8FEB64ABAEECA866573DAFB8A316B444065D80AC3144DA3EAC41CB91

Function 00007DF4ADB82F60 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetWinEventHook.USER32 ref: 00007DF4ADB82FCD

Memory Dump Source

Source File: 0000001A.00000002.3765088712.00007DF4ADB81000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb81000_wmplayer.jbxd

Similarity

API ID: EventHook
String ID:
API String ID: 3661607649-0
Opcode ID: e6b188324f96a1e03f166e4287a2793acb406422b2b30f8b11d607c185f61fee
Instruction ID: 3d5b21c0212b03d9331fc1685e1f8c088c7145b65b7f7802ba03a4b847fa951f
Opcode Fuzzy Hash: e6b188324f96a1e03f166e4287a2793acb406422b2b30f8b11d607c185f61fee
Instruction Fuzzy Hash: 7F116D3081A9858FEB54AB64D9697AF72B0FF10318F600A3DD48BC22E1EB3DA4449741

Function 00000230766FBE7C Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000230766FBED6

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4d57d7d5982399080f90361c2699a999889f8feb933735bc5bb6e787f07df0d3
Instruction ID: f3291b0cab7b5f9e1777a731ff65904de3a15d9b101934159820edddb6b8eb26
Opcode Fuzzy Hash: 4d57d7d5982399080f90361c2699a999889f8feb933735bc5bb6e787f07df0d3
Instruction Fuzzy Hash: 0B01A460314A4C4FFB55EBB8A8B93A9B6D6EB94301F50056AA00BC32D1EA2CDE058751

Function 00000230766F2B50 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00000230766F2B70

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: eab2b32177be9564e25d5777707ea1ca30621b5695f0306aefe172fe800bc35c
Instruction ID: 8665bb108a4a3835020c3665c925f7b19731d9e15ebce6705f70d5b608495d1c
Opcode Fuzzy Hash: eab2b32177be9564e25d5777707ea1ca30621b5695f0306aefe172fe800bc35c
Instruction Fuzzy Hash: B9F0E521708A0D4FF730AEF67CE93AA724BE384317FA40D3AD807C6185D83D99828760

Function 00000230766F697C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetProcAddressForCaller.KERNELBASE ref: 00000230766F69A3

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: c691d5039295ecc8b7e044fb40fc3c69618cf93c91779b6bda279d67736a12d8
Instruction ID: abe131e14be8b3ed5af88f15dc85e854ac341766a9624efb58c7c9b121b6fc58
Opcode Fuzzy Hash: c691d5039295ecc8b7e044fb40fc3c69618cf93c91779b6bda279d67736a12d8
Instruction Fuzzy Hash: 2FE0C221B04C1E0BAB7862EE64DCAB651C6C7DC172754027BE42DC3299EC14CC410390

Function 00007DF4ADB71290 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB712BD

Memory Dump Source

Source File: 0000001A.00000002.3764684590.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb71000_wmplayer.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: cff89ce48d21670ef986fb34dbe231ab83686b2b911df37c38ad495f9c0b2048
Instruction ID: 3db407243258d799f89ab699fb55772d6c44f09646369a8240401143f4cb863a
Opcode Fuzzy Hash: cff89ce48d21670ef986fb34dbe231ab83686b2b911df37c38ad495f9c0b2048
Instruction Fuzzy Hash: 30E04F309059054BEB98DA1DC90975036E0EB5C30AF604669D505C92D1DB39989BCF81

Function 00000230766F74A0 Relevance: 1.5, APIs: 1, Instructions: 276COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00000230766F757E

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ef59572018a9deb8cc9717970e2f4ccce5bc515e763955c946e33fff9a11c9f9
Instruction ID: d433653f9bc1cb13672d0a7dc4ad9076bcc6b9f2dc842ba58536e3c1ae49d853
Opcode Fuzzy Hash: ef59572018a9deb8cc9717970e2f4ccce5bc515e763955c946e33fff9a11c9f9
Instruction Fuzzy Hash: FE919270218A0C8FEB55EF58E4D9AEAB7E0FB58300F804559E44BC7196DE34FA45CBA1

Function 00000230766F3C84 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00000230766F3CB1

