Edit tour

Windows Analysis Report
5fnrWlGa3H.exe

Overview

General Information

Sample name:	5fnrWlGa3H.exe renamed because original name is a hash value
Original sample name:	36E570B7964F458F06DC81B29802E947.exe
Analysis ID:	1528937
MD5:	36e570b7964f458f06dc81b29802e947
SHA1:	3d26217dbe9f6c2ab2c78f879e348958f304527c
SHA256:	0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
Tags:	exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5fnrWlGa3H.exe (PID: 4320 cmdline: "C:\Users\user\Desktop\5fnrWlGa3H.exe" MD5: 36E570B7964F458F06DC81B29802E947)

5fnrWlGa3H.exe (PID: 6564 cmdline: C:\Users\user\Desktop\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

5fnrWlGa3H.exe (PID: 6640 cmdline: "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe" MD5: 36E570B7964F458F06DC81B29802E947)

5fnrWlGa3H.exe (PID: 2200 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

WerFault.exe (PID: 4748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 84 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5fnrWlGa3H.exe (PID: 6604 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

5fnrWlGa3H.exe (PID: 5036 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

5fnrWlGa3H.exe (PID: 7132 cmdline: C:\Users\user\Desktop\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

WerFault.exe (PID: 4308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5fnrWlGa3H.exe (PID: 5492 cmdline: C:\Users\user\Desktop\5fnrWlGa3H.exe MD5: 36E570B7964F458F06DC81B29802E947)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "87.120.116.119", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000003.00000002.4530137278.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: 5fnrWlGa3H.exe PID: 4320	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: 5fnrWlGa3H.exe PID: 6564	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: 5fnrWlGa3H.exe PID: 5492	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 5fnrWlGa3H.exe PID: 6640	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.5fnrWlGa3H.exe.318b08c.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0.2.5fnrWlGa3H.exe.2f0a99c.2.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
1.2.5fnrWlGa3H.exe.400000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
3.2.5fnrWlGa3H.exe.64a0000.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.5fnrWlGa3H.exe.64a0000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T13:45:36.638818+0200	2050110	1	Malware Command and Control Activity Detected	87.120.116.119	1380	192.168.2.5	62185	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5fnrWlGa3H.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 1.2.5fnrWlGa3H.exe.400000.0.unpack

Malware Configuration Extractor: XenoRAT {"C2 url": "87.120.116.119", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 5fnrWlGa3H.exe	Virustotal: Detection: 59%			Perma Link
Source: 5fnrWlGa3H.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5fnrWlGa3H.exe

Joe Sandbox ML: detected

Source: 5fnrWlGa3H.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5fnrWlGa3H.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.costura.pdb.compressed source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $jq&costura.xeno rat client.pdb.compressed4'jq source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 4x nop then jmp 01AA17B0h	1_2_01AA0B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 4x nop then jmp 02C817B0h	3_2_02C80B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02C8D021
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02C8817A
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 4x nop then jmp 051117B0h	10_2_05110B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 4x nop then jmp 00EC17B0h	12_2_00EC0B60

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 87.120.116.119:1380 -> 192.168.2.5:62185

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.116.119

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 87.120.116.119:1380

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.119

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: 5fnrWlGa3H.exe, 0000000C.00000002.2063581045.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: zoiygpwj.rc5.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

PE file contains section with special chars

Source: 5fnrWlGa3H.exe	Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: section name: !KZr-E>K

PE file has nameless sections

Source: 5fnrWlGa3H.exe	Static PE information: section name:
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F90D8 NtReadVirtualMemory,	7_2_055F90D8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F94B0 NtWriteVirtualMemory,	7_2_055F94B0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F9608 NtSetContextThread,	7_2_055F9608
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F9290 NtResumeThread,	7_2_055F9290
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F90D1 NtReadVirtualMemory,	7_2_055F90D1
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F94A8 NtWriteVirtualMemory,	7_2_055F94A8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F9600 NtSetContextThread,	7_2_055F9600
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F9288 NtResumeThread,	7_2_055F9288

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_02EE3CA0	0_2_02EE3CA0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C2D38	0_2_010C2D38
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6DD8	0_2_010C6DD8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010CBDD0	0_2_010CBDD0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C24A0	0_2_010C24A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C08F8	0_2_010C08F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C3750	0_2_010C3750
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010CC638	0_2_010CC638
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C4650	0_2_010C4650
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010CC2A0	0_2_010CC2A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6949	0_2_010C6949
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6958	0_2_010C6958
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C1958	0_2_010C1958
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C4559	0_2_010C4559
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010CB198	0_2_010CB198
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C240A	0_2_010C240A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C7810	0_2_010C7810
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6069	0_2_010C6069
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6078	0_2_010C6078
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C54E8	0_2_010C54E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C54F8	0_2_010C54F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C2770	0_2_010C2770
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6BC1	0_2_010C6BC1
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C6BD0	0_2_010C6BD0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C66D8	0_2_010C66D8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 0_2_010C66E8	0_2_010C66E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 1_2_01AA0B60	1_2_01AA0B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C80B60	3_2_02C80B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87898	3_2_02C87898
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8B8A0	3_2_02C8B8A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8C6D0	3_2_02C8C6D0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C82760	3_2_02C82760
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8DC80	3_2_02C8DC80
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C85C7B	3_2_02C85C7B
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8E5F0	3_2_02C8E5F0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C83D60	3_2_02C83D60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8ED18	3_2_02C8ED18
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8AF50	3_2_02C8AF50
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C82757	3_2_02C82757
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8DC73	3_2_02C8DC73
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D012E8	3_2_02D012E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D00278	3_2_02D00278
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0F09A	3_2_02D0F09A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0AAE0	3_2_02D0AAE0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0FB08	3_2_02D0FB08
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D029F8	3_2_02D029F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D05968	3_2_02D05968
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D02F39	3_2_02D02F39
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D04C10	3_2_02D04C10
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D012DB	3_2_02D012DB
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0026B	3_2_02D0026B
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0E5D0	3_2_02D0E5D0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01602D38	7_2_01602D38
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_0160BDD0	7_2_0160BDD0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606DD8	7_2_01606DD8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016008F8	7_2_016008F8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016024A0	7_2_016024A0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01602770	7_2_01602770
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01603750	7_2_01603750
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01604650	7_2_01604650
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_0160C638	7_2_0160C638
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_0160C2A0	7_2_0160C2A0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606949	7_2_01606949
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606958	7_2_01606958
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01601958	7_2_01601958
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01604559	7_2_01604559
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_0160B198	7_2_0160B198
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606069	7_2_01606069
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606078	7_2_01606078
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01602409	7_2_01602409
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016054E8	7_2_016054E8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016054F8	7_2_016054F8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606BC1	7_2_01606BC1
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_01606BD0	7_2_01606BD0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016066E8	7_2_016066E8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_016066D8	7_2_016066D8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055FA9D0	7_2_055FA9D0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F8060	7_2_055F8060
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055FAE70	7_2_055FAE70
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F6EC8	7_2_055F6EC8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055FA9C0	7_2_055FA9C0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F3C90	7_2_055F3C90
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F3CA0	7_2_055F3CA0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F9770	7_2_055F9770
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F976F	7_2_055F976F
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F7FE2	7_2_055F7FE2
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F37B8	7_2_055F37B8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055FAE60	7_2_055FAE60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055FAE20	7_2_055FAE20
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 7_2_055F6EB8	7_2_055F6EB8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 10_2_05110B60	10_2_05110B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Code function: 12_2_00EC0B60	12_2_00EC0B60

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80

Source: 5fnrWlGa3H.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000000.2041304346.0000000000A92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2058476458.00000000010DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000001.00000002.2051574960.00000000015EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000001.00000002.2050162445.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBouncyCastle.Crypto.dllP vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000003.00000002.4531740504.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBouncyCastle.Crypto.dllP vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2064568243.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe	Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe.1.dr	Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe

Source: 5fnrWlGa3H.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5fnrWlGa3H.exe	Static PE information: Section: !KZr-E>K ZLIB complexity 1.0003727956431536
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: Section: !KZr-E>K ZLIB complexity 1.0003727956431536

Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/13@1/1

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5fnrWlGa3H.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2200

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File created: C:\Users\user\AppData\Local\Temp\a3mi0qv1.bas

Jump to behavior

Source: 5fnrWlGa3H.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003212000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003292000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003202000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.000000000329E000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003220000.00000004.00000800.00020000.00000000.sdmp, 2tif1pqf.0vs.3.dr, a3mi0qv1.bas.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 5fnrWlGa3H.exe	Virustotal: Detection: 59%
Source: 5fnrWlGa3H.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File read: C:\Users\user\Desktop\5fnrWlGa3H.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe "C:\Users\user\Desktop\5fnrWlGa3H.exe"
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 84
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 5fnrWlGa3H.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 5fnrWlGa3H.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.costura.pdb.compressed source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $jq&costura.xeno rat client.pdb.compressed4'jq source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Unpacked PE file: 0.2.5fnrWlGa3H.exe.a70000.0.unpack !KZr-E>K:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler
Source: 3.2.5fnrWlGa3H.exe.64a0000.1.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.5fnrWlGa3H.exe.64a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.5fnrWlGa3H.exe.64a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4530137278.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 5492, type: MEMORYSTR

Source: 5fnrWlGa3H.exe	Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe	Static PE information: section name:
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87248 push esp; retf	3_2_02C8724A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8A384 push 691402CBh; retf	3_2_02C8A38A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86B91 push ecx; retf	3_2_02C86B92
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86B29 push ecx; retf	3_2_02C86B2A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86B2B push eax; retf	3_2_02C86B32
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8708B push ebx; retf	3_2_02C87092
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87087 push ebx; retf	3_2_02C8708A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C871B8 push esp; retf	3_2_02C871BA
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87173 push esp; retf	3_2_02C8717A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C88EFC pushfd ; retf	3_2_02C88EFD
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86E98 push ebx; retf	3_2_02C86E9A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87E78 pushad ; retf	3_2_02C87E7A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86E30 push edx; retf	3_2_02C86E32
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86E33 push edx; retf	3_2_02C86E3A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C89F44 push 686802CBh; retf	3_2_02C89F4A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C874EF push esi; retf	3_2_02C874F2
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C87419 push esi; retf	3_2_02C8741A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8741B push esi; retf	3_2_02C87422
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86D40 push edx; retf	3_2_02C86D42
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8257B push ds; retf	3_2_02C82582
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C86D01 push edx; retf	3_2_02C86D02
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02C8752B push edi; retf	3_2_02C87532
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0EDB8 pushad ; iretd	3_2_02D0F095
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0747F push C3059489h; ret	3_2_02D074B8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Code function: 3_2_02D0DAD2 pushad ; ret	3_2_02D0DAD9

Source: 5fnrWlGa3H.exe	Static PE information: section name: !KZr-E>K entropy: 7.998540652452658
Source: 5fnrWlGa3H.exe.1.dr	Static PE information: section name: !KZr-E>K entropy: 7.998540652452658

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

Jump to dropped file

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 5440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 6570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 7570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 78C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 88C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 52D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory allocated: 4E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 6830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 6960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 7CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 8CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Window / User API: threadDelayed 8698			Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Window / User API: threadDelayed 1135			Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 1900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 6596	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 2672	Thread sleep count: 8698 > 30	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 2672	Thread sleep count: 1135 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 4672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 6220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wqr5mayt.mmg.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wqr5mayt.mmg.3.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: wqr5mayt.mmg.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wqr5mayt.mmg.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wqr5mayt.mmg.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: wqr5mayt.mmg.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wqr5mayt.mmg.3.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wqr5mayt.mmg.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 5fnrWlGa3H.exe, 00000003.00000002.4523467453.00000000011B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wqr5mayt.mmg.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wqr5mayt.mmg.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wqr5mayt.mmg.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wqr5mayt.mmg.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wqr5mayt.mmg.3.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wqr5mayt.mmg.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 5fnrWlGa3H.exe	Binary or memory string: hy0ZI63i+QfA4mtukVRrITaMl9cgwO/8MKxwEKCjXLQCy/eh4xfjMbVGFhmK6O57QC3ICgu3+eAUuR7zfjJBR9zPYuJ7f+YphXJfEfvxVAeHNbvL4je7N3K3EGszqye3biSRz+YyawckoaCfbGmlw4D3KRowK4ZxkenxO0np3WQq22cUAV3MnLBn5dQEmU0rubgeo/K5MSI9t8s/FpJHXckcxVbz4kXcMHKI4Z0RkIkYlXIeFflbxjSDlxfjwc+9ZtXA
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 5fnrWlGa3H.exe	Binary or memory string: pHYzpyIJOq9oTHm99JGwB3Z9PrCF+xLcZmHd6rCqGQorLMi3YrJ4ummlFgNiVT7xcNlQqtQGohZQ59uF9oFhemscUskr6KM8GqhAjrlVmCiTzWFjohYe4Cz74yTcoe9aXdwX2qU39pL8XA6/2Wt1Ib7UbSuH9r6M4/mJYamu5jvsUBEi4AqNR/dEo3++FIo0ZHk3kv0IVNskH0RBZ2Zl5bP4LIpTX2FRTyMuQ+hLu5IhsS5Txp9aM4xWBCD+WRVImvqZ
Source: wqr5mayt.mmg.3.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: wqr5mayt.mmg.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wqr5mayt.mmg.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory written: C:\Users\user\Desktop\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Memory written: C:\Users\user\Desktop\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory written: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Memory written: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 5fnrWlGa3H.exe, 00000003.00000002.4523467453.00000000011B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: 7.2.5fnrWlGa3H.exe.318b08c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.5fnrWlGa3H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 4320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6640, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: 7.2.5fnrWlGa3H.exe.318b08c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.5fnrWlGa3H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 4320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6640, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	131 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5fnrWlGa3H.exe	59%	Virustotal		Browse
5fnrWlGa3H.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
5fnrWlGa3H.exe	100%	Avira	TR/Dropper.Gen
5fnrWlGa3H.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
87.120.116.119	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
http://go.microsoft.c	5fnrWlGa3H.exe, 0000000C.00000002.2063581045.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	zoiygpwj.rc5.3.dr	false		unknown
https://www.ecosia.org/newtab/	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	zoiygpwj.rc5.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.116.119	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528937
Start date and time:	2024-10-08 13:42:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5fnrWlGa3H.exe renamed because original name is a hash value
Original Sample Name:	36E570B7964F458F06DC81B29802E947.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/13@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 154 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 5fnrWlGa3H.exe, PID 5036 because it is empty
Execution Graph export aborted for target 5fnrWlGa3H.exe, PID 6564 because it is empty
Execution Graph export aborted for target 5fnrWlGa3H.exe, PID 6604 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:43:03	API Interceptor	11213805x Sleep call for process: 5fnrWlGa3H.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	https://z168563365.cloud/	Get hash	malicious	Unknown	Browse	87.120.117.199
	http://ak437453-76542337354.com/	Get hash	malicious	Unknown	Browse	87.120.117.199
	https://ak-45k430083237-akbn.com/	Get hash	malicious	Unknown	Browse	87.120.117.199
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	87.120.112.80
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	83.97.73.44
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	83.97.73.44
	bomb.bin.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, Fabookie, LummaC Stealer, PureLog Stealer, RedLine	Browse	83.97.73.44
	http://83.97.73.87	Get hash	malicious	Unknown	Browse	83.97.73.87
	s9NHSv02oh.exe	Get hash	malicious	Amadey, Healer AV Disabler, RedLine	Browse	83.97.73.127
	So4DNHATbK.exe	Get hash	malicious	Amadey, RedLine	Browse	83.97.73.130

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAt92n4M9XKbbDLI4MWuPJKAVKhav:ML9E4Ke84qXKDE4KhKiKhk
MD5:	08B391CB8E70DAE45E693F5AEFF97240
SHA1:	3D9B7C574393BC5E42C3F5BD802DA891EAC2A86C
SHA-256:	E8723F906E58446CB7375D96D654DDF02AC17662F53DBB965C845999E1016628
SHA-512:	73266735B86824221433C5585969ABDACAFEBF1D6FF7FE0D4EAF6299060373D7C041B52BF99E6CD1FA33173B0D60AE4417AA6F0850BAE5C8CCBB52D700644E35
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\1hhrgjc2.tor

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2tif1pqf.0vs

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\a3mi0qv1.bas

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dgbhmv4f.xlt

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mguezme5.xtc

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p405dcok.vya

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\srm3hadz.ivn

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wqr5mayt.mmg

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zoiygpwj.rc5

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zvhdt0ay.gqh

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	modified
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	187392
Entropy (8bit):	7.439991489878118
Encrypted:	false
SSDEEP:	3072:vmXhVaFmIuuXsb0+sMAxUNb8IYaqhObXeEFkXGQYdq7guNDFtmI:vW/FHotDMA6Nb8IYa8ObvFkXGQYdq7gc
MD5:	36E570B7964F458F06DC81B29802E947
SHA1:	3D26217DBE9F6C2AB2C78F879E348958F304527C
SHA-256:	0522D7E6B3FC2FBD36F0D8145DE8B564146188D515099D7661DE3B4D82E287F4
SHA-512:	C8045BD9838D415CA3BDC5E39B4E13F796E7F12BB6BA83121324084C75C58C621C2CEB9FBAE051908AA582CF3C949BF677856E4272C7CD35427094695D1490E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............P..............@... ... ....@.. .......................`............`..................................'..W.......8.................... .......................................................@............... ..H...........!KZr-E>KL.... ......................@....text........ ...................... ..`.rsrc...8...........................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5fnrWlGa3H.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.439991489878118
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	5fnrWlGa3H.exe
File size:	187'392 bytes
MD5:	36e570b7964f458f06dc81b29802e947
SHA1:	3d26217dbe9f6c2ab2c78f879e348958f304527c
SHA256:	0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
SHA512:	c8045bd9838d415ca3bdc5e39b4e13f796e7f12bb6ba83121324084c75c58c621c2ceb9fbae051908aa582cf3c949bf677856e4272c7cd35427094695d1490e0
SSDEEP:	3072:vmXhVaFmIuuXsb0+sMAxUNb8IYaqhObXeEFkXGQYdq7guNDFtmI:vW/FHotDMA6Nb8IYa8ObvFkXGQYdq7gc
TLSH:	E804E69C726076EEC857D072DEA86D64FA6078BB831F4613A46715ADEE0D887CF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............P..............@... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	acacacee22222736

