Windows Analysis Report
Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Initial sample is a PE file and has a suspicious name

Source: global traffic

TCP traffic: 192.168.2.7:49753 -> 154.21.14.89:22455

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C498340 LoadLibraryA,GetProcAddress,FreeLibrary,recv,

8_2_00007FFB0C498340

Source: global traffic

DNS traffic detected: DNS query: gibbooc2.com

Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://ocsp.digicert.com0
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://ocsp.digicert.com0A
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://ocsp.digicert.com0C
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe	String found in binary or memory: http://www.actualinstaller.com
Source: HitPawInfo.exe.5.dr, 0	String found in binary or memory: http://www.digicert.com/CPS0
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe	String found in binary or memory: https://www.actualinstaller.comU
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1370907201.00000000046E4000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028AD000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028BC000.00000004.00001000.00020000.00000000.sdmp, Dutchai.lng.5.dr	String found in binary or memory: https://www.daproverb.be)
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe	String found in binary or memory: https://www.google.comU

System Summary

Source: initial sample

Static PE information: Filename: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Source: C:\Windows\System32\regsvr32.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DF694	8_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4EACC4	8_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E2DD8	8_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E4FE4	8_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4EE8F8	8_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DABD8	8_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4F2500	8_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DA840	8_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DA0E0	8_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E0310	8_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4F03E8	8_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4D9CD8	8_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4F1E64	8_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4D9EDC	8_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E1958	8_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DFA40	8_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E5AF8	8_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E9B1C	8_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4EBC74	8_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4ED680	8_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DB6A4	8_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4C16D0	8_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4DB26C	8_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4E5478	8_2_00007FFB0C4E5478
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4EACC4	12_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E2DD8	12_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E4FE4	12_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4EE8F8	12_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DABD8	12_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4F2500	12_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DA840	12_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DA0E0	12_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E0310	12_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4F03E8	12_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4D9CD8	12_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4F1E64	12_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4D9EDC	12_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E1958	12_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DFA40	12_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E5AF8	12_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E9B1C	12_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4EBC74	12_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DF694	12_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4ED680	12_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DB6A4	12_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4C16D0	12_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4DB26C	12_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4E5478	12_2_00007FFB0C4E5478
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4EACC4	20_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E2DD8	20_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E4FE4	20_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4EE8F8	20_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DABD8	20_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4F2500	20_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DA840	20_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DA0E0	20_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E0310	20_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4F03E8	20_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4D9CD8	20_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4F1E64	20_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4D9EDC	20_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E1958	20_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DFA40	20_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E5AF8	20_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E9B1C	20_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4EBC74	20_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DF694	20_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4ED680	20_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DB6A4	20_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4C16D0	20_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4DB26C	20_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4E5478	20_2_00007FFB0C4E5478

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe 5FC1BD27C679B1B5306996CFA518FA1A7B4FB60E0FE6EA92BB4BA3B82C471A85

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFB0C4A2E50 appears 63 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFB0C495120 appears 36 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFB0C4E4154 appears 75 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFB0C4D598C appears 39 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFB0C497410 appears 33 times

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6652 -s 524

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: Number of sections : 11 > 10

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1319569569.000000007F120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceCommander.exeD vs Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1370907201.00000000046E4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceCommander.exeD vs Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"

Source: classification engine

Classification label: mal60.evad.winEXE@10/17@1/1

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

File created: C:\Users\user\AppData\Roaming\ResourceCommander

Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6652

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

File created: C:\Users\user~1\AppData\Local\Temp\AITMP0

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

File read: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

File read: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Source: unknown	Process created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe "C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe"
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6652 -s 524
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s ResPrompt.dll
Source: unknown	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: pcinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resprompt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resprompt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resprompt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

File written: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Window found: window name: TComboBox

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Creates an autostart registry key pointing to binary in C:\Windows

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static file information: File size 4284934 > 1048576

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274e00

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW,

8_2_00007FFB0C4B9030

Source: PCInfo.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x60c5c
Source: HitPawInfo.exe.5.dr	Static PE information: real checksum: 0x7d382 should be: 0x7cdc6
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Static PE information: real checksum: 0x0 should be: 0x41a78b

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	File created: \player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	File created: \player reports algnet 07-10-2024 .pdf www.skype.com.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	File created: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	File created: C:\Users\user\AppData\Local\Temp\PCInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	File created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Jump to dropped file

Boot Survival

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP			Jump to behavior

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_8-38746

Source: C:\Windows\System32\regsvr32.exe	API coverage: 2.9 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 2.9 %

Source: C:\Windows\System32\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4EBC74 FindFirstFileExW,	8_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	8_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	8_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4EBC74 FindFirstFileExW,	12_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	12_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	12_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4EBC74 FindFirstFileExW,	20_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	20_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	20_2_00007FFB0C4B3250

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4B3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA,

8_2_00007FFB0C4B3830

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1372382822.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1372382822.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FFB0C4D40A0

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW,

8_2_00007FFB0C4B9030

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4ED000 GetProcessHeap,

8_2_00007FFB0C4ED000

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0C4D9238
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FFB0C4D9238
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe	Code function: 20_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FFB0C4D9238

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 154.21.14.89 22455

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

NtCreateUserProcess: Indirect: 0x7FFB0C5768AB

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"

Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->o
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->lication Error<-->H
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4F4F90 cpuid

8_2_00007FFB0C4F4F90

Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	8_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	8_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	8_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	8_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	8_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	8_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00007FFB0C4EF34C
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	12_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	12_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	12_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	12_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	12_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	12_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00007FFB0C4EF34C
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	20_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	20_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	20_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	20_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	20_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	20_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	20_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_00007FFB0C4EF34C

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4D2F8C GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

8_2_00007FFB0C4D2F8C

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW,

8_2_00007FFB0C4B9030

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	11 Registry Run Keys / Startup Folder	112 Process Injection	1 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Regsvr32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Player reports algnet 07-10-2024 .pdf www.skype.com.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PCInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll	8%	ReversingLabs	Win64.Trojan.SpywareX

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gibbooc2.com	154.21.14.89	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.actualinstaller.comU	Player reports algnet 07-10-2024 .pdf www.skype.com.exe	false		unknown
http://upx.sf.net	Amcache.hve.11.dr	false	URL Reputation: safe	unknown
https://www.google.comU	Player reports algnet 07-10-2024 .pdf www.skype.com.exe	false		unknown
http://www.actualinstaller.com	Player reports algnet 07-10-2024 .pdf www.skype.com.exe	false		unknown
https://www.daproverb.be)	Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1370907201.00000000046E4000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028AD000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028BC000.00000004.00001000.00020000.00000000.sdmp, Dutchai.lng.5.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.21.14.89	gibbooc2.com	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528513
Start date and time:	2024-10-08 00:39:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@10/17@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 256
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Simulations

Behavior and APIs

Time	Type	Description
00:40:55	Task Scheduler	Run new task: PMP path: regsvr32.exe s>/s ResPrompt.dll
00:40:55	Task Scheduler	Run new task: Res path: REG s>ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
00:40:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PMP schtasks /run /tn PMP
02:08:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PMP schtasks /run /tn PMP

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.21.14.89	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse
154.21.14.89	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.tjawiq.27210.15987.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gibbooc2.com	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse	154.21.14.89
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.tjawiq.27210.15987.exe	Get hash	malicious	Unknown	Browse	154.21.14.89
	hi.zip.exe	Get hash	malicious	Unknown	Browse	172.111.186.180
	hi.zip.exe	Get hash	malicious	Unknown	Browse	172.111.186.180
	Screenshoot Error Feed Today 24-05 Skype.com	Get hash	malicious	Unknown	Browse	172.111.186.180
	Screenshoot Error Feed Today 24-05 Skype.com	Get hash	malicious	Unknown	Browse	172.111.186.180