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: a4029a93bfcd341c8676454adb8c6f5f12b6913b14ed0bccef0902b234b6dd47
Instruction ID: 05c022a76c909d448ba4541a4275f9216841ace8bf11194b445e8de527cc1033
Opcode Fuzzy Hash: a4029a93bfcd341c8676454adb8c6f5f12b6913b14ed0bccef0902b234b6dd47
Instruction Fuzzy Hash: 48E04F301009095BEBA8DB5DC94D39036D0EB9830AFA04258D405C9295CB39D49BCF81

Function 00007DF4ADB71290 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB712BD

Memory Dump Source

Source File: 0000001A.00000003.1679091354.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_7df4adb71000_wmplayer.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: fc492990cf9c193ed0fed28dab1318ef1c2e9243cee28bd6a774944ac56baf31
Instruction ID: 0c7e47f54d23da2ad08f2bf799b9d59d12fb83bd886fe80bf60e70f0af262ca6
Opcode Fuzzy Hash: fc492990cf9c193ed0fed28dab1318ef1c2e9243cee28bd6a774944ac56baf31
Instruction Fuzzy Hash: ADE04F709059055BEB98DA1DC9097503AE0EB5830AF604669D505C92E1DB79949BCF81

Function 00007DF4ADB81708 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4ADB81735

Memory Dump Source

Source File: 0000001A.00000002.3765088712.00007DF4ADB81000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb81000_wmplayer.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: 62df2a061ef9a83e40c3da8f8fbf33d98cfabe8aaf6c816d3fbd47a45bbcd3fe
Instruction ID: ad9e075eb79f465961588cbcb93f6a08655251f9ffc3a77d86b085b303e33c35
Opcode Fuzzy Hash: 62df2a061ef9a83e40c3da8f8fbf33d98cfabe8aaf6c816d3fbd47a45bbcd3fe
Instruction Fuzzy Hash: 36E04F746429054BEBA8E61DC94975036F0EB5830AFA0426DD505CA291CB39949BCF82

Function 00000230766F6950 Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000230766F6972

Memory Dump Source

Source File: 0000001A.00000002.3755154542.00000230766F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000230766F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_230766f1000_wmplayer.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: 1b9924acae3c4f7b723a48d61ad4fde45677fdbbec3ffd00baeefdea04c60b44
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: 17D0A710320D0E1BEA58637D6CE937591D5E7CC221F90023AB40BC2282DD5DCD550390

Non-executed Functions

Function 00007DF4ADB7199C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007DF4ADB71AB6

Strings

., xrefs: 00007DF4ADB71A32
o, xrefs: 00007DF4ADB71A38
(, xrefs: 00007DF4ADB71A2C

Memory Dump Source

Source File: 0000001A.00000002.3764684590.00007DF4ADB71000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4ADB71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7df4adb71000_wmplayer.jbxd

Similarity

API ID: InformationProcessQuery
String ID: ($.$o
API String ID: 1778838933-116743476
Opcode ID: 4bc1349027c11bed1782b00e19f7c38053766996ee3beef85e27a3dd3919dec8
Instruction ID: caba274068d3b2540c7a88f8e4125ec760cec0de08cec03189228e2655db760c
Opcode Fuzzy Hash: 4bc1349027c11bed1782b00e19f7c38053766996ee3beef85e27a3dd3919dec8
Instruction Fuzzy Hash: 2781907090E7D44FE3759B6884183EBBBF0FF55344F14292ED0EBC32A2E62895458722

Analysis Process: dllhost.exePID: 7132, Parent PID: 6000COMMON

Executed Functions

Function 00000213BBF5385C Relevance: 1.8, APIs: 1, Instructions: 269
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000213BBF53484: GetVolumeInformationW.KERNELBASE ref: 00000213BBF535BB

NtQuerySystemInformation.NTDLL ref: 00000213BBF539CF

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: Information$QuerySystemVolume
String ID:
API String ID: 2187445334-0
Opcode ID: bf88aa79f3393f2c4270e4c8f0c1006911046903424164ea2339802639798b84
Instruction ID: b50539c369f62ff0aaefac13a904be529252b40acabe56372d60136144a3263d
Opcode Fuzzy Hash: bf88aa79f3393f2c4270e4c8f0c1006911046903424164ea2339802639798b84
Instruction Fuzzy Hash: 8B91A531118F094FE765EB38C8497E673E2FB64305F104A3AA45BC32A5EF35D6458B81