Static PE Info

General

Entrypoint:	0x43400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67001AAD [Fri Oct 4 16:41:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00434000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x22794	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x1238	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x34000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x22000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
!KZr-E>K	0x2000	0x1e14c	0x1e200	f41a355abf38a2c6e817b0a052ebee0a	False	1.0003727956431536	data	7.998540652452658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x22000	0xdc18	0xde00	466ae6c618ef8e14b194e649824bc639	False	0.37918778153153154	data	4.871659499239213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x1238	0x1400	de4d7e2cbbb9022243ce402970697c53	False	0.283984375	data	4.51104571565989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0xc	0x200	91840e499f62c8a5bca414c133ca0d9f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x34000	0x10	0x200	1287f32f628dcd3d15597a97e95be0f9	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x30130	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.09131205673758866
RT_GROUP_ICON	0x30598	0x14	data	1.1
RT_VERSION	0x305ac	0x3b8	COM executable for DOS	0.38445378151260506
RT_MANIFEST	0x30964	0x8d3	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3935369632580788

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T13:45:36.638818+0200	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	87.120.116.119	1380	192.168.2.5	62185	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 13:43:02.843908072 CEST	49704	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:02.849538088 CEST	1380	49704	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:02.849615097 CEST	49704	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:04.464624882 CEST	1380	49704	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:04.464720964 CEST	49704	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:14.472887993 CEST	49710	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:14.477754116 CEST	1380	49710	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:14.477827072 CEST	49710	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:16.073607922 CEST	1380	49710	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:16.073674917 CEST	49710	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:26.066318035 CEST	49783	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:26.074507952 CEST	1380	49783	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:26.074592113 CEST	49783	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:27.682579041 CEST	1380	49783	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:27.682761908 CEST	49783	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:37.691668987 CEST	62046	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:37.696584940 CEST	1380	62046	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:37.696692944 CEST	62046	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:39.295036077 CEST	1380	62046	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:39.295113087 CEST	62046	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:49.300929070 CEST	62118	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:49.307957888 CEST	1380	62118	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:49.308085918 CEST	62118	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:43:50.940496922 CEST	1380	62118	87.120.116.119	192.168.2.5
Oct 8, 2024 13:43:50.940567970 CEST	62118	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:00.959826946 CEST	62173	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:00.964941025 CEST	1380	62173	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:00.965028048 CEST	62173	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:02.574632883 CEST	1380	62173	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:02.574770927 CEST	62173	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:12.581429005 CEST	62174	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:12.586579084 CEST	1380	62174	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:12.586689949 CEST	62174	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:14.202918053 CEST	1380	62174	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:14.203089952 CEST	62174	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:24.206902027 CEST	62175	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:24.212482929 CEST	1380	62175	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:24.214272022 CEST	62175	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:25.844295025 CEST	1380	62175	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:25.844410896 CEST	62175	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:35.844194889 CEST	62176	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:35.849123001 CEST	1380	62176	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:35.850033998 CEST	62176	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:37.534392118 CEST	1380	62176	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:37.535414934 CEST	62176	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:41.738291979 CEST	62177	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:41.743529081 CEST	1380	62177	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:41.743619919 CEST	62177	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:43.359772921 CEST	1380	62177	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:43.363420963 CEST	62177	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:43.816699028 CEST	62178	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:43.821722031 CEST	1380	62178	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:43.821799994 CEST	62178	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:45.418607950 CEST	1380	62178	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:45.418697119 CEST	62178	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:50.816694975 CEST	62179	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:50.821616888 CEST	1380	62179	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:50.821754932 CEST	62179	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:44:52.438040018 CEST	1380	62179	87.120.116.119	192.168.2.5
Oct 8, 2024 13:44:52.439188004 CEST	62179	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:02.436079979 CEST	62180	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:02.441061020 CEST	1380	62180	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:02.441154003 CEST	62180	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:04.064802885 CEST	1380	62180	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:04.066411972 CEST	62180	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:13.504074097 CEST	62181	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:13.509597063 CEST	1380	62181	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:13.509687901 CEST	62181	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:15.125845909 CEST	1380	62181	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:15.125961065 CEST	62181	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:25.115657091 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:25.120805025 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:25.120893002 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:25.706526995 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:25.720776081 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:25.725784063 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:25.900736094 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:25.903207064 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:25.908121109 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.266669035 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.266876936 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.266911983 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.269263983 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:26.401000023 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:26.405946016 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.586412907 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.589613914 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:26.594412088 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:26.594548941 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:26.628757000 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.174062014 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.176084042 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.181451082 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.353730917 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.358110905 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.358700037 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.359390974 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.359989882 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:27.363002062 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.363540888 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.364145041 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:27.364883900 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:28.675812960 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:28.676187038 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:28.679704905 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:28.680742979 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:28.684794903 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:28.685961962 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:28.686053991 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:28.722465038 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.242453098 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.244520903 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.249789953 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.414056063 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.418749094 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.419323921 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.419831038 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.420479059 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.423621893 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.424207926 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.424577951 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.425440073 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.859446049 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:29.863454103 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:29.868443012 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:30.642482042 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:30.644715071 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:30.645859957 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:30.650016069 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:30.650754929 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:30.650881052 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:30.654913902 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:30.691375017 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.047954082 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.049171925 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.055192947 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.219127893 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.220824003 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.225784063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.391525030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.393155098 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.393765926 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.394644976 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.395067930 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:31.398349047 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.398586035 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.399513960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:31.399945974 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:32.234448910 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:32.235763073 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:32.240756989 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:32.577121973 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:32.629122019 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:32.707237959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:32.708733082 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:32.713602066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:33.084412098 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:33.084544897 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:33.084728003 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:33.091434956 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:33.098485947 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:33.421857119 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:33.423928976 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:33.429053068 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:34.608892918 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:34.610238075 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:34.615665913 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:35.415126085 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:35.421283007 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:35.426294088 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638642073 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638688087 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638720989 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638751984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638784885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638789892 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.638818026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638851881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638884068 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638916016 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638940096 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.638940096 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.638950109 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.638983011 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.639261007 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.639267921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.639301062 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.639333010 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.639353991 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.691287994 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.726000071 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.726155043 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.726188898 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.726214886 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.726223946 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.726277113 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.730910063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.730962038 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.731017113 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.731050014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.731087923 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.731115103 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.735671997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.735706091 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.735801935 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.735934973 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.735969067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.736020088 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.740463018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.740498066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.740530014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.740582943 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.740731955 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.740766048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.740787029 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.745237112 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.745273113 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.745296955 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.745438099 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.745471954 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.745497942 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.745503902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.745560884 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.793298006 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.793333054 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.793366909 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.793442965 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.813333035 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.813370943 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.813410997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.813442945 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.813527107 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.813527107 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.818099976 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.818135023 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.818336964 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.818370104 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.818813086 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.822927952 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.822962046 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.823035002 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.823100090 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.823133945 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.823170900 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.823187113 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.823229074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.827712059 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.827745914 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.827814102 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.827826023 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.827858925 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.827913046 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.832489967 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.832561016 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.832592010 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.832616091 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.832623959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.832782030 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.837249041 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.837322950 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.837352991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.837378025 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.837383986 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.837416887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.837435961 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.842016935 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.842048883 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.842077017 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.842082024 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.842138052 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.867881060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.867914915 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.867945910 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.867964029 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.867979050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868011951 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868093967 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868153095 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.868153095 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.868396044 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868444920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868477106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868493080 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.868509054 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868541002 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868558884 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.868575096 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.868621111 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.869201899 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.869529009 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.869594097 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.879895926 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.879928112 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.879982948 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.879996061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.880028009 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.880060911 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.880080938 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.900963068 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901004076 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901038885 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.901057959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901093006 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901125908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901163101 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901196957 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901269913 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.901269913 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.901269913 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.901731014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901765108 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901798010 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.901814938 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.902092934 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902142048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902151108 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.902179003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902210951 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902229071 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.902245045 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902306080 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.902915001 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902964115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.902997971 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903017044 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.903032064 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903065920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903084040 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.903776884 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903825045 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903835058 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.903858900 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903889894 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903909922 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.903923035 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.903984070 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.904692888 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.904726028 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.904757977 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.904778004 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.904791117 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.904822111 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.904836893 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.905502081 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.905534983 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.905564070 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.905567884 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.905601025 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.905617952 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.943296909 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943376064 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.943483114 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943515062 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943562031 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.943566084 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943600893 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943633080 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943650007 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.943667889 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.943718910 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.944226980 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.944276094 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.944308996 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.944329977 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.944340944 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.944375992 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.944390059 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.945013046 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.945046902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.945075989 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.945077896 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.945141077 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.955456018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955537081 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955571890 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955602884 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.955604076 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955638885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955761909 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.955786943 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.955857992 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.955977917 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956036091 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956079006 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956085920 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.956115007 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956150055 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956167936 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.956845999 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956902981 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.956914902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956949949 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956981897 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.956999063 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.957015991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957073927 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.957705021 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957844019 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957876921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957895994 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.957911015 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957942963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.957957983 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.958564997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.958615065 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.958625078 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.958651066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.958683014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.958705902 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.958715916 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.958775043 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.959420919 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.959453106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.959523916 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.967276096 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967324972 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967394114 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.967406988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967442036 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967473984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967494011 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.967506886 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967538118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967559099 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.967571974 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967603922 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967628956 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.967636108 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.967686892 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.968103886 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989476919 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989554882 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989578962 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989629984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989662886 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989687920 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989696980 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989728928 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989761114 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989761114 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989794016 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989809990 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989825964 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989856958 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989872932 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989888906 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989921093 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989938974 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.989954948 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.989986897 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990014076 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.990020037 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990108013 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990119934 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.990309000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990369081 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.990408897 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990457058 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990489960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990502119 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.990521908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990555048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990566969 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.990617037 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990648985 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.990658998 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.991267920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.991318941 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.991326094 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.991369963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.991416931 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:36.991430044 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.991458893 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:36.991518974 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.019474030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019507885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019540071 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019571066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019572973 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.019604921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019623995 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.019637108 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019671917 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019685030 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.019704103 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019736052 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019750118 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.019769907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019804955 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.019815922 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.020106077 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020137072 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020164013 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.020186901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020219088 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020236969 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.020252943 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020284891 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020304918 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.020318031 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020351887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.020370960 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.021020889 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021070957 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021081924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.021105051 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021153927 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021155119 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.021188974 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021220922 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021236897 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.021254063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021289110 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.021303892 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.022140026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.022241116 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.022244930 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.022289991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.022321939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.022340059 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.022355080 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.022413969 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.030937910 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031021118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031052113 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031085014 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031100988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031132936 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031155109 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031167030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031198978 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031217098 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031230927 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031261921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031285048 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031313896 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031364918 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031379938 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031415939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031447887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031464100 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.031480074 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.031526089 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.042946100 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043117046 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043164015 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043210030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043220043 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043229103 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043268919 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043278933 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043334007 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043348074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043348074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043379068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043440104 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043450117 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043490887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043499947 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043499947 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043512106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043524981 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043534994 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043536901 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043585062 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.043593884 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043605089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.043648958 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.044102907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.044112921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.044121981 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.044131041 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.044162989 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.054896116 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.054951906 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.054976940 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.054986954 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055001974 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055011988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055021048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055027008 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.055031061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055067062 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.055079937 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055083990 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.055090904 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055100918 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055139065 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.055366039 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055375099 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055387020 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055398941 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055407047 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.055432081 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.055469990 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077075005 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077106953 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077140093 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077171087 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077174902 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077223063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077254057 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077285051 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077322960 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077322960 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077337027 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077384949 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077383995 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077419043 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077501059 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077532053 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077532053 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077565908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077588081 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077598095 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077631950 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077649117 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077663898 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077696085 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077709913 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077728987 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077760935 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077780008 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077794075 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077843904 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.077857018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077935934 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077982903 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.077985048 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.078032017 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078078985 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078084946 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.078113079 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078145027 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078165054 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.078178883 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078210115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078231096 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.078243971 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078301907 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.078840971 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078912020 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078946114 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.078969002 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.079011917 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.079071999 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106240034 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106307030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106343031 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106374979 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106408119 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106507063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106542110 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106573105 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106585026 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106585026 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106607914 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106627941 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106641054 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106689930 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106689930 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106739044 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106771946 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106786013 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106803894 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106837988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106849909 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106870890 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.106923103 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.106988907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107053041 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107088089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107098103 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.107141018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107172966 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107188940 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.107206106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107239962 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.107253075 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118388891 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118422031 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118473053 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118520975 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118554115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118568897 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118591070 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118624926 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118655920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118690014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118725061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118730068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118730068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118761063 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118823051 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118856907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118874073 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118906975 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118956089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.118963957 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.118988991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119020939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119035006 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.119054079 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119086027 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119098902 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.119119883 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119154930 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.119168997 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.130954981 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131022930 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131026983 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131062984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131094933 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131128073 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131160021 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131191969 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131196976 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131196976 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131226063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131242037 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131258965 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131304979 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131320000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131352901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131397009 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131402969 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131438017 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131469011 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131498098 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131500959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131535053 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131547928 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131572008 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131603003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131618023 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131638050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131669998 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131688118 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.131702900 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.131747961 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142368078 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142385960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142394066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142435074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142441988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142453909 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142462969 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142523050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142532110 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142540932 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142549992 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142560959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142569065 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142621040 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142630100 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142631054 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.142630100 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142630100 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142630100 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142646074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.142677069 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.163731098 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163739920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163748980 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163881063 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.163907051 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163921118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163929939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163938999 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163949013 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163953066 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.163959026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163968086 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163976908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.163981915 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.163989067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164021969 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164058924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164155960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164242029 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164251089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164297104 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164303064 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164313078 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164321899 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164330959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164350986 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164398909 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164618015 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164633989 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164643049 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164673090 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164705038 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164732933 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164742947 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164755106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164763927 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164773941 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.164777994 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.164802074 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.165317059 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165328026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165335894 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165345907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165355921 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165369987 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.165424109 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.165595055 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165604115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165613890 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165621996 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.165643930 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.165678024 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.193767071 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.193820000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.193869114 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.193876982 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.193902016 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.193933010 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.193984985 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194016933 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194042921 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194042921 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194067001 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194102049 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194122076 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194134951 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194168091 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194201946 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194202900 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194236040 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194251060 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194284916 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194329977 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194334030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194366932 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194396973 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194411993 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194431067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194462061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194477081 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.194814920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194848061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.194931030 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.195111990 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.195185900 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206058025 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206073046 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206083059 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206091881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206101894 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206111908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206140995 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206183910 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206258059 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206268072 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206285000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206294060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206304073 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206312895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206322908 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206330061 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206331015 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206382990 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206386089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206397057 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206406116 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206470013 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206492901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206540108 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206556082 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206566095 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206573963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206625938 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.206727028 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.206793070 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.219719887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219738960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219748974 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219857931 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219868898 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219887018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219887972 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.219898939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219909906 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.219909906 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219922066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219945908 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.219953060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219964027 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.219966888 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219979048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.219999075 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.220029116 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.220066071 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220081091 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220124006 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.220155001 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220165968 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220182896 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220194101 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220204115 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.220204115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220220089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.220230103 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.220289946 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.230998039 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231048107 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231095076 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231108904 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231129885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231178999 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231210947 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231260061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231265068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231265068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231292963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231323004 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231338024 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231357098 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231400967 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231405973 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231440067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231472015 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231482983 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.231503963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.231565952 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.251266003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251296043 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251328945 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251389980 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.251470089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251502037 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251554012 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251585960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251610994 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.251610994 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.251619101 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251650095 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251677990 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.251683950 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251718998 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.251733065 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253293037 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253412962 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253460884 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253473043 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253498077 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253513098 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253528118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253576040 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253592968 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253624916 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253657103 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253674030 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253690004 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253720999 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253740072 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253771067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253802061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253820896 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253834963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253865957 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253880978 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253899097 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253930092 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253946066 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.253964901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.253995895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254013062 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.254028082 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254060984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254076958 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.254093885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254123926 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254136086 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.254159927 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254192114 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254206896 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.254225016 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.254281044 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281385899 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281400919 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281409979 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281419992 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281430006 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281447887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281456947 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281465054 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281475067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281483889 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281493902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281547070 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281547070 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281560898 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281584024 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281625986 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281653881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281663895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281704903 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281733036 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281743050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281752110 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281763077 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.281784058 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281809092 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.281878948 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.282316923 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.282375097 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.283519030 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293454885 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293504953 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293529987 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.293534994 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293584108 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.293632984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293664932 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293697119 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293728113 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293760061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293791056 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293800116 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.293800116 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.293824911 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.293843031 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.294013023 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.294060946 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.294063091 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.294095039 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.294126987 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.294143915 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.294158936 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.294208050 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305474997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305526018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305573940 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305587053 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305607080 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305638075 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305670977 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305704117 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305735111 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305778980 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305778980 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305783987 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305816889 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305821896 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305866957 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305877924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305938005 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.305980921 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.305989027 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306021929 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306054115 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306066036 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306086063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306118011 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306133986 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306150913 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306183100 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306196928 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306217909 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306265116 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306612015 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306662083 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306709051 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306714058 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306746960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306777954 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306793928 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.306809902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306842089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.306854010 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.317872047 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.317943096 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.317961931 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.317994118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318025112 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318072081 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318120003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318131924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.318131924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.318152905 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318191051 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318201065 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.318223000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318255901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318284035 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.318288088 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318320036 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318336010 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.318352938 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318383932 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.318392038 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.338781118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.338865995 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339065075 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339075089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339087009 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339096069 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339104891 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339113951 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339123964 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339133024 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339140892 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339149952 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339159012 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339167118 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339215040 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339215040 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339406013 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339437008 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339503050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339520931 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339559078 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339569092 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339579105 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339615107 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339648008 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339699984 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339802980 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339814901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339824915 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339862108 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339927912 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339937925 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339946985 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339956045 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.339976072 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.339998960 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.340251923 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.340260983 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.340270996 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.340292931 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.340337992 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.394725084 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394752026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394762993 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394824028 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394834042 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394843102 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394854069 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394920111 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.394943953 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394954920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394963980 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394973993 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394983053 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.394994020 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395006895 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395021915 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395039082 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395066977 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395126104 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395138025 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395186901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395199060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395210981 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395212889 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395225048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395255089 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395291090 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395488024 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395498037 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395507097 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395515919 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395524979 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395534039 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395544052 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395544052 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395554066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.395581961 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.395608902 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396135092 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396143913 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396152020 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396162033 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396172047 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396186113 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396224976 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396234035 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396235943 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396272898 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396375895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396387100 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396436930 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396492004 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396539927 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396557093 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396568060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396609068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396621943 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396636963 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396646023 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396677971 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396888018 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396923065 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396931887 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.396943092 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396974087 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.396974087 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397074938 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397115946 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397125959 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397131920 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.397171974 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.397239923 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397249937 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397258997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397263050 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397279978 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397290945 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.397305965 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.397345066 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.400096893 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400105953 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400115013 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400122881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400142908 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.400177956 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.400271893 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400283098 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400295019 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400305033 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400314093 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400321960 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.400324106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400360107 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.400388956 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400398970 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400405884 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400410891 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400419950 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.400471926 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405658007 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405680895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405692101 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405700922 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405709028 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405710936 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405741930 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405791998 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405842066 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405874014 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405879021 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405879021 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405879021 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405908108 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405931950 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.405940056 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405972958 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.405989885 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.406006098 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.406040907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.406052113 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.426659107 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426708937 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426743031 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426743031 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.426791906 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426791906 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.426861048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426892996 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426915884 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.426927090 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426959991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.426980972 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427009106 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427057028 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427061081 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427117109 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427162886 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427169085 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427217007 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427248001 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427269936 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427280903 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427311897 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427335024 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427346945 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427377939 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427396059 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427429914 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427463055 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427479029 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427495003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427525997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427545071 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427556992 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427587986 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427604914 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427619934 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427650928 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427666903 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.427681923 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427716017 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.427731991 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.472506046 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.482625961 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482707977 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482717991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482728004 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482738972 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482747078 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482758045 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482758045 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.482795954 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.482817888 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482827902 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482836962 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482846022 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482860088 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.482860088 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.482893944 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.482923985 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483026028 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483036041 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483043909 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483052969 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483062029 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483071089 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483073950 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483081102 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483092070 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483099937 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483108997 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483115911 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483119011 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483144045 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483170986 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483177900 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483182907 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483215094 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483285904 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483298063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483305931 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483336926 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483371019 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483778000 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483820915 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483830929 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483870029 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.483948946 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483958960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.483968019 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484000921 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484015942 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484021902 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484029055 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484039068 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484062910 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484071970 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484072924 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484081984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484101057 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484117031 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484127045 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484134912 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484137058 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484162092 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484205961 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484216928 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484225988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484251976 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484255075 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484292984 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484317064 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484328032 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484335899 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484363079 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484395027 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484426975 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484539032 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484591007 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484750032 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484760046 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484770060 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484778881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484792948 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484797955 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484802961 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484812975 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484822035 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484832048 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484838009 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484864950 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484909058 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484919071 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484929085 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484937906 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484947920 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484957933 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.484961987 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.484968901 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485002041 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.485017061 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485022068 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.485080004 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485095024 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485104084 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485114098 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.485122919 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.485163927 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.493463039 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493486881 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493496895 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493537903 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.493571043 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.493611097 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493731976 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493741989 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493751049 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493760109 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493767977 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493774891 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.493778944 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493791103 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493799925 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493808985 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493819952 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.493824959 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.493869066 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.515223026 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515264988 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515275002 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515295029 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515309095 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.515311003 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515321970 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515331984 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515464067 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515465975 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.515465975 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.515476942 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.515522957 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.570533037 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.575581074 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.656985044 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.658304930 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:37.663395882 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.745166063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:37.800627947 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:38.189429998 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:38.196362019 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:38.651835918 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:38.655920029 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:38.660921097 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:38.858551025 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:38.859838009 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:38.864872932 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.075723886 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.128741980 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:41.171524048 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:41.415688038 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.585020065 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.628746986 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:41.648442984 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:41.653481960 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.819472075 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:41.863130093 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.043657064 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.216603041 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.218236923 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.218249083 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.223227024 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.386388063 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.443450928 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.520358086 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.525288105 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.689929962 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.693340063 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.697802067 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.702661991 CEST	1380	62185	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:42.702698946 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:42.702898979 CEST	62185	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.027056932 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.033283949 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.038235903 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.156392097 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.156475067 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.156559944 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.156982899 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.158138990 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.158196926 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.158318996 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.158430099 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.158513069 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.159189939 CEST	62186	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.160022974 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.160083055 CEST	62183	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.161499977 CEST	1380	62184	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.161562920 CEST	62184	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.163286924 CEST	1380	62182	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.163336039 CEST	62182	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:43.163526058 CEST	1380	62183	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.164232016 CEST	1380	62186	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:43.164297104 CEST	62186	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:44.766637087 CEST	1380	62186	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:44.766762018 CEST	62186	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:54.778465986 CEST	62187	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:54.783864975 CEST	1380	62187	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:54.783974886 CEST	62187	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:45:56.373671055 CEST	1380	62187	87.120.116.119	192.168.2.5
Oct 8, 2024 13:45:56.373867989 CEST	62187	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:06.396687031 CEST	62188	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:06.402573109 CEST	1380	62188	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:06.402915955 CEST	62188	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:08.001811981 CEST	1380	62188	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:08.001895905 CEST	62188	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:11.894829035 CEST	62189	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:11.899723053 CEST	1380	62189	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:11.899805069 CEST	62189	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:33.302396059 CEST	1380	62189	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:33.302681923 CEST	62189	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:39.285701036 CEST	62190	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:39.290625095 CEST	1380	62190	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:39.290707111 CEST	62190	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:40.909568071 CEST	1380	62190	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:40.909779072 CEST	62190	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:41.895088911 CEST	62191	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:41.900041103 CEST	1380	62191	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:41.903510094 CEST	62191	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:43.518419981 CEST	1380	62191	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:43.518625975 CEST	62191	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:47.848089933 CEST	62192	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:47.853235960 CEST	1380	62192	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:47.853303909 CEST	62192	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:49.471716881 CEST	1380	62192	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:49.471797943 CEST	62192	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:59.486469984 CEST	62193	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:46:59.492027044 CEST	1380	62193	87.120.116.119	192.168.2.5
Oct 8, 2024 13:46:59.492106915 CEST	62193	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:47:01.077439070 CEST	1380	62193	87.120.116.119	192.168.2.5
Oct 8, 2024 13:47:01.077506065 CEST	62193	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:47:06.406768084 CEST	62194	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:47:06.411716938 CEST	1380	62194	87.120.116.119	192.168.2.5
Oct 8, 2024 13:47:06.411803961 CEST	62194	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:47:08.247744083 CEST	1380	62194	87.120.116.119	192.168.2.5
Oct 8, 2024 13:47:08.247838974 CEST	1380	62194	87.120.116.119	192.168.2.5
Oct 8, 2024 13:47:08.247884035 CEST	62194	1380	192.168.2.5	87.120.116.119
Oct 8, 2024 13:47:08.248369932 CEST	62194	1380	192.168.2.5	87.120.116.119