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	38.9.223.35
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	38.9.223.19
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	38.208.16.112
	SecuriteInfo.com.Win64.TrojanX-gen.22573.8055.exe	Get hash	malicious	Unknown	Browse	143.244.33.74
	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse	154.21.14.89
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	154.23.184.60
	rInvoiceCM60916_xlx.exe	Get hash	malicious	FormBook	Browse	38.55.251.233
	NEW INVOICE.exe	Get hash	malicious	FormBook	Browse	206.238.91.127
	invoice_45009.xls	Get hash	malicious	Remcos	Browse	38.240.44.9
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	38.50.28.156

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\PCInfo.dll	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Player reports algnet 07-10-2024 .pdf www.skype.com.7z	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HitPawInfo.exe_4f927396ed7e1d24c97d8c6f3e8aee163dda5_092f0bdd_a9ecca0d-28b0-422f-a7be-50a9e18e0010\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8150383911723728
Encrypted:	false
SSDEEP:	384:r7WtYs7HnAP7zAKrkqjHzuiFCY4lO8Ty:WlAP7zAK7jHzuiFCY4lO8
MD5:	03698524701246C881403C8980A0FBF2
SHA1:	33250B6F954A295083EB332495CF16F3E9F0815B
SHA-256:	ADC30D0926D144869462D503437E236392DDDC209F34E77797ADE284747A3252
SHA-512:	9CAB9F1DC13208D6DFDD8DC9D9B8BBCEAB6AC74C2E46EC007C69789834E66BE98C13A1E0D436E725DF4F7A43965BA83CD43F63F1DBCB941A97EC4B013E51C40F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.1.4.4.5.5.0.6.8.2.0.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.e.c.c.a.0.d.-.2.8.b.0.-.4.2.2.f.-.a.7.b.e.-.5.0.a.9.e.1.8.e.0.0.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.c.b.6.e.3.b.-.8.a.e.2.-.4.d.d.6.-.8.6.0.d.-.5.b.5.8.0.d.4.1.4.4.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.i.t.P.a.w.I.n.f.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.c.-.0.0.0.1.-.0.0.1.4.-.5.9.2.f.-.a.6.f.3.0.9.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.7.1.5.e.c.d.3.8.5.8.f.f.0.3.f.d.4.2.9.3.0.0.b.4.6.f.9.d.3.2.3.0.0.0.0.0.9.0.4.!.0.0.0.0.8.0.8.1.8.3.d.9.1.6.0.a.8.9.a.d.3.c.8.7.3.0.d.2.b.6.b.7.6.8.0.3.c.a.9.7.f.3.8.f.!.H.i.t.P.a.w.I.n.f.o...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.0.:.0.6.:.3.2.:.0.8.!.7.d.3.8.2.!.H.i.t.P.a.w.I.n.f.o...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F7.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 22:40:55 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	65048
Entropy (8bit):	1.7297642325618234
Encrypted:	false
SSDEEP:	192:EISagvWOyjYPZ89REpSg/RXWQmOSJXjn6:3chkYPZ8c8MRmQpSx6
MD5:	525FBCB9F2FA3E975CF9A9C51A4AE2FD
SHA1:	CB9838B6A942ADACC725C69A3EE15C7A9F153D97
SHA-256:	F17391BC11DDA5BBEE47387BD3FB351052DBF26909D48B92A10C1A487DCA3BC0
SHA-512:	1543A25CE9A53865869C565A47C2F853F5C7F80B7A7CF99B5486C0B2846F0444D67088905AFF3D88A3357169E4884A675523BC62F8778E8BFCEEBC48A4E20A6F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......wc.g....................................l...T...........p...........`.......8...........T...........p...........................................................................................................eJ......D.......Lw......................T...........oc.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER82B4.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6722
Entropy (8bit):	3.7176785443667146
Encrypted:	false
SSDEEP:	192:R6l7wVeJlxhqvGYpM4hrLfpBy89b8O+f0oBUm:R6lXJlHqOYpM4hrLL83fzH
MD5:	67DC1D76CD68AA96D8B7E5908FDA447F
SHA1:	A905DDE37543F2457E619CA307EE18C5FE137DD1
SHA-256:	AC7C5DD0ABCB9E82FBB733F359D7833F83CA7CFD79FE5072C6ED89247DD3D368
SHA-512:	F5D3BC4CB3EDC3287824A5AEB3A2722226E3AC6E5F62DE44C80316AC9913C283F6A06C585734A67A4DD39FF34DF304A9CFACEA15532C0F9B430FFB5E8DFBC641
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER82E3.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4657
Entropy (8bit):	4.484496955120546
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYJg771I94rWpW8VY72Ym8M4JL8F4yq85USCr9PBvzEpTd:uIjfeI7ba7Ve/JxJr9PBvzEpTd
MD5:	30A6927ABDB42B091B87F35A7C8813B5
SHA1:	B5BC38DE263D5C7C47A5522F1F341A8227F5EBF9
SHA-256:	AF94AFF81F8D0FD50CD87230602EA2B3E3D4810D858B449A0BEF13221A9FC5DD
SHA-512:	EBB2D5EC7687BB2C47A300BC7EDCA5F8A1FFA8CA71F430A77ABA09E702991292257D999B34BDEA3ADA1C70122C7F7061133A9EA4E6A683B4EF6675F17DA373CF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533623" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\AITMP0\Dutchai.lng

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with CRLF line terminators
Category:	dropped
Size (bytes):	9854
Entropy (8bit):	4.955567924478758
Encrypted:	false
SSDEEP:	192:G6bfLftPfe6WyeDf5Z/tesgtqbkktW/8plKJAxzt6:RLft3e6WyeTIltqtw8pn76
MD5:	95291CB96482A97215C2C2EE737619F4
SHA1:	A256C8E1A5D12EEA3FF5FB5A7A3891B0CFB6AC2E
SHA-256:	B58A44302AA11D1FA02732879F806B35E65E7C7C2FF6A6E7C48C66E327E66373
SHA-512:	D176A38B52E8DC8C33C08A405108541D576AA0AAD7FA8CA0AEFD55FBC811DC1A8EE2CC555FA29883B25397968575A12F97E1299FAD834F4EC3B4A4F397A09268
Malicious:	false
Preview:	.[Info]..id=1043..lng=nl..translator=Jacques Deseure (https://www.daproverb.be) 13/05/2020....[Buttons]..0=< &Terug..1=&Volgende >..2=&Annuleren..3=&Installeren..4=&Sluiten..5=&Ja..6=&Nee..7=&Bladeren.....8=&Voltooien..9=&Uitpakken..10=OK..11=A&kkoord..12=Afdrukken....[Title]..0=<AppNameVersion> Installatie....[Language]..0=<AppName> Installatie..1=Selecteer de installatietaal:....[Welcome]..0=<AppName> Installatie..1=Hiermee zal <AppNameVersion> worden ge.nstalleerd.<#><#>Klik op Volgende om verder te gaan, of op Annuleren om af te sluiten...2=Copyright . %s..3=Opties....[LicenseAgreement]..0=Gebruiksrechtovereenkomst..1=Lees de volgende belangrijke informatie voordat u verder gaat...2=Lees de volgende gebruiksrechtovereenkomst. U moet akkoord gaan met deze overeenkomst voordat u verder kunt gaan met de installatie...3=Indien u akkoord gaat met de gebruiksrechtovereenkomst, klik op Akkoord...4=Ik ga akkoord met de overeenkomst...5=Door het installeren van dit programma, gaat u akk