Function 00000213BBF52AC4 Relevance: .3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2732d31d058e475aa1d3db2d810b78d2ce7aeb846d2da72cd2dfad050138dd
Instruction ID: ad3533914b0d3d64c93b690336ce2974c68aaa1eb18a8fd31f50cfec06f65628
Opcode Fuzzy Hash: 6d2732d31d058e475aa1d3db2d810b78d2ce7aeb846d2da72cd2dfad050138dd
Instruction Fuzzy Hash: 9CB1073121CE095BE756EB14C4A5BDB73E2FBA5308F404619A487C719AEE35F709CB81

Function 00000213BBF76E1C Relevance: 7.6, APIs: 5, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00000213BBF76E25
WSAStartup.WS2_32 ref: 00000213BBF7A3BC
socket.WS2_32 ref: 00000213BBF7A42B
getsockopt.WS2_32 ref: 00000213BBF7A45F
socket.WS2_32 ref: 00000213BBF7A494

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: socket$ErrorModeStartupgetsockopt
String ID:
API String ID: 2955919026-0
Opcode ID: 690d345f2021f6da5236feb68d8b287bbf9abb83f2ecb601865a28f0a565e020
Instruction ID: deac54a069d3e5e7982cc5acf9464a7b2c1c17345814d9b95e4f708f1261f330
Opcode Fuzzy Hash: 690d345f2021f6da5236feb68d8b287bbf9abb83f2ecb601865a28f0a565e020
Instruction Fuzzy Hash: F1412470518A488FE754EF28D89C6D977E2FBA8304F51976EE046C32E5EF399508CB41

Function 00000213BBF58038 Relevance: 4.6, APIs: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF58089
??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF580A1
??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF580FE

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 842a0fcfbae77ddf7c9ef53a2fdb97499bdab63288fbf5ca7410195d085d151d
Instruction ID: 7574d692c283ab4ffe16688b4d27f67f07cb5890d572492e55cf40719ac13b8e
Opcode Fuzzy Hash: 842a0fcfbae77ddf7c9ef53a2fdb97499bdab63288fbf5ca7410195d085d151d
Instruction Fuzzy Hash: 4D31A5342159098FEFA8FF19D8AD7E83393FFA4305F5440A8980ACB19ADE25DE55C750

Function 00000213BBF53658 Relevance: 3.2, APIs: 2, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00000213BBF53792
MapViewOfFile.KERNELBASE ref: 00000213BBF537B9

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: 07ba9efbedda36450ba34410379ba26bd737a34b556add273976d4b653339635
Instruction ID: d7db527c52201658a7382e79f3940afae2689652d9f436b283830bdf7534b70b
Opcode Fuzzy Hash: 07ba9efbedda36450ba34410379ba26bd737a34b556add273976d4b653339635
Instruction Fuzzy Hash: A451913151CB888BD725EB28C8857EAB7E1FB94305F00492FA4DBC2191EF349609CB92

Function 00000213BBF779E0 Relevance: 3.1, APIs: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIoCompletionPort.KERNELBASE ref: 00000213BBF77A42
SetFileCompletionNotificationModes.KERNEL32 ref: 00000213BBF77A88

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPort
String ID:
API String ID: 3755109111-0
Opcode ID: 3d04898f0baabecc2f3c6bacaaade18d79c33302fe0cdaf5b807a00c8715d7ea
Instruction ID: 4ed4b1ac7c07141f83acf50383598f21ff43c9bdc339c724c753efb0acc9c606
Opcode Fuzzy Hash: 3d04898f0baabecc2f3c6bacaaade18d79c33302fe0cdaf5b807a00c8715d7ea
Instruction Fuzzy Hash: B131A4303285154BFF78DB29988D7E572D6F764319F5001A9E806C21EAEF26CF458781

Function 00000213BBF53484 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 00000213BBF535BB

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: fc96228221a64c14c7771b2c820f555db7d261a1131db5f0bd3cfba39c9abf21
Instruction ID: 7e18df8629d53117494d011bfb0fbc37fb2102d87102fc3a67aee0984ad33032
Opcode Fuzzy Hash: fc96228221a64c14c7771b2c820f555db7d261a1131db5f0bd3cfba39c9abf21
Instruction Fuzzy Hash: AB51F47111C7488BE76AEB28C4987DBB7E1FBA4304F504A2DE08AC2195EF759709CB42