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 13:43:29.104418993 CEST	53	56842	162.159.36.2	192.168.2.5
Oct 8, 2024 13:43:29.574722052 CEST	54301	53	192.168.2.5	1.1.1.1
Oct 8, 2024 13:43:29.581907988 CEST	53	54301	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 13:43:29.574722052 CEST	192.168.2.5	1.1.1.1	0x3e51	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 13:43:29.581907988 CEST	1.1.1.1	192.168.2.5	0x3e51	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	07:42:56
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5fnrWlGa3H.exe"
Imagebase:	0xa70000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Imagebase:	0xf30000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Imagebase:	0x80000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\5fnrWlGa3H.exe
Imagebase:	0xaf0000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4530137278.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"
Imagebase:	0xd50000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80
Imagebase:	0xa90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Imagebase:	0x330000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Imagebase:	0x980000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:42:57
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Imagebase:	0x650000
File size:	187'392 bytes
MD5 hash:	36E570B7964F458F06DC81B29802E947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:42:58
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 84
Imagebase:	0xa90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 010C6DD8 Relevance: 3.8, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Yqz , xrefs: 010C6E6B
P, xrefs: 010C6E5D
-}Fr, xrefs: 010C6E6E

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: -}Fr$P$Yqz
API String ID: 0-1752235571
Opcode ID: 7a7f7de1b627bbb64c5fa908aea33f945df99ed637aae6d7c0d91e3f9489303a
Instruction ID: e8a2c339e9b8d178b11493bdae2236bca769b8384c91da3330f4882825a1a6c0
Opcode Fuzzy Hash: 7a7f7de1b627bbb64c5fa908aea33f945df99ed637aae6d7c0d91e3f9489303a
Instruction Fuzzy Hash: 3121C771E046198BEB58CF6BD84069EFBB3AFC8200F04C1BAC518A6225EB3519568F51

Function 010C240A Relevance: 2.8, Strings: 2, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 010C26CB
Tejq, xrefs: 010C2509

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: Tejq$Tejq
API String ID: 0-942063033
Opcode ID: d105f935433f234fa0d49cd89ffe792b3bcf65d1ea345dee993e04a909e4e61c
Instruction ID: 9001d170197d4489812c09d448eec3f76e8e523dd8af7c32d8f500549fb12a69
Opcode Fuzzy Hash: d105f935433f234fa0d49cd89ffe792b3bcf65d1ea345dee993e04a909e4e61c
Instruction Fuzzy Hash: 84B12674E002098FCB08CFA9C990AEEFBB2FF99310F24946AD456AB365D7315946CF50

Function 010C24A0 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 010C26CB
Tejq, xrefs: 010C2509

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: Tejq$Tejq
API String ID: 0-942063033
Opcode ID: 9b347ecf5fe9587271abc268eea0c7dbf21e091968fda23d1bcba5f4f2154754
Instruction ID: 665d4f1167c66113085d6d440de1106a12e5ac8c32face39d483ff8fc5a3d495
Opcode Fuzzy Hash: 9b347ecf5fe9587271abc268eea0c7dbf21e091968fda23d1bcba5f4f2154754
Instruction Fuzzy Hash: FA81B274E002098FDB48DFAAC954ADEFBB2FF89310F20802AD419BB268D7359945CF54

Function 010C2D38 Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Fd~K, xrefs: 010C2E09
I\g, xrefs: 010C2F01

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: Fd~K$I\g
API String ID: 0-4251205942
Opcode ID: 64a337c32119009ab9981fc36472616d921fc3eb7d348e0d2e5082c3ac01a845
Instruction ID: fc0376892e26736db4ce60e260525799f2b0a4050663cbec09d125b03b9d50bd
Opcode Fuzzy Hash: 64a337c32119009ab9981fc36472616d921fc3eb7d348e0d2e5082c3ac01a845
Instruction Fuzzy Hash: 7C5105B0E0520A8FDB08DFAAD8546EEFBF2BB89310F14D16AD455B7254D7348A418FA4

Function 010CBDD0 Relevance: 1.4, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!:1~, xrefs: 010CBFEA

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: !:1~
API String ID: 0-1641426056
Opcode ID: 1d4fbfbdc97a12e132e513aa26b93e0adda622845c67f4f8a19963577ae54b4a
Instruction ID: 836c2c65ebabb8300662f9032c2c178ef6c44ad68f2b51403867164e36acd7f3
Opcode Fuzzy Hash: 1d4fbfbdc97a12e132e513aa26b93e0adda622845c67f4f8a19963577ae54b4a
Instruction Fuzzy Hash: 035144B0D0120ADFCB18CFAAE4456AEBBB1FF48741F10942AE856B7354DB395A42CF54

Function 010C08F8 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 010C0A32

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 7f13e132c016e025be7b5275c5ce78c13c466714feabd903fe6bafc959489bd1
Instruction ID: 6da1c7329e21c10c44a6459eb527148822c506f2c18d10ed45203a49d4bc7ace
Opcode Fuzzy Hash: 7f13e132c016e025be7b5275c5ce78c13c466714feabd903fe6bafc959489bd1
Instruction Fuzzy Hash: 80517375E01658CFDB58CFAAC9446DDBBF2AFC9301F14C1AAD509AB264EB345A85CF00

Function 010C3750 Relevance: 1.3, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R8)+, xrefs: 010C37FF

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: R8)+
API String ID: 0-2193803958
Opcode ID: a6d87e90a9eb212595d1f13428c7a24d86f8b645f0ab59637ad94eff0a0e01b8
Instruction ID: 9d90789ed5b33d2272cc4eed3752bf4e79a6cabe684f32b92b60fd4cd5f75a44
Opcode Fuzzy Hash: a6d87e90a9eb212595d1f13428c7a24d86f8b645f0ab59637ad94eff0a0e01b8
Instruction Fuzzy Hash: 99211571E006588FEB18CFAAD8546DEBBF3AFC9310F14C16AD408AA228DB350A55CF50

Function 010C4559 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f144bcfc6eb555b0a380a1a594ca983306cfc3e5bbaee710f1d5a1d72f36d308
Instruction ID: 4b4be21ae40b871d7df80701215a8268b1238025ae5151fcf7ef1658a5f3a79e
Opcode Fuzzy Hash: f144bcfc6eb555b0a380a1a594ca983306cfc3e5bbaee710f1d5a1d72f36d308
Instruction Fuzzy Hash: 14F17C70E0524ADFCB14CFA9C4908EEFBB2FF8A301B149559D485EB219D735AA42CF91

Function 010C4650 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d18bf86746acae771a65e27a287e55612a2f24fc4d9124429b0e38b93cfd469
Instruction ID: b4cfef50f1483adc1591cc3682742dfc02ad7cfc9ad8a5b4b2c399f134f962c8
Opcode Fuzzy Hash: 2d18bf86746acae771a65e27a287e55612a2f24fc4d9124429b0e38b93cfd469
Instruction Fuzzy Hash: 7CD16A74E0020ADFCB14CFA9C4948AEFBB2FF88301B64D559D455EB258D739AA42CF91

Function 010CC2A0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd153c3eef6556d3b32d55e287663749abf1e161e136b54f880c96130bd97e0d
Instruction ID: 32549ff25291531507bc1177bf473bc7c7d6b5de124078cf7f5df09c573c4c96
Opcode Fuzzy Hash: dd153c3eef6556d3b32d55e287663749abf1e161e136b54f880c96130bd97e0d
Instruction Fuzzy Hash: AA71B274E00609DFDB14DFA9E55459DFBB2FF88300B20942AD84AB7358EB369A45CF14

Function 010CC638 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22294546cea0b5a592b59fd678cdae6a2aaf51b599d88bf16c618bc5fbedbc3
Instruction ID: 59db6f22b5b8a2cfca67ed7cf1b1e10ac82e57d229ddbaa55757b3369f425df0
Opcode Fuzzy Hash: a22294546cea0b5a592b59fd678cdae6a2aaf51b599d88bf16c618bc5fbedbc3
Instruction Fuzzy Hash: 05412574D1520ADFDB04CFA9D6405AEFBB2FF89304F00986AC45AB7268E735A601CF51

Function 010C17C3 Relevance: 1.7, APIs: 1, Instructions: 159
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 010C18FF

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe3c5717f5fb358e6a03bb889be4ab447bc049a791b9b4d74e52a966c14033c4
Instruction ID: 32f0d8f490f2984ade23a8860dd476c9028026b4c739602bc64612f011ac8498
Opcode Fuzzy Hash: fe3c5717f5fb358e6a03bb889be4ab447bc049a791b9b4d74e52a966c14033c4
Instruction Fuzzy Hash: 1F51E0B5D042589FCF15CFA9D4809DEBFF0FB6A310F24A05AE485A7211D236A946DF90

Function 010C1858 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 010C18FF

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 04b68d577e22f68bc624d0d7416c4e49db5a9debb1f5cec67c1ea434502e9efb
Instruction ID: 9f85a340ce09c38de88438d0d4ceebef002f67f71bf56ee26a4c1d65b0e2d5ad
Opcode Fuzzy Hash: 04b68d577e22f68bc624d0d7416c4e49db5a9debb1f5cec67c1ea434502e9efb
Instruction Fuzzy Hash: 0F3177B9D042589FCB10CFA9D584ADEFBF5BB19310F24902AE858B7210D375AA45CFA4

Function 010C9F98 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 010CA03F

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1edc6d419c72599a152f6b4c9b361f34b2f10bdd36733c9f1bd364a2bc5ada71
Instruction ID: f345dc32892f4cf7c46548038f3c420db962a8e9011aabc49724d7ca210cae1c
Opcode Fuzzy Hash: 1edc6d419c72599a152f6b4c9b361f34b2f10bdd36733c9f1bd364a2bc5ada71
Instruction Fuzzy Hash: C23197B9D04258DFCB10CFA9D484ADEFBF1BB19310F24902AE918B7210D339A945CFA4

Non-executed Functions

Function 010C66D8 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

frb, xrefs: 010C6737
L(QR, xrefs: 010C6811

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: L(QR$frb
API String ID: 0-1307681483
Opcode ID: 99ca8ad485c0445e7ec5a3329ab096c6376618a5d40533aed3060893f0b6aa6b
Instruction ID: b88544e37a6b4ea63c63c548b94e1d4a7fb9911ab5fea31b89405c24e228b73c
Opcode Fuzzy Hash: 99ca8ad485c0445e7ec5a3329ab096c6376618a5d40533aed3060893f0b6aa6b
Instruction Fuzzy Hash: C051F5B0E0460A8FCB44CFAAC5815AEFBF2BF88310F14D56AC555A6314E2399A428F94

Function 010C66E8 Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

frb, xrefs: 010C6737
L(QR, xrefs: 010C6811

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: L(QR$frb
API String ID: 0-1307681483
Opcode ID: 5d8160d70b6a012b941d696b3a76981144ef58955d2c8bdb3c04af05a0de7c83
Instruction ID: 851cd1f8811723e24768938558b19aeb955ea232b2587c3d81897700ad3fd0e5
Opcode Fuzzy Hash: 5d8160d70b6a012b941d696b3a76981144ef58955d2c8bdb3c04af05a0de7c83
Instruction Fuzzy Hash: 6151E9B0E0460A8FDB04CFAAC5815AEFBF2BF88700F14D56AC555A7354E3399642CF94

Function 010C1958 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

P!6A, xrefs: 010C19EE
`W, xrefs: 010C19DD

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: P!6A$`W
API String ID: 0-3493254120
Opcode ID: af8fa0fe7763b9a1516a694abe42617ef906829305aa18487deb4f7bf9df6081
Instruction ID: 1b0c88dbc97676e25f7cb8a0a46229a21bc37382e1e18a6af171d4f8ba220fa2
Opcode Fuzzy Hash: af8fa0fe7763b9a1516a694abe42617ef906829305aa18487deb4f7bf9df6081
Instruction Fuzzy Hash: 9121DA71E046188FEB18CFAB99406DEFBF3AFC9210F04C1BAC518A6265DB3405468F51

Function 010C2770 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2caf7828c83beaa462213bb37afca79081630469bfc5548932c2794c8e606d69
Instruction ID: 1b2a0b547b23e83c1cbba1122b6d8ffccc34a4ea6c295010853761b8b8c32aa3
Opcode Fuzzy Hash: 2caf7828c83beaa462213bb37afca79081630469bfc5548932c2794c8e606d69
Instruction Fuzzy Hash: 75B11D70E0121A9FCB54DFA8D940ADEFBB6FF88300F108669D459AB355DB34A946CF90

Function 010CB198 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d8acc5cc826d3494f45e3b9fa8ae95c4b4dc3dc96e250b3d239bf159e0b627
Instruction ID: 089f031d081fdeae34b2cf39fbb8f632598e968e407ade49ca6ab65923ffcb16
Opcode Fuzzy Hash: 94d8acc5cc826d3494f45e3b9fa8ae95c4b4dc3dc96e250b3d239bf159e0b627
Instruction Fuzzy Hash: 5FB1F874E14219CFCB14CFA9D581AAEFBB2BF89340F24C16AD458A7315D730A941CF60

Function 010C54F8 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f332b42d95f8f1d4e7a68c8c7ce8a77855661d76d62cbce28e734723283d041
Instruction ID: 6d5f3f49c53805995083c4a8c08df8214725c2c6a7231747c111e807f209f86e
Opcode Fuzzy Hash: 0f332b42d95f8f1d4e7a68c8c7ce8a77855661d76d62cbce28e734723283d041
Instruction Fuzzy Hash: D381C078E14219CFCB04CFA9D98499EFBF2FF88310B149569E455EB264D334AA42CF94

Function 010C54E8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0cd7eeb4487c2fc265c29953581431bef511e8dba268f2527d0ef6b6e776c9
Instruction ID: d3a2404e36ffee12cd67324cf20c9ce02520c5bac4ccda90110464e3c66dbd2d
Opcode Fuzzy Hash: be0cd7eeb4487c2fc265c29953581431bef511e8dba268f2527d0ef6b6e776c9
Instruction Fuzzy Hash: 6D81C078A1521ACFCB04CFA9C9849AEFBF2FF88310B149569D455EB264D334AA42CF54

Function 010C7810 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1321078cd714b8d9a4b8657194ca47f553c4730765ebe6ca7600388b8dfb41b
Instruction ID: a81e57b4c0f32c4f8827827bf0380c7bcdbf234db2bceaa601d6a2d07b02d927
Opcode Fuzzy Hash: e1321078cd714b8d9a4b8657194ca47f553c4730765ebe6ca7600388b8dfb41b
Instruction Fuzzy Hash: A961FBB1D017548BDB69CF6B894428EFBF3BFD5710F18C1AAC548A6225EB314A46CF11

Function 010C6949 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993ff043aa929be97266aea9391c01ac8ce9a05a547d38cf20d560cd82f24087
Instruction ID: ab63afff6bb8a5095dc53be6415e55d0c9dd5ccbb37f6d4a8398514513ae4773
Opcode Fuzzy Hash: 993ff043aa929be97266aea9391c01ac8ce9a05a547d38cf20d560cd82f24087
Instruction Fuzzy Hash: EF61FF74E05209CFCB18CFAAD9809EEFBF2EF89210F24946AD455B7324D3359A418F65

Function 010C6958 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5614de92ad6098672a9409ee2c8d59cd5cb741a0b4ed01a72c42954cc4754997
Instruction ID: 835e1625ecb59b6c393b93608c1415e842ecd1595154390d28d61452f19ff011
Opcode Fuzzy Hash: 5614de92ad6098672a9409ee2c8d59cd5cb741a0b4ed01a72c42954cc4754997
Instruction Fuzzy Hash: 0D71D474E05209CFCB28CFAAD5805EEFBF6FB88210F24946AD455BB324D33599418F65

Function 010C6078 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dfe05f3270edb2aabe1979f5d0a870f48753d5fcc2ea79d3cf2403712f2d50
Instruction ID: 61bf0afb7d6417049f32fc2789ce31b1b15c60b1f467c865d462da110be0c17a
Opcode Fuzzy Hash: 49dfe05f3270edb2aabe1979f5d0a870f48753d5fcc2ea79d3cf2403712f2d50
Instruction Fuzzy Hash: C37101B4E0420ADFCB54CF99D4808AEFBB2FF88711F28851AE455A7305C735A982CF91

Function 010C6069 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeba17144219e74517d5c2e3a60c33d223664868ed89c674140d71b3090c461
Instruction ID: 40e7e4708e3e82daabbd67576d5ada7c4d42f85e8f8f17231068dd3b75f81ff9
Opcode Fuzzy Hash: ddeba17144219e74517d5c2e3a60c33d223664868ed89c674140d71b3090c461
Instruction Fuzzy Hash: C06104B4E0420ADFCB54CF99D4808AEFBB2FF88711F18855AE455A7315C335A982CF91

Function 010C6BC1 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1afb2fc08ce62c7be1dab1c325e63b434a20038c815934261a62721e2c67448
Instruction ID: 1422864ad2a8a9edfca7237fc881cdbea1e20432e9ac0891ad991fbd26045ef6
Opcode Fuzzy Hash: c1afb2fc08ce62c7be1dab1c325e63b434a20038c815934261a62721e2c67448
Instruction Fuzzy Hash: 3B510270E0520A9FDB58CFA9C5814AEFBF2EF89310F24C56AC515B7314D3359A818FA0

Function 010C6BD0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058330760.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8086aaf5cd13982d50b6aedc6edbd0575cb6f96f376fec49827677bddafe85c
Instruction ID: 7cd156ae100757f4c4ebd486d3001f950d62b1c1aaaaf2af42e57811d177c618
Opcode Fuzzy Hash: c8086aaf5cd13982d50b6aedc6edbd0575cb6f96f376fec49827677bddafe85c
Instruction Fuzzy Hash: 0F51F3B0E0520A9BDB14CFAAC5815AEFBF2EF89300F24C56AC515B7315D3359A818FA5

Function 02EE3CA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064853711.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true

Associated: 00000000.00000002.2064776090.0000000002EC0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a89f140cbe30b34c71b3e055e149ecd6aab5b88f5e21918f13fadd902a82e43
Instruction ID: a0f8ec87e8a1b8276de53ec3112e1a1140dd4bcd0679484004be85b6e17caea3
Opcode Fuzzy Hash: 4a89f140cbe30b34c71b3e055e149ecd6aab5b88f5e21918f13fadd902a82e43
Instruction Fuzzy Hash: 8E110371E116198BDB58CFAAD840AAEFBF7ABC8210F14D06AE408A7214DB304A418B51

Analysis Process: 5fnrWlGa3H.exePID: 6564, Parent PID: 4320COMMON

Executed Functions

Function 01AA0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dnq, xrefs: 01AA0E64

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: dnq
API String ID: 0-3704129773
Opcode ID: 015cd3f11cd8f35586131b06e1c5b869bd1c07d13d591292806b2a0c7e19a284
Instruction ID: 0f01babff9e20ee49052de6a0aa0b6d7839f2efb795407286a0d60fcc07da2b0
Opcode Fuzzy Hash: 015cd3f11cd8f35586131b06e1c5b869bd1c07d13d591292806b2a0c7e19a284
Instruction Fuzzy Hash: FF828074A00229CFCB24CF68D984BDDBBB5FF49300F5486AAD419AB265D734AE85CF50

Function 01AA0A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77a10b8ca034e847846d4610e3c8fee0835d7bd04fa11d78f91c39420eee505
Instruction ID: cec40826f3ee7ba7fdc468d000daa75cd2511a15c655f797b7695222efa0b70a
Opcode Fuzzy Hash: e77a10b8ca034e847846d4610e3c8fee0835d7bd04fa11d78f91c39420eee505
Instruction Fuzzy Hash: 2F214A31E0024A9FCF45DFA8D5509DDBBB5FF89310F4582A6D460BB261D734A906CBA0

Function 01AA0839 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80e9454f820044826ad8f1a9cfadc72a06cecfca3194b4e0fac20e45c196fde
Instruction ID: 8cc22c8108be10ac47855dcf585e5430ae0540ffe55f30a9f3bc8d2a634b0f81
Opcode Fuzzy Hash: c80e9454f820044826ad8f1a9cfadc72a06cecfca3194b4e0fac20e45c196fde
Instruction Fuzzy Hash: 48213D70E01205DFCB45DF68F588A89BFB5FB49300F0086A5D4049F26AD7395D09CF91

Function 01AA0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1d9b2914f0ca5ca9ded01d52bb8f0442762035b434bd5855398e92a9c19db8
Instruction ID: 1232de8f395aa261e59293271e91a78e12a1c3b3b31f6bb9db6696d61887b776
Opcode Fuzzy Hash: 2c1d9b2914f0ca5ca9ded01d52bb8f0442762035b434bd5855398e92a9c19db8
Instruction Fuzzy Hash: 2C11FC70E01209DFCB45DF68F588A8DBBB5FB48304F5086A4D5049B269EB789E09DF91

Function 01AA1870 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b511ee6e0ac482d2f083020b21c8dcae54f92f82a2ef68e18a7a28c67cec60e7
Instruction ID: 73ae6559a1b92ec0e201f1566dab9bac64cb213e327938b05810c59fd0f53746
Opcode Fuzzy Hash: b511ee6e0ac482d2f083020b21c8dcae54f92f82a2ef68e18a7a28c67cec60e7
Instruction Fuzzy Hash: A0F014B4D042499FDF11DFA5D8042EEBBF4AB8E310F44902AD814B7251C7785A0ADF60

Function 01AA09DF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0096b82f4f0e5b5409b90f58ce2c827d2dd4ff92f13783bf617104e4b19ba95f
Instruction ID: a83f036b4edfaec9c646589eac58d85c2d357871f2cf0659a9875e19c9a4765d
Opcode Fuzzy Hash: 0096b82f4f0e5b5409b90f58ce2c827d2dd4ff92f13783bf617104e4b19ba95f
Instruction Fuzzy Hash: F2011470C04209DFCB41EFB8D884AADBBB1FF05300F0446EAD815AB355EB749A44DB91

Function 01AA09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2052061246.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1aa0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c3f04454774c442d14aa55072cd7e89c5eb042a1004faa66c602af4038d83d
Instruction ID: 2f9ed8d856f311f9a02007cfd585d95f76b37d9a82fac494a8a053d7ac05a90e
Opcode Fuzzy Hash: e1c3f04454774c442d14aa55072cd7e89c5eb042a1004faa66c602af4038d83d
Instruction Fuzzy Hash: 4BF0B270C00209DFCB55EFB8D545AAEBBB4FB04300F5046AAD425A7354EB709A54DB80

Analysis Process: 5fnrWlGa3H.exePID: 5492, Parent PID: 4320COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Executed Functions

Function 02C82760 Relevance: 8.1, Strings: 6, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_r, xrefs: 02C82960
(_r, xrefs: 02C828C3
(_r, xrefs: 02C82E9E
(_r, xrefs: 02C82DF5
(_r, xrefs: 02C82B97
(_r, xrefs: 02C82AF4

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r$(_r$(_r$(_r$(_r
API String ID: 0-206503010
Opcode ID: e8956287fcf58c757d701afa2b9feed77faf12fd4d6e124467ad0fbcee2920ac
Instruction ID: 1f77753f1db1167fdf601032de34d848533e42ca8fab489306bcbce8824140ed
Opcode Fuzzy Hash: e8956287fcf58c757d701afa2b9feed77faf12fd4d6e124467ad0fbcee2920ac
Instruction Fuzzy Hash: 7B629E74A01229CFCB24DF69C984BD9BBF1BF4A304F5082A9D449AB365D730AE85CF51

Function 02C82757 Relevance: 4.2, Strings: 3, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_r, xrefs: 02C82960
(_r, xrefs: 02C82E9E
(_r, xrefs: 02C82B97

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r$(_r
API String ID: 0-3939475923
Opcode ID: c63d4108fc21a1aa0585e67e1ff2884c7711fc297167a5ae1a2328a168afc851
Instruction ID: c5f6f5251e74b5e006f722c79db27b07e5f365092df86297e61b41d15de21c36
Opcode Fuzzy Hash: c63d4108fc21a1aa0585e67e1ff2884c7711fc297167a5ae1a2328a168afc851
Instruction Fuzzy Hash: 22229F74A012298FCB24CF69C984BD9BBF1BF4A304F5082E5D449AB365D734AE85CF51

Function 02C8E5F0 Relevance: 2.9, Strings: 2, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_r, xrefs: 02C8E874
(_r, xrefs: 02C8E7EE

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: 3ed06463e3931d3e661573f33e8a3e927fa96bfb5037c9cbc4026b3b63f6c703
Instruction ID: ad7de4da0f348fde62984c33cb5e858e63ae44236ff3d6c985ff49f8bb9a7c8c
Opcode Fuzzy Hash: 3ed06463e3931d3e661573f33e8a3e927fa96bfb5037c9cbc4026b3b63f6c703
Instruction Fuzzy Hash: CB02B374D04209CFDB14DFA9C480ADDBBF6BF89314F2492A9E409AB366D770A985CF50

Function 02C8ED18 Relevance: 2.9, Strings: 2, Instructions: 374
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_r, xrefs: 02C8EDCE
(_r, xrefs: 02C8EE4F

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: dd146ed7a7699aa341e57e12f90e22352af2c772d5bb912e5aeac5ad4537251c
Instruction ID: c04756d71cf1de305351e8487a90c67492ee0dec71c52caad486a65a222c16d2
Opcode Fuzzy Hash: dd146ed7a7699aa341e57e12f90e22352af2c772d5bb912e5aeac5ad4537251c
Instruction Fuzzy Hash: D802A574D00219CFCB14DFAAC984ADDBBF6BF49314F648269D405AB366D730AA45CF50

Function 02C80B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dnq, xrefs: 02C80E64

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: dnq
API String ID: 0-3704129773
Opcode ID: 3a42e84bca36c7e4bb3708ff582572330ba6005bc0a4650ada0438c2a6d0ca22
Instruction ID: ff9891ca271280caf7788927b8d27d93bca5c75fd788521346e014ea17737fa6
Opcode Fuzzy Hash: 3a42e84bca36c7e4bb3708ff582572330ba6005bc0a4650ada0438c2a6d0ca22
Instruction Fuzzy Hash: 3382B274900229CFCB24DFA9D984BDDBBB5BF49304F1482AAD409AB265D770AE85CF50

Function 02C8B8A0 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

\V~o, xrefs: 02C8BD80

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: \V~o
API String ID: 0-2753500597
Opcode ID: dca0e9539851e3cb2c219865d20f31b74f59ed2eda445283c42f20ccd1730233
Instruction ID: f145335464875abe7ca04738282d91b7f699f4b668bd3178069f7fc6c8d33db8
Opcode Fuzzy Hash: dca0e9539851e3cb2c219865d20f31b74f59ed2eda445283c42f20ccd1730233
Instruction Fuzzy Hash: D302E4B0D00219CFDB20DFA8C981BDDBBB1BF49308F1091AAD509A7254EB749E85CF55

Function 02C8DC80 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee30821853c47a356b9d80615b06e0acc7b49a956e4499984dbb48b56c12934
Instruction ID: 246b76300562c44c489e88e1610225a4bd1649145feda2c6b91c9c058c8f8a37
Opcode Fuzzy Hash: 3ee30821853c47a356b9d80615b06e0acc7b49a956e4499984dbb48b56c12934
Instruction Fuzzy Hash: 0A12A674E04219CFDB14DFA9C980ADDBBF6BF49314F2182A9D409AB366D730A985CF50

Function 02C8C6D0 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf0dc3bc930f76f27cfa479f72f6ff2ead7c72ac68ee39f3fd37e9e330d9441
Instruction ID: f6f7fa510271eb0c0fd7f754a04a4564fbc8b965ecf0833b62dd6e9840d49df3
Opcode Fuzzy Hash: cdf0dc3bc930f76f27cfa479f72f6ff2ead7c72ac68ee39f3fd37e9e330d9441
Instruction Fuzzy Hash: FAF1E2B0D00229CFDB24DFA9C981B9DBBF1BF49304F1491AAD909B7250EB749A84CF55

Function 02C8DC73 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb025d7b29c9f225314b108284c8bd9df3e1f963049b076fbd6b6c111e850ca
Instruction ID: 591ad926e7f722da383910779a272fdd701a76b383482084cb8ac08ffaac2deb
Opcode Fuzzy Hash: 0fb025d7b29c9f225314b108284c8bd9df3e1f963049b076fbd6b6c111e850ca
Instruction Fuzzy Hash: 4AE1C774E04219CFDB14DFA9C980ADDBBF6BF49314F2182A9D409AB366D730A985CF50

Function 02C87898 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172bbf9e29abd2b2a3298b7c211f9ef0783144a8bd2885834668ff81e6ddb855
Instruction ID: 7a374566ad3befe17e518b3f2cdea8af149d3e7c09ee7b33833a367e92370418
Opcode Fuzzy Hash: 172bbf9e29abd2b2a3298b7c211f9ef0783144a8bd2885834668ff81e6ddb855
Instruction Fuzzy Hash: 17D18374E003198FDB14DFA9DA84A9DBBF6BF89304F2181A5D408AB365D734AE45CF90

Function 02C83D60 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc27e993d6294021545306aed25a01fe236a491d9b2839aae9c9311c036a5ebb
Instruction ID: 115ccf8483401fab43ca069123b05a36e45e6f5ef94fac34b4f16e73462daf63
Opcode Fuzzy Hash: dc27e993d6294021545306aed25a01fe236a491d9b2839aae9c9311c036a5ebb
Instruction Fuzzy Hash: 39B1AF74E00309CFCB14DFA9C584ADDBBF2BF89314F2591A9E409AB265D730AA85CF40

Function 02C85C7B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0e4285d0b40ca0ad3134ec9d035719063e35d13f80d6b70c35295fbd39ddc7
Instruction ID: fde45f715366274fcae91331ba29ecdea48b37eaf7c4d4e3ab0313e91b80e2ea
Opcode Fuzzy Hash: 0f0e4285d0b40ca0ad3134ec9d035719063e35d13f80d6b70c35295fbd39ddc7
Instruction Fuzzy Hash: EB41E375E012199FDB04DFAAC984AEEFBF6BF88304F14C46AD404A7254EB745A46CF90

Function 02C83748 Relevance: 4.1, Strings: 3, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_r, xrefs: 02C838A3
(_r, xrefs: 02C83966
(_r, xrefs: 02C839EA

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r$(_r
API String ID: 0-3939475923
Opcode ID: 0f776b6f94282dab12e127a32fbcb0a79e36a681526bf13314917cd49975fa3f
Instruction ID: 151b4db45f74a7aee467b9742c1a0d554742306d0f73a2a99b4326851112dacc
Opcode Fuzzy Hash: 0f776b6f94282dab12e127a32fbcb0a79e36a681526bf13314917cd49975fa3f
Instruction Fuzzy Hash: 39E1AF74E002588FCB14DFA9D984A9DFBF5BF48314F14D2A6D818AB369D730A986CF40

Function 02C850E0 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C85215
(_r, xrefs: 02C85194

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: 2bc57b6218a7339bea50f0b51f01f3b325a88c2b29db47a15b1a8d940c610163
Instruction ID: 2be79202d5ec874d9e0324437673bc3f31105e28aafdd6a9e88675ac3e3450cc
Opcode Fuzzy Hash: 2bc57b6218a7339bea50f0b51f01f3b325a88c2b29db47a15b1a8d940c610163
Instruction Fuzzy Hash: 2DE1BD74A00318CFCB14DFA9C988ADDBBF6BF89304F5582A9E409AB365D770A945CF40

Function 02C8E5E7 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C8E874
(_r, xrefs: 02C8E7EE

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: 278fe4c01610e37c3a148e17ff6ffa88593f54a505a162f7fadd2e72e249fb5f
Instruction ID: e16366526b3a238df1c65a90bbd563c219bd5161350f5937ae0c37298d6f97a6
Opcode Fuzzy Hash: 278fe4c01610e37c3a148e17ff6ffa88593f54a505a162f7fadd2e72e249fb5f
Instruction Fuzzy Hash: AAA1C374E04208CFDB24DFA9C480ADDBBF2BF89314F259269E405AB366D730A985CF50

Function 02C87538 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C875BD
(_r, xrefs: 02C8763E

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: 28a59657eed120017a0c610de4f279e9541cfee5895e64b8fadbe31c8e38d635
Instruction ID: c36f69e18dc89764620e5322532f117149437905a481da8041d74132137e7ac1
Opcode Fuzzy Hash: 28a59657eed120017a0c610de4f279e9541cfee5895e64b8fadbe31c8e38d635
Instruction Fuzzy Hash: D151BE74E012089FCB08DFA9D5849DDFBF6BF89314F248269E415AB365E730A985CF50

Function 02C837ED Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C838A3
(_r, xrefs: 02C83821

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r$(_r
API String ID: 0-1507555547
Opcode ID: 3db8f8db8a8d7d18262b6446060b8b351e52607ccd6f0b0768f8691191ad6121
Instruction ID: 0051012e1f8fc0004539a25f137d5340b3a7a3abad6f8579093210133221a859
Opcode Fuzzy Hash: 3db8f8db8a8d7d18262b6446060b8b351e52607ccd6f0b0768f8691191ad6121
Instruction Fuzzy Hash: 00318174E002498FCB08DF99D584ADDFBF6BF89304F109166D415AB369D734AA4ACF50

Function 02C83C31 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

hkq, xrefs: 02C83C91
hkq, xrefs: 02C83CFC

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: hkq$hkq
API String ID: 0-880793452
Opcode ID: c658d80186de2ac67ad7f45c3162607455581836a37f92b59e602370c65e8abf
Instruction ID: 4c9d45bde811cbc4029b263fcf8e967ca02bcc74cbb743a10d93f4428bc0f5e6
Opcode Fuzzy Hash: c658d80186de2ac67ad7f45c3162607455581836a37f92b59e602370c65e8abf
Instruction Fuzzy Hash: FE317C74E0025A8FCB05DFA8DA409EEBBF5FF89304F008666E454B7255D730A906CBA1

Function 02C83238 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hkq, xrefs: 02C832E8
hkq, xrefs: 02C83286

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: hkq$hkq
API String ID: 0-880793452
Opcode ID: 130ff9b4dd291549c25b76521fc8833e76c6d5682f804d214ed214a744af1f1a
Instruction ID: d77398f79d41d0a12a4583b15d154e353553713d40767466f61f96e75a8bf763
Opcode Fuzzy Hash: 130ff9b4dd291549c25b76521fc8833e76c6d5682f804d214ed214a744af1f1a
Instruction Fuzzy Hash: 64213874E0015E8FCB45DFA8D6409DDBBF6EF88310F1082A6D424BB269DB30A946CF90

Function 02C83233 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hkq, xrefs: 02C832E8
hkq, xrefs: 02C83286

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: hkq$hkq
API String ID: 0-880793452
Opcode ID: 8d84f0c53b1b3cc589ef7a606204d184597118e35654153c7df38a25ac37acb5
Instruction ID: a79ca40d9dd1a7d5bd3c6b929ca4f63104976ec6da00e9d49c4764625abe3312
Opcode Fuzzy Hash: 8d84f0c53b1b3cc589ef7a606204d184597118e35654153c7df38a25ac37acb5
Instruction Fuzzy Hash: CF213874E0015A8FCB55DFA8D6509DDBBF6EF88310F1082A6D464BB269DB30A946CF90

Function 02C87428 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hkq, xrefs: 02C87476
hkq, xrefs: 02C874D8

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: hkq$hkq
API String ID: 0-880793452
Opcode ID: f9d1e24419095e4ed497b44b4e52328f0e4c2d66f79ce204387d3c1219d3e4e6
Instruction ID: e8e156a3a25d91d56f863334948fb2eb5f1984166e8248eb8014ad91ff6c260e
Opcode Fuzzy Hash: f9d1e24419095e4ed497b44b4e52328f0e4c2d66f79ce204387d3c1219d3e4e6
Instruction Fuzzy Hash: 3C213974E0014E8FCB09DFA8D5549DEBBB5EF88310F1181A6D420B7255DB30E946CBA1

Function 02C87423 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hkq, xrefs: 02C87476
hkq, xrefs: 02C874D8

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: hkq$hkq
API String ID: 0-880793452
Opcode ID: 4a749d795529c400f86a2dbc8039c11b4b4ce087822cff33396a8fc6dbd795ce
Instruction ID: 43d7a9242c04ac30f694c9312349e256dd82516b695903d24883eece9f32689d
Opcode Fuzzy Hash: 4a749d795529c400f86a2dbc8039c11b4b4ce087822cff33396a8fc6dbd795ce
Instruction Fuzzy Hash: 96215C34E0014A8FCF19DFA8E5509DEBBB5EF88300F1181A6D410B7255D730E946CBA1

Function 02C8B71D Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

\V~o, xrefs: 02C8BD80

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: \V~o
API String ID: 0-2753500597
Opcode ID: 175c1b2b75cc35fc67d43d3f81fdecc8de946ec208cda05852b95fb50bc30697
Instruction ID: ec9c3929085cfdcdf0a1969822879cfc0c36471f586c0c1bb131f405d890ba1c
Opcode Fuzzy Hash: 175c1b2b75cc35fc67d43d3f81fdecc8de946ec208cda05852b95fb50bc30697
Instruction Fuzzy Hash: E0225A71D042998FDB21DF68C890BDDBBB1FF4A308F0481AAD449A7261EB345E85CF55

Function 02C8B89B Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

\V~o, xrefs: 02C8BD80

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: \V~o
API String ID: 0-2753500597
Opcode ID: 28b9e4a65f58097b7599499488ef2585fdbf71ff37db2d472266ca97616328a8
Instruction ID: 0715f824dc0e98321217a3361f6cd51e794bbb4328fdb30b7748e2400cf08892
Opcode Fuzzy Hash: 28b9e4a65f58097b7599499488ef2585fdbf71ff37db2d472266ca97616328a8
Instruction Fuzzy Hash: 41F104B0D00219CFDB20DFA8C985BEDBBB1BF49308F1091AAD519A7250EB749E85CF55

Function 02D088C0 Relevance: 1.6, APIs: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 02D08959

Memory Dump Source

Source File: 00000003.00000002.4524351548.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d00000_5fnrWlGa3H.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 17dd7b15a4a46afac91a4635f4bf7ccb2971aecdac7f3b062b59ef564680839d
Instruction ID: 5f1d980897dd33b9d450260b551fd67c86641333b33b06360682fe467d1e92da
Opcode Fuzzy Hash: 17dd7b15a4a46afac91a4635f4bf7ccb2971aecdac7f3b062b59ef564680839d
Instruction Fuzzy Hash: EE31BCB8D01219DFCB10DFA9D984A9EFBF1BB49310F14906AE408B7350D335A945CF95

Function 02D088C8 Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 02D08959

Memory Dump Source

Source File: 00000003.00000002.4524351548.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d00000_5fnrWlGa3H.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba3a8fba0533799b4093dc810f047a279e5238ae95f60c831e7624ee94eb23b6
Instruction ID: 136320e45df899bd88b2cd79f675e402393db55be66e2164d940a594831bf01e
Opcode Fuzzy Hash: ba3a8fba0533799b4093dc810f047a279e5238ae95f60c831e7624ee94eb23b6
Instruction Fuzzy Hash: 2631BBB4D01218DFCB10CFAAD988A9EFBF5BB49310F14906AE808B7360D334A945CF65

Function 02C8ED13 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C8EE4F

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r
API String ID: 0-4211479794
Opcode ID: 0e3d2df2cbe0a077e5644ba22388d24f68db1f1eabeff63f3321f6c194df52bc
Instruction ID: 088b401fbaf2ea7260cb80a99f2f083017ecd7c48024b84c0afe0ab443b33a59
Opcode Fuzzy Hash: 0e3d2df2cbe0a077e5644ba22388d24f68db1f1eabeff63f3321f6c194df52bc
Instruction Fuzzy Hash: 0AD1B574D00219CFCB14DFAAC984ADDBBF6BF49314F248269D409AB366D730AA45CF50

Function 02C84B48 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

(nq, xrefs: 02C84BCA

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: bede5552e4e7b0872eb173a7deeef2c758250adab9d677242306ec504d8205d6
Instruction ID: f613c0699887cedc801fb1a2f00216b0fe5c07f089ef22d6578055773e5d1404
Opcode Fuzzy Hash: bede5552e4e7b0872eb173a7deeef2c758250adab9d677242306ec504d8205d6
Instruction Fuzzy Hash: F7D1BF74A00259CFCB14DFA8D984A9DFBF5FF48314F1582A9E409AB36AD730A985CF50

Function 02C850D3 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C85215

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r
API String ID: 0-4211479794
Opcode ID: 3733bc86012c48093ac769368e1e342024175e1449ac1bc736cf0698af44bc92
Instruction ID: b3e873cda2407841713a6d73c5ec87cce3e067cde719791e4aa46d48ec9cd562
Opcode Fuzzy Hash: 3733bc86012c48093ac769368e1e342024175e1449ac1bc736cf0698af44bc92
Instruction Fuzzy Hash: C3C1AF74A00318CFCB14DFA9C888ADCBBF6BF89314F5586A9D419AB265D770A945CF40

Function 02C84B43 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

(nq, xrefs: 02C84BCA

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: 560e428fb642252f0d719a00a461501536a4ef820b48bc2eec011635b5d3d1a7
Instruction ID: 57dda4f9ac869a2d1b209cbfe5a3671795167954529b8a4b0e1e9acca6327436
Opcode Fuzzy Hash: 560e428fb642252f0d719a00a461501536a4ef820b48bc2eec011635b5d3d1a7
Instruction Fuzzy Hash: 06C1B074A00259CFDB14DFA8C984A9DFBF1FF48314F1582A5D408AB36AD770A989CF50

Function 02C85A73 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

Tejq, xrefs: 02C85B49

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: ee4e8694fc7e567f96633f855bdca35d1b86fa6f73f89d83772b0869c166debd
Instruction ID: defc3ed659e3daef275488ea3d5a46b6aec6af311e4c57d215e2ca707b371c22
Opcode Fuzzy Hash: ee4e8694fc7e567f96633f855bdca35d1b86fa6f73f89d83772b0869c166debd
Instruction Fuzzy Hash: 1C51A078E01218DFDB48DFA9D99499DBBF2FF89314F208069E815AB365DB31A845CF04

Function 02C8F93B Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02C8F9B7

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 1605e54e021d6e6e34aab855e609dacc249f56c1df255172abefe8491894beb5
Instruction ID: df5e471f12b83a38936044142b0725e99c8dd9e88e2ed5130455f564df6217b9
Opcode Fuzzy Hash: 1605e54e021d6e6e34aab855e609dacc249f56c1df255172abefe8491894beb5
Instruction Fuzzy Hash: AD518E74E012188FCB14DFA9D984AEDBBF2BF89304F609029D419BB364DB34A946CF44

Function 02C85863 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

Tejq, xrefs: 02C8593A

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: da4fea9ae98e231489e8a2482b828c088667260e606db2f4df2cfbe898d8be12
Instruction ID: ee651e28408fdb49759150f4ec73791314a684ea3082f48c512866745396369f
Opcode Fuzzy Hash: da4fea9ae98e231489e8a2482b828c088667260e606db2f4df2cfbe898d8be12
Instruction Fuzzy Hash: B051AF78E00218DFDB58DFA9D98499DBBF2BF89314F208069E805AB365DB31AC45CF00

Function 02C87E88 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02C87F20

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 72381df01f11c7cd206ea5b01f2e09c7fb1272c924a4a15af330b2dd24bfa6c7
Instruction ID: 29f68f986e55c9e5dba83a08e8537b6bc4acbb38aeb0fbd2f2b9446f4afd723f
Opcode Fuzzy Hash: 72381df01f11c7cd206ea5b01f2e09c7fb1272c924a4a15af330b2dd24bfa6c7
Instruction Fuzzy Hash: 604190B4E012199FCB08DFAAD5808DEFBB2FF89300B64916AD415AB354DB35A945CF90

Function 02C87E83 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02C87F20

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 76f291aba575f6b716949e089044512f2f007fc902ddd28d021e7b685831e8b7
Instruction ID: 47d4d0072c259b72396cce70bd09764641f533509d10d8aeec23300902cbda7b
Opcode Fuzzy Hash: 76f291aba575f6b716949e089044512f2f007fc902ddd28d021e7b685831e8b7
Instruction Fuzzy Hash: 9D41A174E012199FCB08DFAAD5809EEBBF2BF89300B14C06AE415AB364DB359945CF50

Function 02C87533 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

(_r, xrefs: 02C875BD

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (_r
API String ID: 0-4211479794
Opcode ID: 5b2bed156c46db64161b0266b486c038671950cef0cfba4b4a3f28deb8ec18ae
Instruction ID: eb452a263039f9510550a7382082fe1816bde16546d4e6075a21af9414a9d75c
Opcode Fuzzy Hash: 5b2bed156c46db64161b0266b486c038671950cef0cfba4b4a3f28deb8ec18ae
Instruction Fuzzy Hash: 1C31E174E012189FCB09DFA9D880ADDFBF6BF89314F14816AE401AB324E7719949CF50

Function 02C826A8 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

(nq, xrefs: 02C8271D

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: e990e464e7b151102fc57f5b92670c35fe466401dbfa62fbd20f67aa132b0bf5
Instruction ID: d4cd15583b73a8640950817fe609fa60048484055f77bca6b4e19c88869558a8
Opcode Fuzzy Hash: e990e464e7b151102fc57f5b92670c35fe466401dbfa62fbd20f67aa132b0bf5
Instruction Fuzzy Hash: 73012631A142898FDB1A9F34C4286AFBFB6AF85340F15846AC442EB294CF745906C792

Function 02C86948 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

(nq, xrefs: 02C8698F

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: 21b897eb4a2573e39d4c12519e7cd3d113baa500d0a72a4ec60fc2323c12b5ba
Instruction ID: 3590c41adcf6967f5d2caab174def7214ca828d79f52f4f859329c73c36432f3
Opcode Fuzzy Hash: 21b897eb4a2573e39d4c12519e7cd3d113baa500d0a72a4ec60fc2323c12b5ba
Instruction Fuzzy Hash: 2D01B131E1422B8FCB44EFB898151EFBFB2FF86201B108566C514F7240EB301A4AC791

Function 02C8C6CB Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c296197b8567eebbaa9d2da29fb3216b33cf3b9cbdc4ed3f517b30056b474d0d
Instruction ID: 4ea8aebfd93e46912ebb2180c8dbf262f5c2ce4f2407b2db6250b649d86f2243
Opcode Fuzzy Hash: c296197b8567eebbaa9d2da29fb3216b33cf3b9cbdc4ed3f517b30056b474d0d
Instruction Fuzzy Hash: 05F1F5B0D00219CFDB24DFA8C985BEDBBB1BF49308F1491AAD509B7250EB749A84CF55

Function 02C8D678 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffdc5ef7a5478037801b1d371fa7409294421f8d87bed74cd80da0d61065c49
Instruction ID: 8f1711fcf8a1cb8ea56d345e8ff8a7ce83255bca392ac3b2eb202ee816a6ecb2
Opcode Fuzzy Hash: 0ffdc5ef7a5478037801b1d371fa7409294421f8d87bed74cd80da0d61065c49
Instruction Fuzzy Hash: A4E19B74A00318CFCB18DFA9D9889DDBBB6FF4A314F149269E40AAB365D730A945CF50

Function 02C8120B Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc358af2fe437055685eb33d9593a233fe42f5ab497a3c89294a6b622db5b28
Instruction ID: d419aa60735122536b0b1a73e6c4db8f927f3def5df2354e8243e37b0f5d2fa9
Opcode Fuzzy Hash: fbc358af2fe437055685eb33d9593a233fe42f5ab497a3c89294a6b622db5b28
Instruction Fuzzy Hash: EAA1C474A00229CFCB24DF99D984BD9B7B6FF49304F1082A6D41DAB265E770AA85CF50

Function 02C8D66F Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de17901722e3c0b72a1fd25da43d7f3b87d952843d09da3e002ed575d564208
Instruction ID: 57dfcaf724b9b2c534ad694e8be01501ef75336de0532f3a0a367e779cdd0bc5
Opcode Fuzzy Hash: 6de17901722e3c0b72a1fd25da43d7f3b87d952843d09da3e002ed575d564208
Instruction Fuzzy Hash: 9A81CF74A00319CFCB08DFA9D8889DDBBB6FF8A314F159265E40AAB365D730A945CF50

Function 02C82230 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad25a2274ba728c41a43a987cd554872e91e129cdfc30812248c0f40c0a1c416
Instruction ID: 23876e7594cf35b33d4d464f75e3f386d6334c1d4923c9caf48e9a820e66b221
Opcode Fuzzy Hash: ad25a2274ba728c41a43a987cd554872e91e129cdfc30812248c0f40c0a1c416
Instruction Fuzzy Hash: BC61E374E00258CFCB08DFA9C984ADDFBB6FF89314F148169E809AB365D770A946CB51

Function 02C88F08 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9b1eef5c0f103b21a7160b92ab1c6a9ae9614114fa0240dd67d73d6fd5568b
Instruction ID: d58b0d387ddd694839b29d17bd096a57845e2bc00240f63205619e0cd04a6629
Opcode Fuzzy Hash: 7b9b1eef5c0f103b21a7160b92ab1c6a9ae9614114fa0240dd67d73d6fd5568b
Instruction Fuzzy Hash: B351ABB4D04258DFDF10DFA9D984AAEFBB1BF49304F20906AE818B7211DB359985CF94

Function 02C88F07 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acd9ed228a551db2feb6c2ada213c795815b41330faf113255f34594feffd8a
Instruction ID: 4677941c250da22475a3d05ad9daa0e9ce9967bb5ad3a4e83a7c618c9ee60ead
Opcode Fuzzy Hash: 4acd9ed228a551db2feb6c2ada213c795815b41330faf113255f34594feffd8a
Instruction Fuzzy Hash: 4351ABB4D04258DFDF10DFA9D984AAEFBB1BF49304F20906AE808B7211DB359985CF54

Function 02C81F0C Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2ffff9659d78c329de881256d6639eaf23fd51b08eab15a79e3c67126d2a7
Instruction ID: eac2de899bda3626524e26de95cf30ae1281885d1d198ea271f0be27f66d6b28
Opcode Fuzzy Hash: 05a2ffff9659d78c329de881256d6639eaf23fd51b08eab15a79e3c67126d2a7
Instruction Fuzzy Hash: F051E0B4D04248DFCF10DFA5C984AEEBBB1AF49300F24902AE809BB254CB359A45CF54

Function 02C87FE3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257fdc11e66e65fb7e114a53a44333680f67f821a9f577bbd5aebb7c2813db05
Instruction ID: d74c2c6e6d1ec6ea64e365a1ec9c02633370d1a343a715383c862f2a40d5a11d
Opcode Fuzzy Hash: 257fdc11e66e65fb7e114a53a44333680f67f821a9f577bbd5aebb7c2813db05
Instruction Fuzzy Hash: 4651E074E00218DFDB18EFA9D944AADBBB2FF89309F508629E405AB364DB356945CF40

Function 02C8CE6B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af475486e86565538308bee82a955d2ccbc3fabdc65f28bb318e7ab68cd2e54
Instruction ID: e27d325c408ee43e107fd7310ea6c6be0fc9097db6220ff26f7f27e9552bb765
Opcode Fuzzy Hash: 0af475486e86565538308bee82a955d2ccbc3fabdc65f28bb318e7ab68cd2e54
Instruction Fuzzy Hash: 7351C274D01308CFDB18EFB5D554AADBBB2BF89308F208529D415AB364DB35A946CF44

Function 02C81F18 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3462fe375101362bff8b526a6a5c0e8aa5cb6f9d4dab294227e62d5275aabd
Instruction ID: 1844442df3ac75a76ec1a3c8442e6359b22471917a70daf1280e0f3f60e2e7c8
Opcode Fuzzy Hash: 6e3462fe375101362bff8b526a6a5c0e8aa5cb6f9d4dab294227e62d5275aabd
Instruction Fuzzy Hash: 0C41C0B4D042489FDB10DFAAD984A9EBBB1BF49300F20902AE809BB254DB359945CF54

Function 02C8F378 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64872da402a56656fb91bb994d2c6eeeec02d7b8a009d14f47b5cbedfe3cb50
Instruction ID: 7b937db7a901cca75cbf1f20f4bec1b6896527d672e647e77634d0bed2d08d98
Opcode Fuzzy Hash: a64872da402a56656fb91bb994d2c6eeeec02d7b8a009d14f47b5cbedfe3cb50
Instruction Fuzzy Hash: A151C074E012089FCB08DFA9E5849DDBBF6BF88314F508669E405AB365D734A945CF90

Function 02C8D240 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d2062e367ec4c6534dd4eeba841d47a25f64acfa24ba3183e19651330f122e
Instruction ID: e2df400c3be3235f3dbf99c2a3a4c69ed12709f5096df37fded8594f8855563f
Opcode Fuzzy Hash: 99d2062e367ec4c6534dd4eeba841d47a25f64acfa24ba3183e19651330f122e
Instruction Fuzzy Hash: 9951CF74E00218CFCB04DFA9C984ADDBBB6BF89314F148169E41ABB3A5D774A946CF50

Function 02C82221 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9cfb01eaccd26ece96166b8b6d4a348886e87fef8a4effdbd66e63156e7c69
Instruction ID: b537636307d6e4231363f4e9dd75878f37ad45ed3b4b750fe9beb7b2019bdd4c
Opcode Fuzzy Hash: 8b9cfb01eaccd26ece96166b8b6d4a348886e87fef8a4effdbd66e63156e7c69
Instruction Fuzzy Hash: BA51E374E00218CFCB09DFA8D984ADDFBB2FF89314F148169D805AB364D770A986CB51

Function 02C869CB Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9fff010028b2fb6b9e00af210f2703e7d334a5a164c9b85fd78b01670953cd
Instruction ID: df7636541d633da253b77f29de1412047507d717cd25dafe04b497848b3cb7ef
Opcode Fuzzy Hash: 4a9fff010028b2fb6b9e00af210f2703e7d334a5a164c9b85fd78b01670953cd
Instruction Fuzzy Hash: CA413E30E401089FDB19EFA9D594BEEBBF6BF88354F24C069E416A7254DB719C80CB64

Function 02C83D5B Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970635898eff4170caf4bd21cea51d002e4de44dea6e53d379500ff3925a89bb
Instruction ID: 7fe48540b66fb82b1147a91b2f5de49d49eec6271abd5368e587e67d3d91bb65
Opcode Fuzzy Hash: 970635898eff4170caf4bd21cea51d002e4de44dea6e53d379500ff3925a89bb
Instruction Fuzzy Hash: 4541C470D003198FCB14DFA9C584ADDBBF2FF89314F6191A9D458AB265D770AE86CB80

Function 02C87CFB Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207d8d36255ae508095360f035f51693133094c92ed15961e9727860a8574578
Instruction ID: 0e1afd9caa5c0d9c3753925ebfdf4110eec44ace2b7748071afe688c5aa9ce8f
Opcode Fuzzy Hash: 207d8d36255ae508095360f035f51693133094c92ed15961e9727860a8574578
Instruction Fuzzy Hash: 2A41B4B4D00258DFCB04DFA9D954A9DFBB6FF89300F208429D819AB369DB345D06CB50

Function 02C8F36F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c605bb2aa28a00c976f1d06fff450a04956a50b232b4165d1815f986acbc0725
Instruction ID: 711b2588191aeef7dd02b2b816ea78f9eb5d0d105fbb2321e342d36a3908f036
Opcode Fuzzy Hash: c605bb2aa28a00c976f1d06fff450a04956a50b232b4165d1815f986acbc0725
Instruction Fuzzy Hash: 3541EF74E01208DFCB05DFA8E5849DDBBB6FF88314F14866AE405AB329D734A985CF80

Function 02C8E16F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1b927647acdd3b536c64aeff6708a75afe6bb126aba65d11149f1ecd50a7fc
Instruction ID: fa4d4c672242b5cc17bd762d3e1c52b6518fc9b34144fa5d7165fea09d84dca1
Opcode Fuzzy Hash: ee1b927647acdd3b536c64aeff6708a75afe6bb126aba65d11149f1ecd50a7fc
Instruction Fuzzy Hash: A341F974D05219CFDB24DFA5D980ADDBBB5FF49314F209269E409AB366D730A984CF40

Function 02C862F0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79175c0bcce578500885ff83c529b04c5c75ac669476dcfe7af769f889da6d87
Instruction ID: 1281c7d60fc5d6107aa487245d6dd48a6d51a92c17e91738c1e623f3a1d18234
Opcode Fuzzy Hash: 79175c0bcce578500885ff83c529b04c5c75ac669476dcfe7af769f889da6d87
Instruction Fuzzy Hash: 7041E274E012199FCB08DFA9E584AEEBBF6BF88314F108029E425B7394DB745945CF50

Function 02C845B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b9075071a71867d4c09d51fb1363df0758212f1f67d3ebc8abe7e76541e156
Instruction ID: 2ea8794e5f2fd8dc0dc1ac511d97d2277c785c90ef9dab02d6dfba3ae4b50326
Opcode Fuzzy Hash: 33b9075071a71867d4c09d51fb1363df0758212f1f67d3ebc8abe7e76541e156
Instruction Fuzzy Hash: 2731AC30B0010A9FDB18DB69C840A9FF7EAEFC8294F14C12AE406EB354DB30ED418B90

Function 02C8D233 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b996eedaeeb6a8ed4576c220f3f9c3874406587fda907882a89cda18e75df7d6
Instruction ID: 00c3d4fe6df1db97b57d1c92b928f4a4592db5c05cb77c39b17cff46aefd6ab9
Opcode Fuzzy Hash: b996eedaeeb6a8ed4576c220f3f9c3874406587fda907882a89cda18e75df7d6
Instruction Fuzzy Hash: B231F275E00218DFCB05DFA9D884ADDFBB2FF89314F14816AD806A7265DB74A846CF90

Function 02C8E330 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271f7d9e7aa8135a09fc3022fc76447984237fb80c82b84c35f6598d8262b44c
Instruction ID: cb184d96d3fd7b5580febfad0b8f792f0ba9f33e1a0c1a9292826cf3543b97a0
Opcode Fuzzy Hash: 271f7d9e7aa8135a09fc3022fc76447984237fb80c82b84c35f6598d8262b44c
Instruction Fuzzy Hash: 6621F131B001099FCB06DB68C840A9EBBF6EFC8254F18C07AE44ADB356DB31ED468790

Function 0110D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4523232825.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110d000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84aee1ba762dee4079792b3b92c08153086bcca657eb400651d02cab40a6182d
Instruction ID: 56c20c106995d0aabbfb6beae701494473928bc0c54581fb3f75d03a40bbd09b
Opcode Fuzzy Hash: 84aee1ba762dee4079792b3b92c08153086bcca657eb400651d02cab40a6182d
Instruction Fuzzy Hash: 67210B71900240DFDF1ADF94E9C0F16BF65FB88314F24C669E9090B296C37AD416CBA2

Function 02C820E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a059b4e08cb7f7dd871deeced323dc3e95a3b20fb84a243e014de962a244b2
Instruction ID: 8bd8d671ff1410db754590973efcfa04569ec227b87de16ad38cc5d0868736e0
Opcode Fuzzy Hash: 12a059b4e08cb7f7dd871deeced323dc3e95a3b20fb84a243e014de962a244b2
Instruction Fuzzy Hash: A431CA74E0015A9FCB05DFA8D6409DDFBB5FF48310F1082A6D914AB365D734EA46CB94

Function 02C8DB43 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae68685c6ab4b6e0032f0bac8f3e780a6a247fd9ab5486c949a20369de0db379
Instruction ID: 7d0b09dff4bd1f57d12830ab72689611f485f9b71580006dd9fc42ddd9ef20ec
Opcode Fuzzy Hash: ae68685c6ab4b6e0032f0bac8f3e780a6a247fd9ab5486c949a20369de0db379
Instruction Fuzzy Hash: 71310A74E0021A8FCF45DFA8D9409EEBBB5FF88314B408666E455AB365D730AD46CB90

Function 02C8E4C9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a567389ff8fb7e692d23e737f98501fd329876278fa0ae063ed4709579ccee
Instruction ID: 913d4e7506c2e861e479f0e690c136979336e929acc0deaea7fef0519e5b3b14
Opcode Fuzzy Hash: 87a567389ff8fb7e692d23e737f98501fd329876278fa0ae063ed4709579ccee
Instruction Fuzzy Hash: 44315770E0021A9FCF06DFA8D9509DDBBB5EF49300F0482A6E454BB255D770AE06CF90

Function 02C8F24F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc20bae6558ab121697806ac309ab48d6aab45afea8d1298536004d698aa239
Instruction ID: d0cb796c43fcdce36f263a8069df011a514cfe1b1e6588b7f8d63e48c88cf973
Opcode Fuzzy Hash: cdc20bae6558ab121697806ac309ab48d6aab45afea8d1298536004d698aa239
Instruction Fuzzy Hash: FD31F930D4014E9FCF09DFA8D8509DDBBB5EF4A314F4482A6D450AB265DB74AD46CB90

Function 02C87893 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332e12159e7adc08f2b02eee1e4a315d9ad153921a28cd68bd380c883e0ca423
Instruction ID: 6f7e704cc18b7c1de7e40ca2401cc943637d3ee03f78029a9299f3328a198d1a
Opcode Fuzzy Hash: 332e12159e7adc08f2b02eee1e4a315d9ad153921a28cd68bd380c883e0ca423
Instruction Fuzzy Hash: 68212A70E017188FDB08DFAAC644BDDFBF2AF8D314F158169D408AB261E7359A44CB50

Function 02C82583 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8618263d08916c7aaaa0d4c41bf60d7896db13bbcc841a584da8e66a4f9f26
Instruction ID: be59f27693a482e297441d71dcec37bc59c8a10318d90d995817684134e5889b
Opcode Fuzzy Hash: dc8618263d08916c7aaaa0d4c41bf60d7896db13bbcc841a584da8e66a4f9f26
Instruction Fuzzy Hash: D73108B0D0021A9FCB49DFA9D9909EDBBB5FF49310F408566E821B7365D730AD46CB90

Function 02C80A49 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab058449cb924e12837915e47e09ec79f6e7fa3cd762b9a2e0a2b742664bd10
Instruction ID: 95b1d6f0e84a201489a805d74297e88c95f9cb718723af90a671a7ee658dc13c
Opcode Fuzzy Hash: 1ab058449cb924e12837915e47e09ec79f6e7fa3cd762b9a2e0a2b742664bd10
Instruction Fuzzy Hash: 39218931E0124E9FCF45DFA8C5509DDBBB1EF8A304F4482A6D460BB265EB30AD46CB90

Function 02C8EBFB Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50e254d1fe405209787a43a85bfe2a47ec7762362c6aea5e020a4267b1d6338
Instruction ID: e23bb958c33bdabc59c3dbfc4d411d987b2d6544130e38eedd4fdf39617fffa2
Opcode Fuzzy Hash: a50e254d1fe405209787a43a85bfe2a47ec7762362c6aea5e020a4267b1d6338
Instruction Fuzzy Hash: 5821F570D0011E9FCB05DFA8D9509DDBBB5FF49304F4082A6D495AB265DB70AE46CB90

Function 02C8777B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6deafbeae0bf2544dc2b57b455a774f40de80c92b26f343f9b0e2b575933dd31
Instruction ID: 1679e84d0b71befad3a642478e04d7ac7fbceeccdaa2b563a6dc1bd065fafdaf
Opcode Fuzzy Hash: 6deafbeae0bf2544dc2b57b455a774f40de80c92b26f343f9b0e2b575933dd31
Instruction Fuzzy Hash: E421F570E0011E9FCB05DFA8D9509DDBBB5FF49314F0082A6D464BB265DB30AD46CB94

Function 02C8D55B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70445db4295bb2a8f005b5c9bf794608008b1d968f328e03ad6dd7fadc1db61
Instruction ID: f1b2e0b86331bb01fe52253f59c0036c1f7768b218636ce7ed02d0c378763de6
Opcode Fuzzy Hash: d70445db4295bb2a8f005b5c9bf794608008b1d968f328e03ad6dd7fadc1db61
Instruction Fuzzy Hash: C121F570D0011A9FCF05DFA8D9509DDBBB5FF49304F0482A6D4A4AB265DB70AA46CF90

Function 02C8FACB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e53687ce2789559dee9bf2cc5ac9edb9fa30a9e2425f84583fe091f8fd49af
Instruction ID: 4eb1965ceddbd1fa7a41e1211e8b6aeccb903e833bfbb895df096e5a0f9ec16d
Opcode Fuzzy Hash: e2e53687ce2789559dee9bf2cc5ac9edb9fa30a9e2425f84583fe091f8fd49af
Instruction Fuzzy Hash: 2D21B9B4D012489FCB10DFA9D584ADEFBF0EB49324F24905AE818B7310C739A945CFA4

Function 02C8FAD0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ea59f9da50dfbd89e7d3191008256ec9086cb7690e3ee24e1e17d5c8986faf
Instruction ID: 6317a340bbc46963fb80310cc40a54d1b0c39c56f60f1fc80a72458d81feabd7
Opcode Fuzzy Hash: 54ea59f9da50dfbd89e7d3191008256ec9086cb7690e3ee24e1e17d5c8986faf
Instruction Fuzzy Hash: 8C219AB4D012489FCB10DFA9D584ADEFBF4EB49324F24905AE818B7310D739A945CFA4

Function 02C84A2B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef79595f55124767ffa1f586af94a90cb1c4a34adde7b291c47ccbb544a7711f
Instruction ID: bdc74b2a41ccdac9b8aa8eedd4a6cd2d9fd0798486e48d9cd10a949db5397869
Opcode Fuzzy Hash: ef79595f55124767ffa1f586af94a90cb1c4a34adde7b291c47ccbb544a7711f
Instruction Fuzzy Hash: DE212770E0015E9FCF09DFA8DA909DDBBB1FF49304F0182A6D424BB265D730AA46CB90

Function 02C84A30 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64398698d796e2e02d2018c7a09190d79ddea52fd67505bbffaf1a1b541fccca
Instruction ID: 65890fb6dfeb302caa920f70faa036d6262bef69c86dbfceba64fe35acb0630e
Opcode Fuzzy Hash: 64398698d796e2e02d2018c7a09190d79ddea52fd67505bbffaf1a1b541fccca
Instruction Fuzzy Hash: 90210770E0015E9FCF09DFA8DA909DDBBB5FF49304F4182A6D424BB265D730AA46CB90

Function 02C8D128 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6ebb647f19878fe0515a0d3760674d6c91459aa2ddfe9cf5a3f3660e24aefc
Instruction ID: f151776ae3c743940b7fabd2676215b066a57375caceeb9c0975240555a9bdc0
Opcode Fuzzy Hash: 7f6ebb647f19878fe0515a0d3760674d6c91459aa2ddfe9cf5a3f3660e24aefc
Instruction Fuzzy Hash: 69210730E0014A9FCF09DFA8E9849DDBBB5FF48310F4082A6D415BB265D771EA46CB91

Function 02C8D123 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615e2c141f72ff75a89b0738c890174f89e6ecd9ef726b65a4e15e3010906a89
Instruction ID: 9e74900bd6b7b0cd3302f5aec5fb6d6da06684af0f3f81d08b36e529f8fbd229
Opcode Fuzzy Hash: 615e2c141f72ff75a89b0738c890174f89e6ecd9ef726b65a4e15e3010906a89
Instruction Fuzzy Hash: 4D210730E0014A9FCF09DFA8E9949DDBBB5FF49310F0082A6D415BB265D771EA46CB91

Function 02C84FD3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e772dd3e37b7c8289cf5d4e33b076e6e3f7dca3dc69f2198ba887bfdb1c0713
Instruction ID: 488376ee8b7430cc4615b568732f5aa23381aa1e19caf2d3c624b302b4883b50
Opcode Fuzzy Hash: 6e772dd3e37b7c8289cf5d4e33b076e6e3f7dca3dc69f2198ba887bfdb1c0713
Instruction Fuzzy Hash: C8210730D1010E9FCF59DFA8D4509EDBBB5EF49314F0082A6D460BB265DB70A946CB94

Function 0110D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4523232825.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110d000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 780f89f31bc0d9b6ba71fa555c181a53eafcb9a3394484cc7068d1a155a68042
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 8121C076904280DFCF06CF94E9C4B16BF72FB88314F24C6A9E9480A257C37AD426CB91

Function 02C82698 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10406e58686c326509c6301340b36d3c63aedc0c54d5cdb13498658873897a5
Instruction ID: 0f3d098743b2e1fe654b197196c0f1114864ac4a87c82b4f9840ed498a413310
Opcode Fuzzy Hash: a10406e58686c326509c6301340b36d3c63aedc0c54d5cdb13498658873897a5
Instruction Fuzzy Hash: AB01BD31C013848FD706CF34C4095EABFB2AF41308F0884BEC882EB252DB30550ACB81

Function 02C80848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5107d6ff72dcdbc93f34595cbb2e984a4a7b244d3e41c2c95660eed5a44751b9
Instruction ID: f67ceef84d9c99b8f06095c0223fb504a92bb96b7d2cf2b54072596aa29f21dc
Opcode Fuzzy Hash: 5107d6ff72dcdbc93f34595cbb2e984a4a7b244d3e41c2c95660eed5a44751b9
Instruction Fuzzy Hash: E6116D70D0020DAFCB49EFA9F648A8DBBB6FF44305F508674C1149B669DB746A49CF81

Function 0110D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4523232825.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110d000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d5860b1780dfb628d64db9273895d110d54ca8201e74ca227dd662484bf718
Instruction ID: 4f117a2153eb785ed888397f2f0836dee1f8d0f9fb9615bbfcf09d51c565acc5
Opcode Fuzzy Hash: 61d5860b1780dfb628d64db9273895d110d54ca8201e74ca227dd662484bf718
Instruction Fuzzy Hash: 6401FC7150430099EB2A8AD9DD84767BFDCEF45320F18C52AED084A2C6C7B99441CA72

Function 02C857DB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093b58d04dfee7e0e1375571fc513aab18635388d6484ab7bf872159808eb76b
Instruction ID: 90f7248a2feb3d98294f1d4a3415ca095c0d664e52e020af896df34e853714f4
Opcode Fuzzy Hash: 093b58d04dfee7e0e1375571fc513aab18635388d6484ab7bf872159808eb76b
Instruction Fuzzy Hash: 6311D3B4D05208AFCB05DFA9C940AAEBBF1BF49300F10C1AAE818A7355D7709A41DF91

Function 02C871C3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6788dfe5e832bfdb2ab659dc0b470ebc185b5b4fc0bc78a20a6762b82fc276b
Instruction ID: cfc4db0ae938e0c1fb9ae981ca276d596355249fb51b76004d5f4f6645799375
Opcode Fuzzy Hash: f6788dfe5e832bfdb2ab659dc0b470ebc185b5b4fc0bc78a20a6762b82fc276b
Instruction Fuzzy Hash: 060102B4D04109DFCB14DFA9D580AEEFBF5AB48304F20C1A9E814A7215E3349A44CFA1

Function 02C82460 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e7b7e0084b15dfd568009aa9a8356cdbe3b54f894397e22a362cdab9224e61
Instruction ID: 25952368b1fd1baac2050015cf6ed1fd3e8852ecddf3eed59adbf33f3433703b
Opcode Fuzzy Hash: 98e7b7e0084b15dfd568009aa9a8356cdbe3b54f894397e22a362cdab9224e61
Instruction Fuzzy Hash: 7B018C70A01209DFCB05DF68D640D9DBBB1EF82308F14C2A9C80867266D7759E45DF81

Function 02C86930 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fe0780164e99291989fc2986a5049240000a9065ab3e1992234dac2a284baa
Instruction ID: c6d92c22f6ae2e1e9423d1d9cca1eb2e6ca99d62e6e9a864f91516568800f55d
Opcode Fuzzy Hash: 78fe0780164e99291989fc2986a5049240000a9065ab3e1992234dac2a284baa
Instruction Fuzzy Hash: 77016D31C0939B8FCB02DBB8C8114EEBFB5FE86204B1545AAD554EB056E7702A5ACB91

Function 0110D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4523232825.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110d000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e1a45caab21afb6b5691f46bb10bd32cdbbe5ca49859aa97189de2b407e956
Instruction ID: d5cc80821337dad64b5e98c3de6279d53085ffdf81d8d3083a6b385110c78586
Opcode Fuzzy Hash: c2e1a45caab21afb6b5691f46bb10bd32cdbbe5ca49859aa97189de2b407e956
Instruction Fuzzy Hash: 82F0C271404344AAFB258A4ADC84B62FFE8EF81634F18C45AED084B2C6C3B99840CAB1

Function 02C809DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e985b0be4efc93b30d6bf9884fbf9ef48123ed161482fca8d976f4aa5e18fe21
Instruction ID: 11c9dde184c0689752ddb5ffbc44703e3ffb8385da59c35999a44d3a2083662d
Opcode Fuzzy Hash: e985b0be4efc93b30d6bf9884fbf9ef48123ed161482fca8d976f4aa5e18fe21
Instruction Fuzzy Hash: 7101D270805309DFCB46DFB8C9449ADBBB0FF06304F1445EAC455A7266EB759A85CB81

Function 02C8D1FB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e647419c4bc8f5e77d4aa75c96056fcb3328c877c0844c721eb59137134c532
Instruction ID: f3274900caa8c6b0cfab982e5ff77a016c657428e048afd0fa83193bd432dda6
Opcode Fuzzy Hash: 1e647419c4bc8f5e77d4aa75c96056fcb3328c877c0844c721eb59137134c532
Instruction Fuzzy Hash: 0EF09A31A4508A9FCB06DBB8A451AFEBFB0AF82229F4481E6D485A7162C7209D13CB51

Function 02C81880 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2996c29911dd1291b975068711a9f98e5238fc464d1fac250555cb9aefd4090b
Instruction ID: 960af7f72f8d738b0cc40ffcfcd227d531ecb61d7cb818ad7758fc829a59138b
Opcode Fuzzy Hash: 2996c29911dd1291b975068711a9f98e5238fc464d1fac250555cb9aefd4090b
Instruction Fuzzy Hash: 85F017B4D0420D8BCF00EFA6D4047EEBBF4AF89315F049025D41877240D7795A4ACFA1

Function 02C831D8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa619fe191f5cf222baa7f4da0df37a04148c498a957a3ae328ae83d96fbcbc
Instruction ID: 7e7113bd7ab30d2f891bb0316b4b8e338641aa6a6338dd1481241cdba48f8f00
Opcode Fuzzy Hash: 0fa619fe191f5cf222baa7f4da0df37a04148c498a957a3ae328ae83d96fbcbc
Instruction Fuzzy Hash: C2F06770806384AFCB15CFB8DA4589CBFF0AF46315F2481EAC80867222C3359A49CB41

Function 02C81DD8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31622f7b2f31c64cd5f351ac1f13a75f57b62eb8cfbdb6389b8dcdc3ffdd4eb4
Instruction ID: 6440d52f95219ff974b65e1ca258e81d146646a44290b94c6183b491c541d4a4
Opcode Fuzzy Hash: 31622f7b2f31c64cd5f351ac1f13a75f57b62eb8cfbdb6389b8dcdc3ffdd4eb4
Instruction Fuzzy Hash: DAE06D32B04144AF8718DE4AE444D6ABBEAFBC9260758C02BF84DC7305DBB1DD42CB90

Function 02C809F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf32e6934bbb22b3a677c7a11ab8e3773a0978e3a6fd25906f2e7feca411011d
Instruction ID: 5828dd09f8cb7a54057ce8774d5156f16ed6380c5774879c1d0e317bbf0d462b
Opcode Fuzzy Hash: bf32e6934bbb22b3a677c7a11ab8e3773a0978e3a6fd25906f2e7feca411011d
Instruction Fuzzy Hash: ABF0B270C00209DFCB55EFB8D545AEEBBB4FB04304F1046AAC415A7354EB709A84CB81

Function 02C823DF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55db672c97f999bf329f39e5e30ce7940e7bf152fd49d37babfa502e78762806
Instruction ID: 64a33c8f61c16dde3e499e2016d21d8b6e72d2d3ee2c6e05ebd87c6f5b642889
Opcode Fuzzy Hash: 55db672c97f999bf329f39e5e30ce7940e7bf152fd49d37babfa502e78762806
Instruction Fuzzy Hash: 51E01A74E00258CBCB28DFAAD9448ADF7B1FFC4324B009565D515AB268D770DD12CB41

Function 02C8717B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e095b4b3aa498f7ec04ddba6922af6411fd32b5da82a74c9984eca3d68a9a3e
Instruction ID: eabba5bd2eb5201a4714ab64ff7799c617c21378dde0fb9bea00fef2c6b70223
Opcode Fuzzy Hash: 8e095b4b3aa498f7ec04ddba6922af6411fd32b5da82a74c9984eca3d68a9a3e
Instruction Fuzzy Hash: 9CE0DF70D01204DFC318CF78D904AADF3F5EF89318F50C0A89408AB324E7319A01DB00

Function 02C831E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d13e0db67f5f868cac40ad707dc9e7151cb2244f22eb5269e209651a333127c
Instruction ID: 79a820d701ec0b339b7916e3a74fc01315a21700eeb828648689af26cc11b56b
Opcode Fuzzy Hash: 5d13e0db67f5f868cac40ad707dc9e7151cb2244f22eb5269e209651a333127c
Instruction Fuzzy Hash: 69E01A74901208EFC704DFA8D54599DFBF5EB45315F50D1E9D80823315C735AE84DB85

Function 02C86263 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883ee4059f7b67aea9bcab4b4369c313fdf7f16ddae8484f87f8620bc4729faf
Instruction ID: 23eb60bd23ea53a11308385e8fa1883d831f4a7aeec152fb1b873a21c2c556bd
Opcode Fuzzy Hash: 883ee4059f7b67aea9bcab4b4369c313fdf7f16ddae8484f87f8620bc4729faf
Instruction Fuzzy Hash: 95E09A30906288DFCB09EFB8F604AACBFB5EF5A304F1082A9C01593224C7324A04DB41

Function 02C86268 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb12addb32aeaf6bfe99167fd762148652b0e3f7f1739027d9337c9950d3a73
Instruction ID: 07d5e29a3815b875d8162f02ff080ed759272f2d51cbfeb68ef13cff36e158c9
Opcode Fuzzy Hash: 3fb12addb32aeaf6bfe99167fd762148652b0e3f7f1739027d9337c9950d3a73
Instruction Fuzzy Hash: 62E04F7091211CEFCB09EFB4F604A9DBBB8EF46304F1086A9941493254DB725E44DB41

Function 02C83BB6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b7dd4966bd36e2f6d4cf6208264705971b8a4601b6da75e8326ee0d6af71f6
Instruction ID: 5d6d3d796596b15151808b43acec9ac2c5af6a1fbae06dbe703645c7f33ca8d2
Opcode Fuzzy Hash: 38b7dd4966bd36e2f6d4cf6208264705971b8a4601b6da75e8326ee0d6af71f6
Instruction Fuzzy Hash: 3FE04678E0421C8BCB24EFAAD8404ACB772EFC1320F00A266C069BB268C7708916CB40

Function 02C8DC38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044b9aa6bb2943c92bcdc0873bd5d9b02f10d96adabcf698c5483cac40f8ed5b
Instruction ID: 0db452088a3d43dbd42c84859efa945698c1d9968adcbe275ea48e9e68aaaae5
Opcode Fuzzy Hash: 044b9aa6bb2943c92bcdc0873bd5d9b02f10d96adabcf698c5483cac40f8ed5b
Instruction Fuzzy Hash: 81E02676A0818A8FCB41DBBCD8108DDBFB5FE86214F4080D2C5D1A76A6C2209C47C791

Function 02C8EB83 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f673b30b11e3655ec880eb38da55b33e334b85673feb0b4bf0054c1eeaaa0d65
Instruction ID: e34feeaab5529670a251be22719216dc2624a176f6ca6ae98f739d72c597d070
Opcode Fuzzy Hash: f673b30b11e3655ec880eb38da55b33e334b85673feb0b4bf0054c1eeaaa0d65
Instruction Fuzzy Hash: 08E08C3090A208DFC709EFB4E4049ACBBB1EB82315F54C1E9D80423351C3328A84DB85

Function 02C84F07 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524149086.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c80000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deed2e0d0fdca6ab02eba77ae088795fbf30a637c20524e31f6a798d5a0b34ba
Instruction ID: aefb30930e3e96bfaf1847bdf226a72567dd16da943105ed937270143e4f78fb
Opcode Fuzzy Hash: deed2e0d0fdca6ab02eba77ae088795fbf30a637c20524e31f6a798d5a0b34ba
Instruction Fuzzy Hash: 49E08C34E002088BCB24DFE9E8805ECBBB0EFC5324F1051A6D005BB268C630CD91CB44

Analysis Process: 5fnrWlGa3H.exePID: 6640, Parent PID: 6564COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.2%
Total number of Nodes:	293
Total number of Limit Nodes:	9

Executed Functions

Function 055F7FE2 Relevance: 1.9, APIs: 1, Instructions: 415
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 055F84AF

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d4f695d315e239fce6232ac5a503a1bf9756859fcc72c6d9617e6a080d17b7b1
Instruction ID: 2cb6f602d683262665a1fec46c6b3001725a6d7f3c2f54947c6be6df6f60dea2
Opcode Fuzzy Hash: d4f695d315e239fce6232ac5a503a1bf9756859fcc72c6d9617e6a080d17b7b1
Instruction Fuzzy Hash: 5702F270E04219DFEB24CFA9CC85B9DBBB2FF49304F1485AAE519A7250DB34A984CF54

Function 055F8060 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 055F84AF

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b55911e320cf8b567fa4c55b2216bfcf73407233e4a08bf93086b1c8965a7e7b
Instruction ID: 50e89b66bbaeb168255c951a6165e733bf1f5121d1c93409c1f2bc38fc36f95b
Opcode Fuzzy Hash: b55911e320cf8b567fa4c55b2216bfcf73407233e4a08bf93086b1c8965a7e7b
Instruction Fuzzy Hash: AA02D170E01229DFDB24CFA9C885B9DBBB2BF49304F1481A9E519B7360DB34A984CF54

Function 055F94A8 Relevance: 1.6, APIs: 1, Instructions: 116
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 055F9580

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0319b90dd3d8c731ccf836a74f276ca5efe61d761966d235540c7ae4f2ab05c7
Instruction ID: 90b79cb63f6f6d1e5bb8f36380f6556a2fd5b7d71091883412bcdd018376b054
Opcode Fuzzy Hash: 0319b90dd3d8c731ccf836a74f276ca5efe61d761966d235540c7ae4f2ab05c7
Instruction Fuzzy Hash: 8941AAB5D012589FCF00CFA9D984AEEFBF1BF49310F24942AE919B7210D738AA45CB54

Function 055F94B0 Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 055F9580

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e264d669fdf4ae2e9248c3df044fb3df58d98f76981a1217ff496217e8454d5e
Instruction ID: c4c2ffa5ca74a3f022b497a8978e51813ae8090c149f573e5b9a332624e1cf70
Opcode Fuzzy Hash: e264d669fdf4ae2e9248c3df044fb3df58d98f76981a1217ff496217e8454d5e
Instruction Fuzzy Hash: 3C41ABB4D012589FCF00CFA9D984AEEFBF1BF49310F10902AE919B7210D738AA45CB54

Function 055F90D8 Relevance: 1.6, APIs: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 055F918A

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 3b9cd2f5ad331b90c6a6627ecd1458290166b95db9f922ccdd5fb1eb57becfe4
Instruction ID: 7e53d86b5c2d18019f7ae9ae8cb7cb81578ac17c12803826b186cb0a776cfb92
Opcode Fuzzy Hash: 3b9cd2f5ad331b90c6a6627ecd1458290166b95db9f922ccdd5fb1eb57becfe4
Instruction Fuzzy Hash: F74199B5D042589FCF10CFAAD984AEEFBB1BF49310F10942AE915B7210D735A945CF68

Function 055F90D1 Relevance: 1.6, APIs: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 055F918A

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 173acf751a5b28097279a1d7f192422a05d1f97eb56bdff52363cefb078f56e8
Instruction ID: a5b065d96668cdc12c6e828ef385a44f41f8470ced0d5878f33e6b25a73e038b
Opcode Fuzzy Hash: 173acf751a5b28097279a1d7f192422a05d1f97eb56bdff52363cefb078f56e8
Instruction Fuzzy Hash: D441A9B9D002589FCF10CFA9D984AEEFBB1BF09310F10942AE815B7210D735A945CF64

Function 055F9600 Relevance: 1.6, APIs: 1, Instructions: 97
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL(?,?), ref: 055F96B7

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2aaafa4ddeba013bb6d79b7ad8d67382c8c443bdab841b531870fcd4a2da38e1
Instruction ID: c08b8164df42604ca1e6a9291ffb459339f5b27bd1b47cbf1761007cde5f6837
Opcode Fuzzy Hash: 2aaafa4ddeba013bb6d79b7ad8d67382c8c443bdab841b531870fcd4a2da38e1
Instruction Fuzzy Hash: 6D41DCB5D012189FCB10DFAAD984AEEFBF1BF49310F14842AE419B7210D738A985CF94

Function 055F9608 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 055F96B7

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e3570e5cd910a23b528848bc305dec9baa4b3659775bdb1b210e648aeef5ab13
Instruction ID: 0efcfa25f3288db9e501c0bd45745baadbec27d284f1038b84b20a4f01b71aef
Opcode Fuzzy Hash: e3570e5cd910a23b528848bc305dec9baa4b3659775bdb1b210e648aeef5ab13
Instruction Fuzzy Hash: 7E31CBB4D012589FCB10DFAAD984AEEFBF1BF49310F14802AE419B7250D738A985CF94

Function 055F9288 Relevance: 1.6, APIs: 1, Instructions: 85nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 055F9319

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 48d68dc32012a43f985a07c72ecc6ae13ff2231373c5a2fd1b0fb47ab2a5ebf9
Instruction ID: 6202c02e357279f9c59c95004016192838f96a144da48ce67491c6ea78396bda
Opcode Fuzzy Hash: 48d68dc32012a43f985a07c72ecc6ae13ff2231373c5a2fd1b0fb47ab2a5ebf9
Instruction Fuzzy Hash: 6F31CAB9D052189FCB10CFA9D980AEEFBF1BF49310F10942AE419B7250D739A945CF94

Function 055F9290 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 055F9319

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a903a960c5173ee61b4c61c66671191f0acc814deb2fc213f0b096b6e7edecd5
Instruction ID: 68e282068275ab566a871b4405e312e7716586e593ce131a729c09860b89f04b
Opcode Fuzzy Hash: a903a960c5173ee61b4c61c66671191f0acc814deb2fc213f0b096b6e7edecd5
Instruction Fuzzy Hash: DE31A7B4D052189FCB10CFA9D980AAEFBF5BB49310F10942AE815B7240D779A945CFA4

Function 01601788 Relevance: 1.7, APIs: 1, Instructions: 179
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 016018FF

Memory Dump Source

Source File: 00000007.00000002.2065879356.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1600000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f63cae7a069b4804c41c8844f3e33adad39e239131b3e42f4f9167f8fcb9c6ad
Instruction ID: e8f401a81bafbb6bd8942d90f99d627b00bf42de3c8e24925992b96ffed4d947
Opcode Fuzzy Hash: f63cae7a069b4804c41c8844f3e33adad39e239131b3e42f4f9167f8fcb9c6ad
Instruction Fuzzy Hash: A16143B4C0534A9FCB92CFA4D845ADEFFF0EF4A320F14806AE454AB611E375A946CB50

Function 055F9390 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 055F943A

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebfd6ca8c5551f1941c9bcd8760bd79149f0bdba4b1b435817b24292d9f01c9a
Instruction ID: 0e15ccc2d432c714d5970a6224c7b2f08666a69b9871f8e8d7880c6c2ebaee59
Opcode Fuzzy Hash: ebfd6ca8c5551f1941c9bcd8760bd79149f0bdba4b1b435817b24292d9f01c9a
Instruction Fuzzy Hash: BC3197B8D002589FCF10CFA9D984AEEFBB1BB59310F10942AE915B7210D735A941CFA8

Function 055F9389 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 055F943A

Memory Dump Source

Source File: 00000007.00000002.2070503926.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_55f0000_5fnrWlGa3H.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0210787293da62e7eb48ce236c2381411b6f7bb9a665e615b4c32b7a0a9a8f8c
Instruction ID: 8835c4c3049f224fdd946fbb861b49db75e1147a56a473b98f326b9e4d50a92e
Opcode Fuzzy Hash: 0210787293da62e7eb48ce236c2381411b6f7bb9a665e615b4c32b7a0a9a8f8c
Instruction Fuzzy Hash: 7C3187B9D002589FCF10CFA9D984AEEBBB1BF59310F10A42AE915B7210D735A945CFA4

Function 01601858 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 016018FF

Memory Dump Source

Source File: 00000007.00000002.2065879356.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1600000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4a8e36d1cc7ce281bfcabb8eee1bf968dfa2a1f8579556c958db4722938a7b03
Instruction ID: 36b043b57aab6c822fbd22f9151069612121a8b2c6cd88a5558e6ca76e32f47a
Opcode Fuzzy Hash: 4a8e36d1cc7ce281bfcabb8eee1bf968dfa2a1f8579556c958db4722938a7b03
Instruction Fuzzy Hash: 6C3199B9D042589FCB14CFA9D884ADEFBB5BB19310F14902AE814B7250D375A945CFA4

Function 01609F98 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0160A03F

Memory Dump Source

Source File: 00000007.00000002.2065879356.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1600000_5fnrWlGa3H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bf22bae2055cb958a7c372e02d88f507896f045093590579bc0e13f3d5ae9e19
Instruction ID: ce584a8a59d7ff7324dfcf0acdec0ec3931387caa7cac215e621f53d485bd287
Opcode Fuzzy Hash: bf22bae2055cb958a7c372e02d88f507896f045093590579bc0e13f3d5ae9e19
Instruction Fuzzy Hash: 2B3199B9D002589FCB14CFA9D884ADEFBB1BB19310F14902AE814B7250D375A945CFA4

Analysis Process: 5fnrWlGa3H.exePID: 6604, Parent PID: 6640COMMON

Executed Functions

Function 05110B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dnq, xrefs: 05110E64

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: dnq
API String ID: 0-3704129773
Opcode ID: 866021420f2375d63e6715982d90e494510e042a33cad1bdba80bdb7ef4584a5
Instruction ID: 8d51e1aa0ea9e65fccf30bdf4ecfc33899e8abfa9b882c448c57659f03e4d3ea
Opcode Fuzzy Hash: 866021420f2375d63e6715982d90e494510e042a33cad1bdba80bdb7ef4584a5
Instruction Fuzzy Hash: 7C827274A002298FCB24DF68D984BDDBBB6BF49304F1085E6D809AB265D730AE85CF54

Function 05110630 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4467e3a51c5e70d4a160400d92e0ec5a2265d2259bfeab376182b427797e674c
Instruction ID: 9e1801cc9865a3fcbd38155e3d6ed4780903f74abc9d9aaf1bbdc499da1771c2
Opcode Fuzzy Hash: 4467e3a51c5e70d4a160400d92e0ec5a2265d2259bfeab376182b427797e674c
Instruction Fuzzy Hash: 8D2126709012499FDB06FF78F954A897BB9FF46304F1085A9C0048B269EB795E4ACF81

Function 051105F9 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed709aed06dfb7738ab8a3c3a5816fe8f0e238b6e98d52bf11b37ddfba149e9c
Instruction ID: 351079b31a46cd99315e34626257db3e4a6449456fe5c6320991b507addb3a11
Opcode Fuzzy Hash: ed709aed06dfb7738ab8a3c3a5816fe8f0e238b6e98d52bf11b37ddfba149e9c
Instruction Fuzzy Hash: 8B3118309053859FDB02EF78E958A893FB5EF46304B1445EAC044CF56AEB789D4ACB92

Function 05110A49 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f06a9f514a3d52b26dc67440db8f6f584a1f53c374b7d26b320e8d1a4a658d0
Instruction ID: ddf253bd98fe7b51c2773eecc1f20c396bb27c540dafc000b8b0b0abd263e7e8
Opcode Fuzzy Hash: 9f06a9f514a3d52b26dc67440db8f6f584a1f53c374b7d26b320e8d1a4a658d0
Instruction Fuzzy Hash: ED214831E0114A9FCF01EFADD5549DDBBB5EF49304F4482A6D460BB261DB30A946CB90

Function 05110848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a91a9834489555f959cb438f95eef637c63b347c53793cb08ae0ef73fac67f
Instruction ID: a4d608c3c0fe7ee398bc883db99c7a6875ccde2688af569871cb2dfb309325ba
Opcode Fuzzy Hash: 15a91a9834489555f959cb438f95eef637c63b347c53793cb08ae0ef73fac67f
Instruction Fuzzy Hash: 5111FC70A002499FCB55FFA8F548B9D7BB9FF44305F1086A590049B269DB749E49CF81

Function 05111870 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e975ec80cb809dd32cf3ddea24002fb7368e1c1f6d4acfa7f55a65d6ae7e1de
Instruction ID: eea4d116928fb162609cf3eadf0c96503cbd48b2d3f4ad736d7e88c09770d82e
Opcode Fuzzy Hash: 2e975ec80cb809dd32cf3ddea24002fb7368e1c1f6d4acfa7f55a65d6ae7e1de
Instruction Fuzzy Hash: 04F04FB5D0424DDBCF10DF96E4083EEBBF4BB49310F409065D514B6240DB384509CFA4

Function 051109DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d967b3d188901a16d78cecf9aa443df5599f93ae9ddbb07afbe6b922dcf0e2d1
Instruction ID: aa96daadabd902933a5223e256cd86041e42f2edd423bf160280cd105c83dc57
Opcode Fuzzy Hash: d967b3d188901a16d78cecf9aa443df5599f93ae9ddbb07afbe6b922dcf0e2d1
Instruction Fuzzy Hash: 4E01D270805349DFCB02EFB8D5485ADBBB0FF06204F1445EAC455A72A1EB719A95CB81

Function 051109F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2063480766.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5110000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846376fe361a143baef7fae9b7db831d49aae5423cccb0433b2f2da30f598fc9
Instruction ID: 6d8c29ca5bd591f814c2a491f80dfbda5e24faa0ffd185326b67579be21ee495
Opcode Fuzzy Hash: 846376fe361a143baef7fae9b7db831d49aae5423cccb0433b2f2da30f598fc9
Instruction Fuzzy Hash: 05F0B270C01209DFCB55EFB8D549AAEBBB4FB04304F5046EAC419A7254EB709A45CB80

Analysis Process: 5fnrWlGa3H.exePID: 5036, Parent PID: 6640COMMON

Executed Functions

Function 00EC0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dnq, xrefs: 00EC0E64

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID: dnq
API String ID: 0-3704129773
Opcode ID: 0708d6ac6f7d1f21555d8c2543d7601a9a11870ac3349d75a0975bebeb8528f3
Instruction ID: 5049e1322082f5529cf5fc7a6b86100007760399d902d495326acb9694367c4b
Opcode Fuzzy Hash: 0708d6ac6f7d1f21555d8c2543d7601a9a11870ac3349d75a0975bebeb8528f3
Instruction Fuzzy Hash: 27829E749002298FCB24DFA8D984BDDBBB5FF49304F1096AAD409BB265D731AE85CF50

Function 00EC05E7 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bc04b269e9fd2c273ff4ce87346b2c6b185a5f0666356bbf1c302572c22938
Instruction ID: 1503e939cdecabdb01327272b04e071cb0b7cb790005f92756743880895c029e
Opcode Fuzzy Hash: c1bc04b269e9fd2c273ff4ce87346b2c6b185a5f0666356bbf1c302572c22938
Instruction Fuzzy Hash: 61318DB09093858FCB07EF68E954B887FB5EF42300F0545EAC0458F2B6D778594ACB91

Function 00EC0A49 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b615d00eecf1eb3c934bcecea65277ed27e877a2e7fbb9de1e0a20757ef243ef
Instruction ID: 82a195a576bc2e7f467c5f32b65d26a71ba91799f2695993526535c5b1350bf9
Opcode Fuzzy Hash: b615d00eecf1eb3c934bcecea65277ed27e877a2e7fbb9de1e0a20757ef243ef
Instruction Fuzzy Hash: 7F215470E0024A9FCF05DFA9D950ADDBFB1EF49300F4582A6D464BB262DB30A946CF94

Function 00EC0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ea9e727306802dad7b65a70bd86a838f6cc37b497a2f0c69f18ce0b5f66fe2
Instruction ID: b06957e665b9c7084bf28cfad043ab60dba0f7ef214db92c3996d530afc35566
Opcode Fuzzy Hash: b8ea9e727306802dad7b65a70bd86a838f6cc37b497a2f0c69f18ce0b5f66fe2
Instruction Fuzzy Hash: 3411EFB4D01209DFCF45EFA8F984B9D7BB5FB84304F508669D0099B269DB745A4ACF80

Function 00EC1870 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad66b3235abea4b03b431222c8c41f388d6cb8a7322d19b98f0e112790141ff
Instruction ID: 684cdc5100e8a1bc0e9cdee3cbe3e25ff74b010326df7b3abc51082fb6dcba66
Opcode Fuzzy Hash: 3ad66b3235abea4b03b431222c8c41f388d6cb8a7322d19b98f0e112790141ff
Instruction Fuzzy Hash: FFF0AFB5C08249CECF04CFA5D5047EDBBF0AB4A310F0460A9C11477202D739461ACF50

Function 00EC09DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405f9a27e9121d1175371956d3416e8180cae8afde2c5a1778243440b4152ff9
Instruction ID: 3540a217c179d0cc0eef38e319dca02913eb7a42e13dd2b7e157c32dce1b3e72
Opcode Fuzzy Hash: 405f9a27e9121d1175371956d3416e8180cae8afde2c5a1778243440b4152ff9
Instruction Fuzzy Hash: 0B013C70804249DFCB16CFA8D844A9DBFB1FF06314F1446EED455AB2A2EB355A41CB81

Function 00EC09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2064194567.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_5fnrWlGa3H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0481adb7d397af0634e8a2f6df28d0879852f40d893f1af62670d75c5a0a8c03
Instruction ID: 078ca94bbf347f66912e51c9c22c5221ea99dac6cafdf19a7a131b1158bb98ad
Opcode Fuzzy Hash: 0481adb7d397af0634e8a2f6df28d0879852f40d893f1af62670d75c5a0a8c03
Instruction Fuzzy Hash: 6AF0B270C00209DFCB45EFB8D945AAEBBB4FB04304F104AAAD419A7260EB719A94CB80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5fnrWlGa3H.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5fnrWlGa3H.exe.log

C:\Users\user\AppData\Local\Temp\1hhrgjc2.tor

C:\Users\user\AppData\Local\Temp\2tif1pqf.0vs

C:\Users\user\AppData\Local\Temp\a3mi0qv1.bas

C:\Users\user\AppData\Local\Temp\dgbhmv4f.xlt

C:\Users\user\AppData\Local\Temp\mguezme5.xtc

C:\Users\user\AppData\Local\Temp\p405dcok.vya

C:\Users\user\AppData\Local\Temp\srm3hadz.ivn

C:\Users\user\AppData\Local\Temp\wqr5mayt.mmg

C:\Users\user\AppData\Local\Temp\zoiygpwj.rc5

C:\Users\user\AppData\Local\Temp\zvhdt0ay.gqh

C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe

C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
5fnrWlGa3H.exe

Function 010C6DD8 Relevance: 3.8, Strings: 3, Instructions: 71
COMMON

Function 010C240A Relevance: 2.8, Strings: 2, Instructions: 259
COMMON

Function 010C24A0 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Function 010C2D38 Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Function 010CBDD0 Relevance: 1.4, Strings: 1, Instructions: 143
COMMON

Function 010C08F8 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Function 010C3750 Relevance: 1.3, Strings: 1, Instructions: 73
COMMON