C:\Users\user\AppData\Local\Temp\AITMP0\Uninstall.ini

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	modified
Size (bytes):	1294
Entropy (8bit):	4.998390290636298
Encrypted:	false
SSDEEP:	24:EyMtE0ZIaRZY+Z5V14hmtEs5HjI4He93hmtEswba/2PNRyZag+:Ee0rRZY+ZR1tEdMSgtENbaqNYZ2
MD5:	98EF129CD7FC258ECE3C468F089B04CE
SHA1:	14DFA1715C7BF50DB4B78D3AC60C1CD906137EB9
SHA-256:	9BBEC2A97023FAFB540D6B346636C3F4362B12CFB2ECC0002E183C6DDDF376B7
SHA-512:	F83305A6BEDE9EF60612A066CD47DB089BD30F80287348FF10AC63844D05777221666B1EDDB5D220686A38C04BD1EA86CA4FAC63028A840C751504149B847A05
Malicious:	false
Preview:	.[General]..AppName=HitPaw FotorPea..AppEdition=..AppVersion=4.0.1..GUID={1E697A61-832E-478F-9EE0-909B3BDAB870}..AllUsers=0..Admin=1..x64=0..InstallDir=C:\Users\user~1\AppData\Local\Temp..MainExe=C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe....[Messages]..0=%s verwijderen..1=Weet u zeker dat u %s volledig wilt verwijderen?..2=%s is van de computer verwijderd...3=Wilt u met ons uw opinie over dit product delen?..4=%s moet worden afgesloten om door te gaan met verwijderen.%n%nOm door te gaan, sluit %s en klik op OK.%nOm de verwijdering af te sluiten, klik op Annuleren...5=Om de verwijdering van %s te voltooien, moet de computer opnieuw worden opgestart.%n%nWilt u nu opnieuw opstarten?..6=%s kan alleen worden verwijderd als de gebruiker administrator-rechten heeft...7=Wilt u de instellingenbestanden van %s verwijderen?..8=%s moet worden afgesloten om door te gaan met verwijderen.%n%nOm door te gaan, sluit %s en klik dan op Opnieuw.%nOm dit bestand over te slaan, klik op Negeren

C:\Users\user\AppData\Local\Temp\AITMP0\aidatafile.zip

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1030414
Entropy (8bit):	7.995083770357619
Encrypted:	true
SSDEEP:	24576:/MfC0TKcWCOnqrftqSXv6SAGIzY9EGajR/5Pevhv3:/MfZWgftq4bIzY98jR/5PeZv
MD5:	76258CA71C5D5200C20FF1C5309AA8F2
SHA1:	CCB79681CA9CE13D5B60888564C5E9FE35059237
SHA-256:	2CEF521504F3C843B22C9F7B2EE203DE17493D9738FF4467D2967F85FAB61CA2
SHA-512:	BE2E5331B2F41130F6076E2AC1360EB2B677EAECFA3D87FCB2EDB22C128663BE71D93DE75EACC0D8EDAB6951099DA7DE1ACD72DAD18FB0802E5E60EA5790753A
Malicious:	false
Preview:	PK..........FY...aL...........0.}.XSW..IH ....G......E%A......+ DA.h.......mZ.Rmk[[..m..k[........h.Fi.j[q.?s..............uf.3s.,7DN($....<6.!........"B...u'.Ot.-........0.O7$.R&&.....S.JCV.2%M.>r.rVz.....E%....Q...N...&........C..M...c.,.x....X.\|.Px2....[...w..+z.d.Z..B9.;.)......'hztJb2.o...B.^s$....iU.#i"voK&A...m.._.&:...bB..:vH.:Qa/.....s....x. ...TG...i..[.I..q".Q...H...,B..E..@~..NB.!.......F./M...K.Q...gHJ0&..{g..t.'.~95...b..YK...k...e.....V.%..3d... .....\|..r..t(.2BYQ.QN...X...}..I.W....;N3.3............r.....<a...T-./v...w....w....Y...?.u.X.W..,Q...q......C.`..S...........\.-'.YrD[T!..p...A.4][.&.).s.6j..'..au.2...c6....6...Z6.. R9..u...+.:qfO.Wt................nN-.j.W:......k.EN.. (W......(.$.:..#....0.o}M.k..Tr........f.!ue...0.w.... G...g7A..pG.;.2..0.....B.g..PL{l...L.EY......3...v.P.N{..#.{.d.V...2D..Ft.^...1.0..u.I..-?.G.....?i..M)>^....P76>....a.$.96>8:>>.4......O.X.......\.....p,.w.q...r........R...n...q.......Q.....?Bq

C:\Users\user\AppData\Local\Temp\AITMP0\aiheader.bmp

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	PC bitmap, Windows 3.x format, 498 x 55 x 24, image size 82280, cbSize 82334, bits offset 54
Category:	dropped
Size (bytes):	82334
Entropy (8bit):	0.6686601662037086
Encrypted:	false
SSDEEP:	96:NxPnHCSst/INv/Q/6760tuLAdPhfvejG9NscS11wolaIsp7Jzx7:fgtc/tJdtejd11Y7Jzx7
MD5:	A620C87E69889F459C022578F3F5E420
SHA1:	125AF2C1D2D822982109D79A56703063EADCB683
SHA-256:	AC34D2317F948C0D02E90C6F2473C4CC2A78D99D21C341FFA02FF4908B48DB2B
SHA-512:	8CBD9CEAA52204B9049618170579AE99C4425DE37DBD89787CF00A192C8A69A8390D692BF25A38C83A1D72BB05516EE6857B429EAAB995B92DEF12C68D6E3027
Malicious:	false
Preview:	BM.A......6...(.......7...........hA....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.3763216431025045
Encrypted:	false
SSDEEP:	48:adMJ34BYIvCrN2SJ/dpvvYrvz3fb46OxVOsOSiXwlZoxsDp:adm37sCZdJ/dp3WvLoiXwboxsDp
MD5:	BAA63F11F9C2E4DDC827B0B36DA75C4F
SHA1:	A882761158CC5271EBC889642CD5BFC1EB957139
SHA-256:	C7F53E52BCAFB0F9975AC2EBA6F6B8DE434B30E88656EFF2B5721C24EE3213F4
SHA-512:	0D6B6819D5234FCB2C38174D68303F254CAFD94562601D6CD0A2DFD0C3FEDCC92A2B47A990F0BC2558AC1B89DF01D16EC9798C53EB9B4F9689D5FBC2415A87DC
Malicious:	false
Preview:	.[Setup]..AIVer=10.1..BDID=20241006..GUID={1E697A61-832E-478F-9EE0-909B3BDAB870}..AppName=HitPaw FotorPea..AppVersion=4.0.1..AppEdition=..AppDescription=HitPaw FotorPea..Publisher=HitPawSoftware..WebSite=..SupportLink=..Copyright=Copyright . 2024 <Publisher>..PackageType=0..InstallLevel=0..UpgradeMode=0..RunAsAdmin=0..IfInstalled=0..Windows Server 2003=1..Windows XP=1..Windows Vista=1..Windows 7=1..Windows 8=1..Windows 8.1=1..Windows 10=1..Windows 11=1..Windows Server 2008=1..Windows Server 2008 R2=1..Windows Server 2012=1..Windows Server 2012 R2=1..Windows Server 2016=1..Windows Server 2019=1..Windows Server 2022=1..Enab=1..SystemType=0..Internet=0..Archive=0..InstallDir=<TempDir>..MainExe=<InstallDir>\HitPawInfo.exe..ProgramGroup=<AppName>..Uninstall=0..Updater=0..LaunchOnStatup=0..RegisterAppPath=0..ActiveSetup=0..CacheSetup=0..SelectFolderMode=0..AltInstallDir=<AppData>\<AppName>..DataExtractParam=-o"<InstallDir>" -aoa..UninstallFile=Uninstall.exe..LangIDMethod=0..AllowInstallIf

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.zip

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	93930
Entropy (8bit):	7.979028337427802
Encrypted:	false
SSDEEP:	1536:Lo5J7yB3siNX6YmFOXg69t6vEPtZbP8xM7odVBUXF/J07khE9RV:eyCuKYnXRmUbP8modVBUHUtp
MD5:	493C36038828A5EF850DA2106AB956C3
SHA1:	8DDEEE9E5A5266982B41EB33F26676D7B0797E41
SHA-256:	F18F571A0826A626095C6D81E1F7063340436156569FAEC173474A2EEEC5B29B
SHA-512:	D422D8BBF7E5E121D7A63045E7BBD4FC81AB742157F05503748F089106102505DE2FDA6154456AD6709F5DB7B9007E5A1BF246A4F75749E408B412CC2D71953B
Malicious:	false
Preview:	PK.........FY..1sf...X.......aisetup.ini}U.n.8....;...l...+..[....f.v..4...I...d.>P....}.}....%!.........BPE.W..?..\..[.`.x}.?t.g.n..E..]..c..v'...;.OV..r.t..t>...\|2v...<.....@..;+....1.. )g.g. .......H.../..!.2...(.Gu&..;8.T....<.Bm(.G.....I.....{G..].].k....O9xN..fR.,...d... 1\..w....(3..R.b..(..YvB.. 0.3...s[G.)Z.q.L.....4PCV...Awv.W%.[.......t.8Y2r...I8U.\.`....QJ.....f{8.x.~].......g;.kv.=x....m;....Y9.h\|..........)X..P.\..hH.A .vKTjR..ffVF.......A.V<.A<....z.z."W.k.ib..........w...u...Z.+..wA...a.:.........t.>n...."......91C..\-...h.:..Qjb.`..(.xr.Y.OP.....5b.$.+.J..9...(#z..?.D~l.....M.O.\Q....D.+?..',.6.%.....JQ.P<..-.H.Bo.V.LJ;wG.(..9.\|A......y8../...K.&....A6....5..U..$..nXy....qm...lf.#...\..P..U]a.Bt.s...w../.!.7.P....WkIoP....qG.....O(......x...=....:.g...v...7. .8S&Y\|5b.p.6<.f.\{.9...24ZG.YW..e..0....6A.&I.......nSc.0.8....@.Q..<1.v.?PK.........R.X..,....~&......Dutchai.lng.Z.n...}....(.`.2-..X........${.M....p......

C:\Users\user\AppData\Local\Temp\AITMP0\aiwizard.bmp

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	PC bitmap, Windows 3.x format, 500 x 314 x 24, image size 471000, cbSize 471054, bits offset 54
Category:	dropped
Size (bytes):	471054
Entropy (8bit):	3.2443524520002636
Encrypted:	false
SSDEEP:	1536:/tfIWZ9jM6WivZDowwJH2lg0t5zspYuGDkGJK+HZky/iDOhyNlLgyOXwBJJPwcMG:52iv24SYxDmkZ3qOsBggr6Jla
MD5:	5B5B3247038C1AF153DFCB567B11DAA8
SHA1:	F35F529797188E9ABA2F7C5BECBD70309BD14541
SHA-256:	48260B05BA47BF1CE3ECA2FC7899C65E95609CA3B6AB3A9F71F61C67493A3604
SHA-512:	9396A455BAD36896F33F5456B89E4B7D0AF401399A8603939F485061143EAEB90A9EF5418844A4117975E6850FE3C9EAD7E913D3979D44314D1EF70B2459DC8F
Malicious:	false
Preview:	BM.0......6...(.......:............/.......................................................................................................................................................................................................................{.{.z.........................................~..~..~..}..\|..}..\|..{..{..................................................~..\|..\|..{..z..y..x..x..v..v..u..t..s..s..r..q..p..o..o..n..n..m..l..l..k..k..j..j..i..i......................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	500488
Entropy (8bit):	7.912186742228876
Encrypted:	false
SSDEEP:	12288:8NgbfebCK2Zc88TonN0jeidRntIYRRCQYffq+:ugbEjkc8ConiFztIwR92j
MD5:	00CED89A573AD1E1F96C94C763222E1E
SHA1:	808183D9160A89AD3C8730D2B6B76803CA97F38F
SHA-256:	5FC1BD27C679B1B5306996CFA518FA1A7B4FB60E0FE6EA92BB4BA3B82C471A85
SHA-512:	A527A55B7874E619379F18DF0EBF3BE17505D310B9AFD9E1FCCF21210EB4B93AA358F7A7BE1AA4616309D99810A0629389024738D36AEF867910419A410E0F55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Player reports algnet 07-10-2024 .pdf www.skype.com.7z, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........:...i...i...i..\i..i...h..i...h..i...h..i...h..i...h..i}..h...i}..h..iV..h..iW..h..i...i...i...h...i..0i...i..Xi...i...h...iRich...i................PE..d.....sf.........."......\...........W.........@..........................................`.................................................,...................h....T...Q......T...Xu...............................u..8............p..H............................text...7[.......\.................. ..`.rdata...%...p...&...`..............@..@.data...............................@....pdata..h...........................@..@.rsrc...............................@..@.reloc..T............P..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PCInfo.dll

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	358400
Entropy (8bit):	6.138682134890285
Encrypted:	false
SSDEEP:	6144:jZdYCSKWdQPJLxlAG10PT02qHfhLLnII0E0Mu2:k59QPJLxlAGOPTQHFDV0
MD5:	438909882796242739C542D4AA5E94DA
SHA1:	E2A82D09C76C6A59F909CB35D4BF4F4F862213E1
SHA-256:	B81A96A53AB20F43624CE4E8D25468AB8F65EF88441368CDA0C9C54525DB31F6
SHA-512:	2F972CE6901734E3217AA1982695DA589A52926C7C49C0A340C41E963B3CC03D2EFD3DE5A6AF6E61691CAE211D756710D722234457D01B4642BF463EFE641652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Player reports algnet 07-10-2024 .pdf www.skype.com.7z, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Zm.7...d...d...dUt.e...dUt.e...dUt.e...d...e...d...e...dUt.e...d...eQ..dUt.e...d...do..dV..e...dV..e...dV..d...dV..e...dRich...d................PE..d.....g.........." ...)............4.....................................................`.........................................@...H.......x............P.. C..............p......................................@...............(............................text............................... ..`.rdata..............................@..@.data...</... ......................@....pdata.. C...P...D...&..............@..@.rsrc................j..............@..@.reloc..p............l..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Respc.jpg

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=4, manufacturer=Canon, model=Canon PowerShot SX20 IS, orientation=upper-left], baseline, precision 8, 640x480, components 3
Category:	dropped
Size (bytes):	770719
Entropy (8bit):	6.712677731362388
Encrypted:	false
SSDEEP:	12288:SIO0TqHrAKgmuN0KeNtK7781ybIsOCuy+kj62iBYzZx1ldbO52/i:pULj9oQyAf2aYpbG
MD5:	E9FC238F898B1F0763B4A2EA5BF6DA2B
SHA1:	090CC66E5C8CBA33C1B0F63F76B33C3190F6D789
SHA-256:	F7249877EA94D997512FD5CF67C64DE8E9302D164FED5F2C2F3B6180E0DFC293
SHA-512:	1FBAA8DA4D1A1F791133B126AE66E587215C73DCBE73B2F93687097C87A283F2BCD16D340CD8ED3A30506A47549156D6BF4575A8250BC0F96E4CD610894AFE6F
Malicious:	false
Preview:	......JFIF..............Exif..II...............>...........D...............i.......\.......Canon.Canon PowerShot SX20 IS...........................'...........................................................8.......2012:05:10 05:31:51.A..........C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...'.>..u+?.jH.s}.........u2`.<......h>.....5.CR...[..m&.... 6y=q.5..xw.VV6..Y\[...VA...O'...8...0......%X....N<....w...g.-4...7R.....[7.H.....U\|

C:\Users\user\AppData\Roaming\ResourceCommander\Promptdource.xml

Process:	C:\Users\user\AppData\Local\Temp\HitPawInfo.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	970
Entropy (8bit):	5.5220747862495365
Encrypted:	false
SSDEEP:	24:VnA/LJ/L59/L5QSIDO/LJ/Lbxw/Lp+/L6vSIDn/Lzb:VM1fNcS11cpiXcjzb
MD5:	923CCF347E169F5533DBFC41D829B9DA
SHA1:	0360807D4C2A4923A679FC6F1175BB87A8749841
SHA-256:	C57D35C439689668E10C53E86662E297DEDE3B96F1D37E4A9FAD20689DE646FB
SHA-512:	F5CA8F9F7206FFDE49CA4C3A106C68A7F076665042BD9E53FCD0FF01B0E71C847B157C493AB0C3202033ACB30A87BC50E9627B97DFC20AC62B81505C10346BFA
Malicious:	false
Preview:	. Windows Registry Editor Version 5.00..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}]..@="ResPrompt"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ImplementedCategories]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ImplementedCategories\{EDF4B444-2758-45C1-A25A-F9ED8B5E5145}]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\InprocServer32]..@="ResPrompt.dll".."ThreadingModel"="Apartment"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ProgID]..@="ResPrompt"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\Programmable]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}TypeLib]..@="{EDF4B444-2758-45C1-A25A-F9ED8B5E5145}"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\VERSION]..@="1.0"

C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll

Process:	C:\Users\user\AppData\Local\Temp\HitPawInfo.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32843280
Entropy (8bit):	7.9672098266294284
Encrypted:	false
SSDEEP:	49152:r+NwYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYVYT:Cm
MD5:	E1BDFA7BC2EC8370102E69DE1FDC2800
SHA1:	1B26BCEC613EE069C0905055B40F0E858143562D
SHA-256:	15C4C03C0E4345A3FCC08E55164ED5CF004D8C2C40A46D7F7DB891F312226497
SHA-512:	333F62FB4ABBA81F09A5D12AFAAFD8ED716CA03E7EF251C49B4DCF75EEA7D6ADF790C1FA9EED346AC8D22831904B8729DC771F9D66CE94C8F23F23BD0643A6E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: Player reports algnet 07-10-2024 .pdf www.skype.com.7z, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..L...L...L...O...L...I...L...H...L...K...L..cH...L..cO...L..cI...L...M...L...M.}.L..bI...L..bL...L..b....L......L..bN...L.Rich..L.........PE..d......g.........." ...)............$<....................................................`..........................................u..l...<v.......p..............................0...........................(......@...............`............................text...x........................... ..`.rdata.............................@..@.data....I...........~..............@....pdata..............................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416756136146776
Encrypted:	false
SSDEEP:	6144:gcifpi6ceLPL9skLmb0mnSWSPtaJG8nAgex285i2MMhA20X4WABlGuNi5+:Fi58nSWIZBk2MM6AFBYo
MD5:	50FB39C82E93073338034769D715E7CD
SHA1:	B2EA561B148D74A81227AAF4289F1B4AF5433A2E
SHA-256:	E9301DA96E65A854DFC5C669866767BDE8E4350FC59B71745C49B919FA7419EA
SHA-512:	3F750ABAD30BC6CFA66D56AB8B9EAD79B304521DD57D964EB641B0E5C0F8D801E821BCE516CF094CBF39FDC1B14A7C4CDCF98A4296C56EA644B617E6E4A0E8E4
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn.\...................................................................................................................................................................................................................................................................................................................................................K.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.211500858406131
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Player reports algnet 07-10-2024 .pdf www.skype.com.exe
File size:	4'284'934 bytes
MD5:	005245fcbca50a836235392c802198a8
SHA1:	e53c665ed01e497874627ac654d6f90832dba1af
SHA256:	be1d320f773a860897be73dd16f805902effaead313873b0c622bc6eff9db715
SHA512:	c4297732536440eee0d666e1e52b4777d2444f4d91ab77c779e3fb0acbbc20b61ccd3d6654d8ab7ff3af71283109fb633f5d83b21be00fd14e52720a8eab0d26
SSDEEP:	98304:gqwsVKHOycs8IZPGQe92Mxvtq44djR/1eZhRj:gHrelDVq4OjR/+Rj
TLSH:	5816AF13B285A53EC07B1E396937D710993BBA213A53DC4B57F40A8CDF359902E3A687
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	13fb8f9cd15b3c2f

Static PE Info

General

Entrypoint:	0x677dcc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6700C0CE [Sat Oct 5 04:30:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2b038313242eff88172dd3dbdaa72202

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0066E544h
call 00007F3568C2E58Dh
mov eax, dword ptr [00682278h]
mov eax, dword ptr [eax]
call 00007F3568E2C401h
mov eax, dword ptr [00682278h]
mov eax, dword ptr [eax]
mov edx, 00677E30h
call 00007F3568E2BE24h
mov ecx, dword ptr [00681EF0h]
mov eax, dword ptr [00682278h]
mov eax, dword ptr [eax]
mov edx, dword ptr [006401B0h]
call 00007F3568E2C3F0h
mov eax, dword ptr [00682278h]
mov eax, dword ptr [eax]
call 00007F3568E2C544h
call 00007F3568C26E8Fh
add byte ptr [eax], al
mov al, 04h
add al, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x290000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28b000	0x3a9c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c9000	0x475b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x293000	0x35dcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x292000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28ba14	0x8fc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x28f000	0xce2	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x274c18	0x274e00	68e4c2a381f4345dbbb44ee41c8fa94a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x276000	0x1e3c	0x2000	81fb32b1ce226bae6b5c8fdf4a80376e	False	0.511962890625	data	6.150585523530168	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x278000	0xa59c	0xa600	f80101c37a15ec9291d0930e8a30dc0e	False	0.5673004518072289	data	6.177864641492512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x283000	0x72c8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x28b000	0x3a9c	0x3c00	9795ff32dc393b54c43a05fdbf42b9ac	False	0.3219401041666667	data	5.218146922474968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x28f000	0xce2	0xe00	1c62b6eb4dc46277eff26ad45ad7c4d7	False	0.337890625	data	4.190105521637175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x290000	0x97	0x200	9749a8241934d1ca1139755eb913449b	False	0.251953125	data	1.7561102101709039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x291000	0x54	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x292000	0x5d	0x200	f73729dda1bbfa72002223975ffe4b57	False	0.189453125	data	1.375319454273433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x293000	0x35dcc	0x35e00	c42b5ac91a6b48bda088a98cedc9634a	False	0.5711599115429234	data	6.728160253041536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x2c9000	0x475b4	0x47600	129c8b3bf1bdc6341fa25ac8f34f20a4	False	0.4300877024956217	data	6.824922097379193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2ca53c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x2ca670	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x2ca7a4	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x2ca8d8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x2caa0c	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x2cab40	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x2cac74	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x2cada8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x2cae68	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x2caf48	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x2cb028	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x2cb108	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x2cb1c8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x2cb288	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x2cb368	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x2cb428	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x2cb508	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x2cb5c8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x2cb6a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.6934968017057569
RT_ICON	0x2cc550	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.8055054151624549
RT_ICON	0x2ccdf8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.6560693641618497
RT_ICON	0x2cd360	0x8695	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9864453022958813
RT_ICON	0x2d59f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.38150656571631375
RT_ICON	0x2e6220	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.4750630649569056
RT_ICON	0x2ef6c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.599896265560166
RT_ICON	0x2f1c70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6836303939962477
RT_ICON	0x2f2d18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7978723404255319
RT_STRING	0x2f3180	0x760	data			0.3172669491525424
RT_STRING	0x2f38e0	0xba8	data			0.2272117962466488
RT_STRING	0x2f4488	0x45c	data			0.35842293906810035
RT_STRING	0x2f48e4	0x328	data			0.40470297029702973
RT_STRING	0x2f4c0c	0x454	data			0.40703971119133575
RT_STRING	0x2f5060	0xf0	data			0.6583333333333333
RT_STRING	0x2f5150	0xcc	data			0.6764705882352942
RT_STRING	0x2f521c	0x124	data			0.6027397260273972
RT_STRING	0x2f5340	0x358	data			0.4264018691588785
RT_STRING	0x2f5698	0x3f8	data			0.375
RT_STRING	0x2f5a90	0x3ac	data			0.3829787234042553
RT_STRING	0x2f5e3c	0x4f8	data			0.31446540880503143
RT_STRING	0x2f6334	0x2f4	data			0.3637566137566138
RT_STRING	0x2f6628	0x2e0	data			0.35733695652173914
RT_STRING	0x2f6908	0x3f8	data			0.4005905511811024
RT_STRING	0x2f6d00	0x584	data			0.38526912181303113
RT_STRING	0x2f7284	0x4a8	data			0.3087248322147651
RT_STRING	0x2f772c	0x37c	data			0.39349775784753366
RT_STRING	0x2f7aa8	0x3bc	data			0.32217573221757323
RT_STRING	0x2f7e64	0x40c	data			0.3735521235521235
RT_STRING	0x2f8270	0xf4	data			0.5491803278688525
RT_STRING	0x2f8364	0xc4	data			0.6275510204081632
RT_STRING	0x2f8428	0x268	data			0.48863636363636365
RT_STRING	0x2f8690	0x434	data			0.3308550185873606
RT_STRING	0x2f8ac4	0x360	data			0.3912037037037037
RT_STRING	0x2f8e24	0x2dc	data			0.3770491803278688
RT_STRING	0x2f9100	0x318	data			0.33080808080808083
RT_RCDATA	0x2f9418	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x2fa178	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x2faed0	0xcfc	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003309265944645
RT_RCDATA	0x2fbbcc	0xcd9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033444816053512
RT_RCDATA	0x2fc8a8	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x2fd608	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x2fe360	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x2fefb0	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x2ffc00	0xcb5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033814940055334
RT_RCDATA	0x3008b8	0xcb0	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033866995073892
RT_RCDATA	0x301568	0xd56	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032220269478618
RT_RCDATA	0x3022c0	0xd47	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032362459546926
RT_RCDATA	0x303008	0xdc2	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031232254400908
RT_RCDATA	0x303dcc	0xdc5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031205673758865
RT_RCDATA	0x304b94	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x305888	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x306578	0xda9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031455533314269
RT_RCDATA	0x307324	0xda6	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031482541499714
RT_RCDATA	0x3080cc	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x308dc0	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x309ab0	0x10	data			1.5
RT_RCDATA	0x309ac0	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x30af4c	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x30c06c	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x30cdf8	0x780	data			0.5161458333333333
RT_RCDATA	0x30d578	0x2	data	English	United States	5.0
RT_RCDATA	0x30d57c	0x2644	Delphi compiled form 'TFormMain'			0.27133523887300937
RT_GROUP_CURSOR	0x30fbc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x30fbd4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x30fbe8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x30fbfc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x30fc10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x30fc24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x30fc38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x30fc4c	0x84	data	English	United States	0.6742424242424242
RT_VERSION	0x30fcd0	0x250	data	English	United States	0.4814189189189189
RT_MANIFEST	0x30ff20	0x691	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.40690065437239736

Imports

DLL	Import
wininet.dll	InternetCloseHandle, InternetReadFile, HttpOpenRequestW, HttpSendRequestW, InternetConnectW, InternetOpenW, InternetOpenUrlW, HttpQueryInfoW
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	SHBrowseForFolderW, SHGetSpecialFolderLocation, Shell_NotifyIconW, ShellExecuteExW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetFolderPathW, SHGetMalloc, SHGetDesktopFolder, SHChangeNotify, SHAppBarMessage, ShellExecuteW
user32.dll	MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, ExitWindowsEx, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, FlashWindow, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, SendMessageTimeoutW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	LoadTypeLib, SysFreeString, VariantClear, VariantInit, GetErrorInfo, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType
advapi32.dll	RegSetValueExW, RegConnectRegistryW, OpenThreadToken, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, EqualSid, RegReplaceKeyW, GetTokenInformation, RegCreateKeyExW, RegLoadKeyW, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegRestoreKeyW
msvcrt.dll	memcpy, memset
kernel32.dll	SetFileAttributesW, GetFileType, SetFileTime, QueryDosDeviceW, GetACP, GetExitCodeProcess, CloseHandle, LocalFree, GetCurrentProcessId, GetSystemDefaultLangID, SizeofResource, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, HeapAlloc, ExitProcess, GetCPInfoExW, GetSystemTime, GetLongPathNameW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, lstrlenA, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, GlobalLock, SetThreadPriority, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, SystemTimeToFileTime, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, TzSpecificLocalTimeToSystemTime, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	IsEqualGUID, OleInitialize, OleUninitialize, CoInitialize, CoCreateGuid, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, AddFontResourceW, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, RemoveFontResourceExW, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, AddFontResourceExW, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x471050
__dbk_fcall_wrapper	2	0x4126d8
dbkFCallWrapperAddr	1	0x68663c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:41:00.207323074 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:00.212357044 CEST	22455	49753	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:00.212440014 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:00.215517998 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:00.223222971 CEST	22455	49753	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:00.223278999 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:00.228336096 CEST	22455	49753	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:01.930526972 CEST	22455	49753	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:01.932346106 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.300762892 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.307121992 CEST	22455	49788	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:05.307216883 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.307917118 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.308254957 CEST	49753	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.312728882 CEST	22455	49788	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:05.312796116 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:05.313174009 CEST	22455	49753	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:05.318564892 CEST	22455	49788	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:07.020719051 CEST	22455	49788	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:07.020771027 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.332336903 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.339513063 CEST	22455	49814	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:09.339647055 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.340564966 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.341135979 CEST	49788	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.348381042 CEST	22455	49814	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:09.348438978 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:09.348464012 CEST	22455	49788	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:09.355849028 CEST	22455	49814	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:11.067265034 CEST	22455	49814	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:11.067420959 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.363399982 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.370292902 CEST	22455	49836	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:13.370408058 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.371057034 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.371951103 CEST	49814	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.377968073 CEST	22455	49836	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:13.378041983 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:13.378823042 CEST	22455	49814	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:13.384656906 CEST	22455	49836	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:15.200669050 CEST	22455	49836	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:15.200730085 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.394459963 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.399339914 CEST	22455	49862	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:17.399424076 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.400264978 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.400516987 CEST	49836	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.405397892 CEST	22455	49862	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:17.405457020 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:17.405546904 CEST	22455	49836	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:17.410609007 CEST	22455	49862	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:19.217902899 CEST	22455	49862	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:19.218065023 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.425961018 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.432321072 CEST	22455	49887	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:21.432424068 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.433084965 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.433463097 CEST	49862	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.439956903 CEST	22455	49887	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:21.440022945 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:21.440206051 CEST	22455	49862	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:21.446948051 CEST	22455	49887	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:23.195993900 CEST	22455	49887	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:23.196090937 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.457287073 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.462104082 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:25.462263107 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.470081091 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.471170902 CEST	49887	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.474944115 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:25.475020885 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:25.475929022 CEST	22455	49887	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:25.479827881 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:26.065853119 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:26.070911884 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:26.070992947 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:26.075803995 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:27.175410032 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:27.175503016 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.488234043 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.495275021 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:29.495405912 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.496001005 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.496402025 CEST	49913	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.503062010 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:29.503222942 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:29.503712893 CEST	22455	49913	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:29.510596037 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:31.222316980 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:31.227806091 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:31.228915930 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:31.234549999 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:31.243427038 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:31.245991945 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.535276890 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.542371035 CEST	22455	49969	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:33.542485952 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.543184042 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.543668985 CEST	49943	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.550409079 CEST	22455	49969	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:33.550425053 CEST	22455	49943	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:33.550514936 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:33.556905031 CEST	22455	49969	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:35.271652937 CEST	22455	49969	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:35.271771908 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.566363096 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.574450016 CEST	22455	49980	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:37.574544907 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.575162888 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.575517893 CEST	49969	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.801166058 CEST	22455	49980	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:37.801182032 CEST	22455	49969	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:37.801234007 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:37.808378935 CEST	22455	49980	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:39.308710098 CEST	22455	49980	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:39.308911085 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.598979950 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.605317116 CEST	22455	49981	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:41.605483055 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.606259108 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.606846094 CEST	49980	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.612468958 CEST	22455	49981	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:41.612778902 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:41.612937927 CEST	22455	49980	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:41.619155884 CEST	22455	49981	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:43.355313063 CEST	22455	49981	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:43.355611086 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.629246950 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.637959957 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:45.638109922 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.639017105 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.639579058 CEST	49981	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.647325039 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:45.647470951 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:45.647828102 CEST	22455	49981	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:45.656260014 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:48.223752975 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:48.223844051 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:48.224308014 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:48.224347115 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:48.224541903 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:48.224601030 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:48.227360010 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:48.227402925 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.672207117 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.677728891 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:49.677815914 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.752782106 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.756031990 CEST	49984	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.757745981 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:49.757826090 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:49.760951996 CEST	22455	49984	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:49.764046907 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:50.378582954 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:50.383476973 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:50.383542061 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:50.388381004 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:51.398080111 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:51.398359060 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.785193920 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.792102098 CEST	22455	49986	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:53.792232037 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.792937994 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.793051004 CEST	49985	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.800158978 CEST	22455	49986	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:53.800174952 CEST	22455	49985	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:53.800240040 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:53.807341099 CEST	22455	49986	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:55.543483019 CEST	22455	49986	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:55.543622971 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.843652964 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.848555088 CEST	22455	49987	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:57.848637104 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.852905035 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.853241920 CEST	49986	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.858088970 CEST	22455	49987	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:57.858160973 CEST	22455	49986	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:57.858169079 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:41:57.863063097 CEST	22455	49987	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:59.575078011 CEST	22455	49987	154.21.14.89	192.168.2.7
Oct 8, 2024 00:41:59.575149059 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.879553080 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.884701014 CEST	22455	49988	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:01.884933949 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.885490894 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.885610104 CEST	49987	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.891782999 CEST	22455	49988	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:01.891869068 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:01.892281055 CEST	22455	49987	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:01.896779060 CEST	22455	49988	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:03.621555090 CEST	22455	49988	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:03.621653080 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.910460949 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.917121887 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:05.917299032 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.918497086 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.918731928 CEST	49988	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.924613953 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:05.924710035 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:05.925141096 CEST	22455	49988	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:05.931308985 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:06.143975973 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:06.150660992 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:06.150801897 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:06.157355070 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:07.534625053 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:07.541205883 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:07.541318893 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:07.548794031 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:07.669919968 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:07.670188904 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.942598104 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.950530052 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:09.950702906 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.952562094 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.953114033 CEST	49989	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.959599018 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:09.959728003 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:09.959898949 CEST	22455	49989	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:09.964598894 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:11.315911055 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:11.320867062 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:11.321105957 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:11.325953960 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:11.836005926 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:11.836206913 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.973659992 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.980859041 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:13.981014013 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.983064890 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.983423948 CEST	49990	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.990247011 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:13.990291119 CEST	22455	49990	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:13.990361929 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:13.997875929 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:15.362864017 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:15.370196104 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:15.370343924 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:15.378212929 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:15.744293928 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:15.744462967 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.004868984 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.009989977 CEST	22455	49992	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:18.010183096 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.011961937 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.012315989 CEST	49991	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.016762018 CEST	22455	49992	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:18.016936064 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:18.017086029 CEST	22455	49991	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:18.021823883 CEST	22455	49992	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:19.748555899 CEST	22455	49992	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:19.748893976 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.035476923 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.043226957 CEST	22455	49993	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:22.043364048 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.046264887 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.046420097 CEST	49992	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.052468061 CEST	22455	49993	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:22.052551031 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:22.052952051 CEST	22455	49992	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:22.060986042 CEST	22455	49993	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:23.757072926 CEST	22455	49993	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:23.757205963 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.083635092 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.090312958 CEST	22455	49994	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:26.090512037 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.092386961 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.092802048 CEST	49993	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.099163055 CEST	22455	49994	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:26.099282026 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:26.099728107 CEST	22455	49993	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:26.105859995 CEST	22455	49994	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:27.954169035 CEST	22455	49994	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:27.954289913 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.145150900 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.152242899 CEST	22455	49995	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:30.152319908 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.153291941 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.153400898 CEST	49994	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.159634113 CEST	22455	49995	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:30.159646034 CEST	22455	49994	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:30.159697056 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:30.166832924 CEST	22455	49995	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:31.887953997 CEST	22455	49995	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:31.888075113 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.177548885 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.182620049 CEST	22455	49996	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:34.182796001 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.184586048 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.184951067 CEST	49995	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.189817905 CEST	22455	49996	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:34.189920902 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:34.190114021 CEST	22455	49995	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:34.195200920 CEST	22455	49996	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:35.915709972 CEST	22455	49996	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:35.915851116 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.207089901 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.430330992 CEST	22455	49997	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:38.430506945 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.464771986 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.464898109 CEST	49996	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.471230984 CEST	22455	49997	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:38.471266031 CEST	22455	49996	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:38.471344948 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:38.478051901 CEST	22455	49997	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:40.180012941 CEST	22455	49997	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:40.180236101 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.488516092 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.493479013 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:42.493582010 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.494256973 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.494376898 CEST	49997	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.499263048 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:42.499317884 CEST	22455	49997	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:42.499363899 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:42.504385948 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:43.019047022 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:43.024228096 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:43.026163101 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:43.030977964 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:44.228851080 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:44.228916883 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.520327091 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.525150061 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:46.525306940 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.526149035 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.526292086 CEST	49998	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.530934095 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:46.531006098 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:46.531121016 CEST	22455	49998	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:46.535872936 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:47.644309998 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:47.649276018 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:47.649365902 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:47.654370070 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:48.277458906 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:48.277522087 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.551039934 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.578007936 CEST	22455	50000	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:50.578114986 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.579092979 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.579221964 CEST	49999	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.586771011 CEST	22455	50000	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:50.586801052 CEST	22455	49999	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:50.586853027 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:50.593369961 CEST	22455	50000	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:52.304307938 CEST	22455	50000	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:52.304426908 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.598572016 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.605148077 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:54.605340958 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.607132912 CEST	50000	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.607156992 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.613756895 CEST	22455	50000	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:54.615416050 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:54.615541935 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.622865915 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:54.675787926 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.682909966 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:54.683238983 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:54.689757109 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:56.323116064 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:56.323251009 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.652652025 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.831301928 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:58.831520081 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.910175085 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.910309076 CEST	50001	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.917818069 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:58.917836905 CEST	22455	50001	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:58.917880058 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:58.924997091 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:59.722186089 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:59.728924990 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:42:59.729038000 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:42:59.735636950 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:00.556129932 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:00.556272030 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.943176031 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.950645924 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:02.950803041 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.952452898 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.952773094 CEST	50002	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.959459066 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:02.959621906 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:02.959980011 CEST	22455	50002	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:02.967128992 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:04.081720114 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:04.393876076 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:04.779478073 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:04.779494047 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:04.780194044 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:04.780428886 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.972920895 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.980966091 CEST	22455	50004	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:06.981089115 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.981836081 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.982000113 CEST	50003	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.989895105 CEST	22455	50004	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:06.989972115 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:06.991456032 CEST	22455	50003	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:06.998342037 CEST	22455	50004	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:08.718144894 CEST	22455	50004	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:08.718399048 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.004057884 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.012013912 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:11.012176037 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.013087034 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.013257027 CEST	50004	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.021222115 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:11.021234989 CEST	22455	50004	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:11.021312952 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.029788971 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:11.910665035 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.918864965 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:11.918967009 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:11.927807093 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:12.727941036 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:12.728055000 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.036494970 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.044564009 CEST	22455	50006	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:15.044763088 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.046660900 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.047072887 CEST	50005	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.054522038 CEST	22455	50006	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:15.054620028 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:15.055116892 CEST	22455	50005	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:15.062197924 CEST	22455	50006	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:16.790770054 CEST	22455	50006	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:16.790884018 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.066585064 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.074429989 CEST	22455	50007	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:19.074529886 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.075370073 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.075679064 CEST	50006	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.083633900 CEST	22455	50007	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:19.083697081 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:19.083991051 CEST	22455	50006	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:19.091959953 CEST	22455	50007	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:20.940979958 CEST	22455	50007	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:20.941042900 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.099164009 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.107760906 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:23.107888937 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.108536959 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.108661890 CEST	50007	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.116492033 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:23.116525888 CEST	22455	50007	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:23.116585970 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:23.124288082 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:24.895241022 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:24.895344019 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:25.241080999 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:25.241221905 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.129286051 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.137408018 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:27.137510061 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.138207912 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.138365984 CEST	50008	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.146596909 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:27.146610022 CEST	22455	50008	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:27.146694899 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:27.154405117 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:28.347848892 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:28.523505926 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:28.523622036 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:28.532996893 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:28.872560978 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:28.872720957 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.160636902 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.168732882 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:31.168919086 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.170840025 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.171171904 CEST	50009	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.179192066 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:31.179208040 CEST	22455	50009	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:31.179322958 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:31.187788963 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:32.753741026 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:32.763503075 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:32.763627052 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:32.771168947 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:32.902139902 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:32.902367115 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.192303896 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.200843096 CEST	22455	50011	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:35.201359987 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.201893091 CEST	50010	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.202002048 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.208586931 CEST	22455	50010	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:35.208695889 CEST	22455	50011	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:35.208789110 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:35.215137959 CEST	22455	50011	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:36.947031975 CEST	22455	50011	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:36.947165012 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.222986937 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.227946043 CEST	22455	50012	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:39.228044987 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.228677034 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.228810072 CEST	50011	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.233426094 CEST	22455	50012	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:39.233498096 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:39.233614922 CEST	22455	50011	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:39.238435984 CEST	22455	50012	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:40.948730946 CEST	22455	50012	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:40.948852062 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.281338930 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.286221981 CEST	22455	50013	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:43.290170908 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.298983097 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.302591085 CEST	50012	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.303805113 CEST	22455	50013	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:43.303881884 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:43.307581902 CEST	22455	50012	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:43.308830976 CEST	22455	50013	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:45.031501055 CEST	22455	50013	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:45.032573938 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.363521099 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.368451118 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:47.368596077 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.373270988 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.373400927 CEST	50013	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.378011942 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:47.378182888 CEST	22455	50013	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:47.378221989 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:47.383017063 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:48.331779957 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:48.340662003 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:48.340718031 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:48.348340988 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:49.255762100 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:49.255846977 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.395212889 CEST	50015	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.401185989 CEST	22455	50015	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:51.401305914 CEST	50015	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.402077913 CEST	50015	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.402225018 CEST	50014	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.408272028 CEST	22455	50015	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:51.408289909 CEST	22455	50014	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:51.408390045 CEST	50015	22455	192.168.2.7	154.21.14.89
Oct 8, 2024 00:43:51.413885117 CEST	22455	50015	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:53.196394920 CEST	22455	50015	154.21.14.89	192.168.2.7
Oct 8, 2024 00:43:53.196504116 CEST	50015	22455	192.168.2.7	154.21.14.89

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:41:00.191730976 CEST	50982	53	192.168.2.7	1.1.1.1
Oct 8, 2024 00:41:00.204094887 CEST	53	50982	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 00:41:00.191730976 CEST	192.168.2.7	1.1.1.1	0x24aa	Standard query (0)	gibbooc2.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 00:41:00.204094887 CEST	1.1.1.1	192.168.2.7	0x24aa	No error (0)	gibbooc2.com		154.21.14.89	A (IP address)	IN (0x0001)	false

Target ID:	5
Start time:	18:40:46
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe"
Imagebase:	0x330000
File size:	4'284'934 bytes
MD5 hash:	005245FCBCA50A836235392C802198A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	18:40:47
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\HitPawInfo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"
Imagebase:	0x7ff7973f0000
File size:	500'488 bytes
MD5 hash:	00CED89A573AD1E1F96C94C763222E1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	18:40:54
Start date:	07/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	ResPrompt.dll
Imagebase:	0x7ff62cef0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	18:40:54
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6652 -s 524
Imagebase:	0x7ff66b850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	18:40:55
Start date:	07/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s ResPrompt.dll
Imagebase:	0x7ff62cef0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	18:40:55
Start date:	07/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Imagebase:	0x7ff776990000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	18:40:55
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	20:10:00
Start date:	07/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s ResPrompt.dll
Imagebase:	0x7ff62cef0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true