Function 00000213BBF77DD0 Relevance: 1.6, APIs: 1, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00000213BBF77DFD

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: e6fd14d16137a95e4702a1e33f0533e96a3ee2d73c8ca89cef5c35a36976fbc4
Instruction ID: f53397d7b06740eb74e118eaf093bfa50b55d2cf480db1e636aceb569ad9c53d
Opcode Fuzzy Hash: e6fd14d16137a95e4702a1e33f0533e96a3ee2d73c8ca89cef5c35a36976fbc4
Instruction Fuzzy Hash: BB21B7303185044FEF68DB39988D7E533D2EB64329F2046A9E82AC72D9EF358E554752

Function 00000213BBF61784 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00000213BBF61810

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 8ba5e81e031e817494e782a31e249e73ef5175517b47c90734a6ec4d735d2d12
Instruction ID: a70495800af909219e219dae02fd1fd3135dc95948845111e1c75718fefbeb1e
Opcode Fuzzy Hash: 8ba5e81e031e817494e782a31e249e73ef5175517b47c90734a6ec4d735d2d12
Instruction Fuzzy Hash: B11173315248085BEBB8FB65C4997E93392FBA4314F5412759C1FC618FEE260B4AC690

Function 00000213BBF528D4 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00000213BBF52949

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 147b7861b8d55a5ae4162ffc4259640c3a28b81395385b0f304c643425426fcc
Instruction ID: b7079bf3f7e2f002c77fe6fdc2803c17d40f426cfd4e3c7bba0bdfd490a93ae6
Opcode Fuzzy Hash: 147b7861b8d55a5ae4162ffc4259640c3a28b81395385b0f304c643425426fcc
Instruction Fuzzy Hash: AD014430318E090AEA69F374485D3FD22D7FBA5319F440329680AD32DAFE16DB085651

Function 00000213BBF54520 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000213BBF58038: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF58089
Part of subcall function 00000213BBF58038: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF580A1
Part of subcall function 00000213BBF58038: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,00000213BBF5454C), ref: 00000213BBF580FE

Part of subcall function 00000213BBF53CB0: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000213BBF54590), ref: 00000213BBF53CD9

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000213BBF545DB), ref: 00000213BBF54579

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: cea5a1abd7c6ef95cc881fb3b015a3920f1a58e6b13961532c49689afed8ac0f
Instruction ID: dcf8eed8cc0f4a5c962e4b184f17a55ce2c54f400d0e45f73b10a5314d7b543d
Opcode Fuzzy Hash: cea5a1abd7c6ef95cc881fb3b015a3920f1a58e6b13961532c49689afed8ac0f
Instruction Fuzzy Hash: F20125311149084FD759EB18C8DDBE9B3A2FBA4308F540299941AC61DAEF359B4EC7C0

Function 00000213BBF528A0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddressForCaller.KERNELBASE ref: 00000213BBF528C7

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: be8164fcd6bb8b439b0c6dd95cb79210c8cf986f476e4ea7066077b0df3d1665
Instruction ID: 04614604c734029b52ebd7b805212940523dff48154026b69103d3874639e540
Opcode Fuzzy Hash: be8164fcd6bb8b439b0c6dd95cb79210c8cf986f476e4ea7066077b0df3d1665
Instruction Fuzzy Hash: 87E0C221718C090BAB78A1AE248C6F651C6C7EC27670402BBE41CC3299ED11CD450390

Function 00000213BBF52874 Relevance: 1.5, APIs: 1, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000213BBF52896

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: f35568f047778682c4e09a0758aa0e790cfbd22d610be31b2a97550f5aa62a06
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: ADD0A720324D0E1BEA58A37D1CA83F511C6E7EC32AF50113AB409C2285ED59CE590300

Function 00000213BBF53CB0 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000213BBF54590), ref: 00000213BBF53CD9

Memory Dump Source

Source File: 0000001B.00000002.3755090359.00000213BBF50000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BBF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_213bbf50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 8cb90f487aa88aaeb899a82658a4f96ee9d6a5816eee242e74479443c5ca5ecc
Instruction ID: 9fec42b40b7c86b83da1c9308ec58a25bf002dc2ba1036fa3215df16c6874689
Opcode Fuzzy Hash: 8cb90f487aa88aaeb899a82658a4f96ee9d6a5816eee242e74479443c5ca5ecc
Instruction Fuzzy Hash: 6EE0EC30315D198EEB69EB39885C7E032E1FB68308F980958E006C31D4FA6DDA49C752

Analysis Process: MSBuild.exePID: 2908, Parent PID: 744COMMON

Executed Functions

Function 00A208D0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7decbfcc8004d1471a370e148c3d4da70c839c5f0f399ca7ae7eb383a4edf586
Instruction ID: 0884e9843293912ebfdc5bd7ea34e5bca8afdc1d744c0a3fc249388b39e2f2b8
Opcode Fuzzy Hash: 7decbfcc8004d1471a370e148c3d4da70c839c5f0f399ca7ae7eb383a4edf586
Instruction Fuzzy Hash: 30819D34B002158FDB55EF78E959B2E7FE2BF88314F148569E0069F3A6DE749C068B81

Function 00A208BF Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9907581cb1532d5dc71a3a9cbc7bb6dcb0866cead5c78c23f7295c8f70d4b6d4
Instruction ID: 7466f544a0a1323b28e333f4c4023d0f7df4ff004b27eea0d864f2651acd1e59
Opcode Fuzzy Hash: 9907581cb1532d5dc71a3a9cbc7bb6dcb0866cead5c78c23f7295c8f70d4b6d4
Instruction Fuzzy Hash: 2C519034B012158FDB15BF78E958A2D7BE2BB84305B108629D0169F3A6EF749D06CB81

Function 00A2099B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4073920e07d54a2d82f315fbd618b1935acc42a7560c8fc4e4f9d699bc2516ab
Instruction ID: 60decb1f1fc79fa3c650383f0d180567de0fc958c23b5c7e039db974b89b454d
Opcode Fuzzy Hash: 4073920e07d54a2d82f315fbd618b1935acc42a7560c8fc4e4f9d699bc2516ab
Instruction Fuzzy Hash: 623180307003158BD725BB78D415B1EBA92BF84315F14CA2DD0269F396DF75DD498B82

Function 00A210A9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ba5940ee7eec4b19b1667817b2a009d0f3f39f092042eb5071e46351593ddd
Instruction ID: 332c6b28981930685cb15b476bbe52911d417a5d62f1c6b58a8e13b676ea95d1
Opcode Fuzzy Hash: 70ba5940ee7eec4b19b1667817b2a009d0f3f39f092042eb5071e46351593ddd
Instruction Fuzzy Hash: 8D21C271F043145FDB14ABBD581936EBEEAAFC8300B18852EE44BD7382DD389C0287A1

Function 00A20F88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e0e5fdb6321a1ebea2e507d72c4ed76f5a4b924bfcd600950e0e965140ec37
Instruction ID: faed56b4c6c8e438f9e149328909ea6ffa19b95bbaf9e855168a6160fa291b1a
Opcode Fuzzy Hash: 34e0e5fdb6321a1ebea2e507d72c4ed76f5a4b924bfcd600950e0e965140ec37
Instruction Fuzzy Hash: 8B31AE74E003089FDB45EFB8D95469D7FB2FF88304F10866AD001AB255DB306A45CB51

Function 00A20F98 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1998522405.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_a20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613ae78417087d4db77fa9944407720faf49a76831af3d22ae2678d6d14d4113
Instruction ID: fcb4b10c66365b9704a27319d6de02f95fca7d17e490d59aedcae19424f1e8c5
Opcode Fuzzy Hash: 613ae78417087d4db77fa9944407720faf49a76831af3d22ae2678d6d14d4113
Instruction Fuzzy Hash: 81218D74E003089FDB45FFB8D948AAD7BB6FF88304F108569D005AB354EB706A45CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Rhadamanthys

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe

C:\Users\user\AppData\Local\Temp\cfi

C:\Users\user\AppData\Local\Temp\d31d8958

C:\Users\user\AppData\Local\Temp\e5b60341

C:\Users\user\AppData\Local\Temp\ec76b918

C:\Users\user\AppData\Local\Temp\mvyvk

C:\Users\user\AppData\Local\Temp\nfsxtmg

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre