Edit tour

Windows Analysis Report
Marcom Trade SS-04665.exe

Overview

General Information

Sample name:	Marcom Trade SS-04665.exe
Analysis ID:	1628931
MD5:	b9ce0eb55ba475c3e45c2acb43189cdd
SHA1:	d701648c7401deeed81906d3424306d021bd6edf
SHA256:	ad1170d032bdaafe43424eb33f74c42dffc04c3ffa044edd7a5bbfcbc0422a23
Tags:	exeuser-lowmal3
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Marcom Trade SS-04665.exe (PID: 8136 cmdline: "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" MD5: B9CE0EB55BA475C3E45C2ACB43189CDD)

Marcom Trade SS-04665.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" MD5: B9CE0EB55BA475C3E45C2ACB43189CDD)

Marcom Trade SS-04665.exe (PID: 5828 cmdline: "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\ioaz" MD5: B9CE0EB55BA475C3E45C2ACB43189CDD)

Marcom Trade SS-04665.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\tqfrvnu" MD5: B9CE0EB55BA475C3E45C2ACB43189CDD)

Marcom Trade SS-04665.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\vkkkwgfnmj" MD5: B9CE0EB55BA475C3E45C2ACB43189CDD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2544433074.0000000004A7F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.1712116191.00000000068B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Marcom Trade SS-04665.exe PID: 7592	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Marcom Trade SS-04665.exe PID: 7592	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Marcom Trade SS-04665.exe PID: 5828	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 2 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Marcom Trade SS-04665.exe, ProcessId: 7592, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:35:34.459441+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.10	49973	204.10.160.190	2404	TCP
2025-03-04T09:35:35.457403+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.10	49974	204.10.160.190	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:35:35.625388+0100	2803304	3	Unknown Traffic	192.168.2.10	49975	178.237.33.50	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:35:32.439292+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49972	204.10.160.191	80	TCP

HTTP traffic detected: GET /gTGrvYKmGWlNeIZNtjBakh112.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 204.10.160.191Cache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /gTGrvYKmGWlNeIZNtjBakh112.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 204.10.160.191Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A10000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Marcom Trade SS-04665.exe, 0000000A.00000003.1838881696.000000000096D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Marcom Trade SS-04665.exe, 0000000A.00000003.1838881696.000000000096D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Marcom Trade SS-04665.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565596019.0000000035920000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565596019.0000000035920000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.bin
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.binV
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000003.1814139142.0000000004AFC000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000003.1814175354.0000000004AFE000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000003.1839620806.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544572701.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004A88000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpZ4j%
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gphy=4u%
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gps
Source: Marcom Trade SS-04665.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825708360.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Marcom Trade SS-04665.exe, 0000000C.00000002.1825708360.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.coma
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A10000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A10000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696501260359
Source: Marcom Trade SS-04665.exe, 0000000A.00000002.1839328155.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?ae1e93c052690ba0623cc864d4ad8ff9
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?d3f78c2c20f92f3d0890e3edc77b84b9
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Marcom Trade SS-04665.exe, 0000000A.00000003.1838949483.000000000212C000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000003.1838828431.000000000212C000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000003.1838763102.000000000212C000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000002.1840080262.000000000212D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033___W
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Marcom Trade SS-04665.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json?One
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=60046d
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Marcom Trade SS-04665.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvF2B2.tmp.10.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_004052D1

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_0040987A
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_004098E2
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_00406DFC
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_00406E9F
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	12_2_004068B5
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	12_2_004072B5

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544433074.0000000004A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Marcom Trade SS-04665.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	10_2_0040DD85
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00401806 NtdllDefWindowProc_W,	10_2_00401806
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_004018C0 NtdllDefWindowProc_W,	10_2_004018C0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004016FD NtdllDefWindowProc_A,	11_2_004016FD
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004017B7 NtdllDefWindowProc_A,	11_2_004017B7
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00402CAC NtdllDefWindowProc_A,	12_2_00402CAC
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00402D66 NtdllDefWindowProc_A,	12_2_00402D66

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_00403358
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		8_2_00403358

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File created: C:\Windows\resources\Bementite.ini

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_00404B0E	5_2_00404B0E
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_0040653D	5_2_0040653D
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_00404B0E	8_2_00404B0E
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_0040653D	8_2_0040653D
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A57194	8_2_35A57194
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A4B5C1	8_2_35A4B5C1
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044B040	10_2_0044B040
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0043610D	10_2_0043610D
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00447310	10_2_00447310
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044A490	10_2_0044A490
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0040755A	10_2_0040755A
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0043C560	10_2_0043C560
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044B610	10_2_0044B610
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044D6C0	10_2_0044D6C0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_004476F0	10_2_004476F0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044B870	10_2_0044B870
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044081D	10_2_0044081D
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00414957	10_2_00414957
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_004079EE	10_2_004079EE
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00407AEB	10_2_00407AEB
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044AA80	10_2_0044AA80
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00412AA9	10_2_00412AA9
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00404B74	10_2_00404B74
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00404B03	10_2_00404B03
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044BBD8	10_2_0044BBD8
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00404BE5	10_2_00404BE5
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00404C76	10_2_00404C76
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00415CFE	10_2_00415CFE
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00416D72	10_2_00416D72
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00446D30	10_2_00446D30
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00446D8B	10_2_00446D8B
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00406E8F	10_2_00406E8F
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00405038	11_2_00405038
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0041208C	11_2_0041208C
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004050A9	11_2_004050A9
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0040511A	11_2_0040511A
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0043C13A	11_2_0043C13A
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004051AB	11_2_004051AB
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00449300	11_2_00449300
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0040D322	11_2_0040D322
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0044A4F0	11_2_0044A4F0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0043A5AB	11_2_0043A5AB
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00413631	11_2_00413631
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00446690	11_2_00446690
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0044A730	11_2_0044A730
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004398D8	11_2_004398D8
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_004498E0	11_2_004498E0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0044A886	11_2_0044A886
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0043DA09	11_2_0043DA09
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00438D5E	11_2_00438D5E
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00449ED0	11_2_00449ED0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0041FE83	11_2_0041FE83
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00430F54	11_2_00430F54
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004050C2	12_2_004050C2
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004014AB	12_2_004014AB
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00405133	12_2_00405133
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004051A4	12_2_004051A4
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00401246	12_2_00401246
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_0040CA46	12_2_0040CA46
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00405235	12_2_00405235
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004032C8	12_2_004032C8
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004222D9	12_2_004222D9
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00401689	12_2_00401689
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00402F60	12_2_00402F60

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 004169A7 appears 86 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 00413025 appears 78 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: String function: 00402B38 appears 45 times

Source: Marcom Trade SS-04665.exe, 00000008.00000003.1839620806.0000000004B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe, 00000008.00000003.1822070050.0000000004AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe, 00000008.00000003.1820640600.0000000035541000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe, 00000008.00000003.1820621029.0000000004AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A2B000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe	Binary or memory string: OriginalFileName vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe	Binary or memory string: OriginalFilename vs Marcom Trade SS-04665.exe
Source: Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.000000000041B000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Marcom Trade SS-04665.exe

Source: Marcom Trade SS-04665.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@9/13@1/3

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

10_2_004182CE

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 12_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

12_2_00410DE1

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

5_2_004045C8

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

10_2_00413D4C

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_0040206A CoCreateInstance,

5_2_0040206A

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 10_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

10_2_0040B58D

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File created: C:\Users\user\AppData\Roaming\Rigsantikvarernes

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GUFRHI

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File created: C:\Users\user\AppData\Local\Temp\nsz1C77.tmp

Jump to behavior

Source: Marcom Trade SS-04665.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000B.00000002.1823681438.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2565596019.0000000035920000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Marcom Trade SS-04665.exe, 0000000A.00000002.1840219591.0000000002148000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000003.1836389321.0000000002737000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000A.00000003.1836687605.0000000002737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000A.00000002.1839443041.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Marcom Trade SS-04665.exe

Virustotal: Detection: 18%

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File read: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_11-33172

Source: unknown	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe"
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe"
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\ioaz"
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\tqfrvnu"
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\vkkkwgfnmj"
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\ioaz"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\tqfrvnu"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\vkkkwgfnmj"	Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File opened: C:\Users\user\Desktop\Marcom Trade SS-04665.cfg

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Unpacked PE file: 10.2.Marcom Trade SS-04665.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Unpacked PE file: 12.2.Marcom Trade SS-04665.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Yara detected GuLoader

Source: Yara match

File source: 00000005.00000002.1712116191.00000000068B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406252

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_10002DB0 push eax; ret	5_2_10002DDE
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A42806 push ecx; ret	8_2_35A42819
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044693D push ecx; ret	10_2_0044694D
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044DB70 push eax; ret	10_2_0044DB84
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0044DB70 push eax; ret	10_2_0044DBAC
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_00451D54 push eax; ret	10_2_00451D61
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0044B090 push eax; ret	11_2_0044B0A4
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_0044B090 push eax; ret	11_2_0044B0CC
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00451D34 push eax; ret	11_2_00451D41
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00444E71 push ecx; ret	11_2_00444E81
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00414060 push eax; ret	12_2_00414074
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00414060 push eax; ret	12_2_0041409C
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00414039 push ecx; ret	12_2_00414049
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_004164EB push 0000006Ah; retf	12_2_004165C4
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00416553 push 0000006Ah; retf	12_2_004165C4
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00416555 push 0000006Ah; retf	12_2_004165C4

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

File created: C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 11_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_004047CB

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API/Special instruction interceptor: Address: 6D80A1A
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API/Special instruction interceptor: Address: 3AE0A1A

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	RDTSC instruction interceptor: First address: 6D4050C second address: 6D4050C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F18A8B11BE5h 0x00000006 inc ebp 0x00000007 test dx, bx 0x0000000a inc ebx 0x0000000b test cl, al 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	RDTSC instruction interceptor: First address: 3AA050C second address: 3AA050C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F18A8E24EC5h 0x00000006 inc ebp 0x00000007 test dx, bx 0x0000000a inc ebx 0x0000000b test cl, al 0x0000000d rdtsc

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

10_2_0040DD85

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Window / User API: threadDelayed 3906	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Window / User API: threadDelayed 5603	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Window / User API: foregroundWindowGot 1768	Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API coverage: 4.5 %
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API coverage: 9.8 %

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 1816	Thread sleep count: 232 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 1816	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 6472	Thread sleep count: 3906 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 6472	Thread sleep time: -11718000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 6472	Thread sleep count: 5603 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe TID: 6472	Thread sleep time: -16809000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405770
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_0040622B FindFirstFileW,FindClose,	5_2_0040622B
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 5_2_0040276E FindFirstFileW,	5_2_0040276E
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A410F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_35A410F1
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A46580 FindFirstFileExA,	8_2_35A46580
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,	10_2_0040AE51
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407EF8
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	12_2_00407898

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 10_2_00418981 memset,GetSystemInfo,

10_2_00418981

Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhvF2B2.tmp.10.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhvF2B2.tmp.10.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API call chain: ExitProcess graph end node	graph_5-4412
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API call chain: ExitProcess graph end node	graph_5-4416
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	API call chain: ExitProcess graph end node	graph_11-34064

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 8_2_35A460E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_35A460E2

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

10_2_0040DD85

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406252

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 8_2_35A44AB4 mov eax, dword ptr fs:[00000030h]

8_2_35A44AB4

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 8_2_35A4724E GetProcessHeap,

8_2_35A4724E

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A460E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_35A460E2
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A42B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_35A42B1C
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: 8_2_35A42639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_35A42639

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: NULL target: C:\Users\user\Desktop\Marcom Trade SS-04665.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: NULL target: C:\Users\user\Desktop\Marcom Trade SS-04665.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Section loaded: NULL target: C:\Users\user\Desktop\Marcom Trade SS-04665.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\ioaz"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\tqfrvnu"	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Process created: C:\Users\user\Desktop\Marcom Trade SS-04665.exe "C:\Users\user\Desktop\Marcom Trade SS-04665.exe" /stext "C:\Users\user\AppData\Local\Temp\vkkkwgfnmj"	Jump to behavior

Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\*\|~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544572701.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\u~4%
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544572701.0000000004B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager!
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\*4~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\I~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\4d
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\-~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\59:~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\&~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\11P~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\{~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHI\*_~
Source: Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 8_2_35A42933 cpuid

8_2_35A42933

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 8_2_35A42264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_35A42264

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 11_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

11_2_004082CD

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 5_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

5_2_00405F0A

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544433074.0000000004A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Marcom Trade SS-04665.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: ESMTPPassword	11_2_004033F0
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	11_2_00402DB3
Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	11_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: Marcom Trade SS-04665.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Marcom Trade SS-04665.exe PID: 5828, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GUFRHI

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2544433074.0000000004A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Marcom Trade SS-04665.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\Marcom Trade SS-04665.exe

Code function: 11_2_0042DE27 RpcBindingCreateW,

11_2_0042DE27

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	112 Process Injection	1 Software Packing	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	1 Credentials In Files	228 System Information Discovery	Distributed Component Object Model	11 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	2 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Marcom Trade SS-04665.exe	18%	Virustotal		Browse
Marcom Trade SS-04665.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.binV	0%	Avira URL Cloud	safe
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc	0%	Avira URL Cloud	safe
http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.bin	0%	Avira URL Cloud	safe
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191	0%	Avira URL Cloud	safe
http://www.imvu.coma	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.bin	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	bhvF2B2.tmp.10.dr	false		high
http://www.imvu.comr	Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A10000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gpl	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingth	bhvF2B2.tmp.10.dr	false		high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191	bhvF2B2.tmp.10.dr	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gphy=4u%	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.imvu.com	Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825708360.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=wsb	bhvF2B2.tmp.10.dr	false		high
http://geoplugin.net/json.gps	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004ADE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.imvu.coma	Marcom Trade SS-04665.exe, 0000000C.00000002.1825708360.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	Marcom Trade SS-04665.exe, 0000000A.00000002.1839328155.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaotak	bhvF2B2.tmp.10.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvF2B2.tmp.10.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	Marcom Trade SS-04665.exe	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	Marcom Trade SS-04665.exe, 00000008.00000002.2565791542.0000000035A10000.00000040.10000000.00040000.00000000.sdmp, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://www.google.com	Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF	bhvF2B2.tmp.10.dr	false		high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL	bhvF2B2.tmp.10.dr	false		high
http://geoplugin.net/	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004A88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaot	bhvF2B2.tmp.10.dr	false		high
http://204.10.160.191/gTGrvYKmGWlNeIZNtjBakh112.binV	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://maps.windows.com/windows-app-web-link	bhvF2B2.tmp.10.dr	false		high
http://geoplugin.net/json.gpZ4j%	Marcom Trade SS-04665.exe, 00000008.00000002.2544450062.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc	bhvF2B2.tmp.10.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhvF2B2.tmp.10.dr	false		high
https://www.google.com/accounts/servicelogin	Marcom Trade SS-04665.exe	false		high
https://login.yahoo.com/config/login	Marcom Trade SS-04665.exe	false		high
http://www.nirsoft.net/	Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://www.ebuddy.com	Marcom Trade SS-04665.exe, Marcom Trade SS-04665.exe, 0000000C.00000002.1825408087.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
204.10.160.190	unknown	Canada	64236	UNREAL-SERVERSUS	true
204.10.160.191	unknown	Canada	64236	UNREAL-SERVERSUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1628931
Start date and time:	2025-03-04 09:33:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Marcom Trade SS-04665.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@9/13@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 177 Number of non-executed functions: 318
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.72, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:34:43	API Interceptor	301550x Sleep call for process: Marcom Trade SS-04665.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
204.10.160.190	PO 4512590075.exe	Get hash	malicious	Remcos, GuLoader	Browse
178.237.33.50	Payment_Slip..pdf.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SIP_202527014509862345786434560975457234678.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.DropperX-gen.18777.24979.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	K627 - Bill of Lading (Draft)..PDF.scr.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	ArrivalNotice_MEDUEG679552.PDF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	rDB_YAK_838327E.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	geoplugin.net/json.gp
	Telex Copy.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	SIP_202527015400980863464865312156.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	nicepersonforsweetkissinggirlformygirl.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp
	PO 536120 - Purchase Order R43500 V5560001.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	Payment_Slip..pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SIP_202527014509862345786434560975457234678.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.18777.24979.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	K627 - Bill of Lading (Draft)..PDF.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ArrivalNotice_MEDUEG679552.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	rDB_YAK_838327E.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	Telex Copy.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	SIP_202527015400980863464865312156.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	nicepersonforsweetkissinggirlformygirl.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	PO 536120 - Purchase Order R43500 V5560001.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNREAL-SERVERSUS	libvlc.dll.dll	Get hash	malicious	Remcos	Browse	185.202.173.24
	libvlc.dll.dll	Get hash	malicious	Remcos	Browse	185.202.173.24
	Upd#U0430te.js	Get hash	malicious	Unknown	Browse	172.96.15.103
	PO 4512590075.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.10.160.192
	CUSTOMER DATA.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.10.160.132
	FBhxr49KdH.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	162.251.123.206
	FBhxr49KdH.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	162.251.123.206
	22.exe	Get hash	malicious	Remcos	Browse	192.188.88.248
	REF#1162025.exe	Get hash	malicious	Remcos	Browse	212.162.149.149
	FACTURA PROFORMA MATRICULACI#U00d3N.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.165
UNREAL-SERVERSUS	libvlc.dll.dll	Get hash	malicious	Remcos	Browse	185.202.173.24
	libvlc.dll.dll	Get hash	malicious	Remcos	Browse	185.202.173.24
	Upd#U0430te.js	Get hash	malicious	Unknown	Browse	172.96.15.103
	PO 4512590075.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.10.160.192
	CUSTOMER DATA.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.10.160.132
	FBhxr49KdH.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	162.251.123.206
	FBhxr49KdH.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	162.251.123.206
	22.exe	Get hash	malicious	Remcos	Browse	192.188.88.248
	REF#1162025.exe	Get hash	malicious	Remcos	Browse	212.162.149.149
	FACTURA PROFORMA MATRICULACI#U00d3N.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.165
ATOM86-ASATOM86NL	Payment_Slip..pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SIP_202527014509862345786434560975457234678.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.18777.24979.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	K627 - Bill of Lading (Draft)..PDF.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ArrivalNotice_MEDUEG679552.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	rDB_YAK_838327E.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	Telex Copy.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	SIP_202527015400980863464865312156.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	nicepersonforsweetkissinggirlformygirl.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	PO 536120 - Purchase Order R43500 V5560001.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll	Hermaean.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SecuriteInfo.com.FileRepMalware.23885.29286.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	OqqrLiFWKC.exe	Get hash	malicious	Mindspark	Browse
	Factura Honorarios 2024-11-04.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3319169319867985
Encrypted:	false
SSDEEP:	3:rgl+lZglNWliClDl5JWRal2Jl+7R0DAlBG45klovDl6v:MlF+jb5YcIeeDAlOWAv
MD5:	D5F8A958068380F574593247E66B213A
SHA1:	9EA5203FCB724DA92322F7651AF2BF2D6B0A7B4B
SHA-256:	C7DA22F4059B5F0FFBE5DBCD78FF7502631E43BD874E125B00ECC3F85A7784F2
SHA-512:	9BA884AF4A49DF1252484517090287FDD50E517CA80F91A75E3114AADF214263FFB117C3286310927BA0F7643C0E434DD35667FB9BCDCD098F602C7641C0D463
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.3./.0.4. .0.3.:.3.5.:.3.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.018421233492188
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkv:qlupdVauKyGX85jvXhNlT3/7XcV7Wro
MD5:	EB2FF94DBB57A448547893913F07269C
SHA1:	DF7B8498413BA06578D4743941ED5664A88945FC
SHA-256:	0FAD6CBFD4862A474081C36DF3E5E29F45A5EAC652C02BEF9E3637A7EB388B96
SHA-512:	F2D29C38E688792AC270E45DC9213ED1C58ACEE67B7C18F4873296A9FC3D1B2F79B317712EFBCB1CDC9A637070C87605DE39387B5246A7B9644B15EF25494374
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7126",. "geoplugin_longitude":"-74.0066",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhvF2B2.tmp

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2fcd744f, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	18874368
Entropy (8bit):	0.8289302659256177
Encrypted:	false
SSDEEP:	6144:AA/kqb7hP0u1fM1iM15Sd+qk5J/p1CUNL5NCAMPqpXqp5qpkQFeX+SQFFqpDvoQa:LD88+zewCevKKNb+EsUq3
MD5:	2BD7C0B5B55785F2C80D144525CC4956
SHA1:	581B44A6E575A6D87A4BE7C9973511352AD7406D
SHA-256:	0C4CD5568FB63923537542136F241B9B4A996FD2CDF2DB4FB807C813F4C6495E
SHA-512:	5CE0AFDAB032C0A96DAFF3B903633DD1FD661303922DF8CC621B6DD042AD82E9750E17491B911CF212A1CFD74E137E5A6438D5D556C28C41BA15B4F937BB095E
Malicious:	false
Reputation:	low
Preview:	/.tO... ....................1...{........................v..........{W..#...}W.h.x..............................1...{..............................................................................................d...........eJ......n........................................................................................................... ............{..............................................................................................................................................................................................3....{...................................e.a.#...}u:...................~.#...}W..........................#......h.x.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ioaz

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Temp\nso1C87.tmp

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	1153860
Entropy (8bit):	4.47342937205468
Encrypted:	false
SSDEEP:	6144:yTrjYIPvlNipYneFdUVvUNLS5WFu39IYgIP1e2AEjRm5hW/WXLMnpfRdlLV2/eMz:yTrj92z2lcEIFGH1DUdQ+
MD5:	D87C8D8452459BEF361E5BD0076AD172
SHA1:	382DFF460138BFDFCD2451F0E8A8DE13664BB7B5
SHA-256:	81241C6DB8A29CD326D38905C45976C4D4B32E553D693F5E43391C8AE2DE9F9D
SHA-512:	B582C3370D4C9EFEBF10656FEAF1B5A9CED75B81538201D338D3291FC2667098C968994B1886D327F37929E0DAB87A38A2812E91626087EFB7801B6A6D571989
Malicious:	false
Reputation:	low
Preview:	87......,.......,.......D...m...0.......B6......87..........................n...............................................................................................................................................................................................................G...\...............j...............................................................................................................................g...............................................................h...........................................................................6...(...Q...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Hermaean.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.23885.29286.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.24375.4894.exe, Detection: malicious, Browse Filename: OqqrLiFWKC.exe, Detection: malicious, Browse Filename: Factura Honorarios 2024-11-04.exe, Detection: malicious, Browse Filename: EL GINER.exe, Detection: malicious, Browse Filename: u9aPQQIwhj.exe, Detection: malicious, Browse Filename: Shipping documents 000293994900.exe, Detection: malicious, Browse Filename: whatsappjpg.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Rigsantikvarernes\Negrillo162.nov

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	284577
Entropy (8bit):	1.255078923587751
Encrypted:	false
SSDEEP:	6144:kMnpfRdlLV2/eMUsM3C7WcXAj8iJIRpofbRYAUpOYPJLL8DStXMkO6nsCm:lx
MD5:	E19CE796159C3BDE707DD283EC175450
SHA1:	EFC8FA6D949A4939A01D9C380F6946AA311AA584
SHA-256:	F742C0F0F0B306BBA3C99E7B3CBF13D8197AFA3DC8A26DEBCED77D894103A7A7
SHA-512:	84D6AA4A917C94CC4E17EBE4DCA6A8D2BC1AEB81D313EB7F07980D3CCBFF6134007CB7ECC3B9ABC00F0510AECD26E92AEE0634A1084813A18ACDD70E3952E9F4
Malicious:	false
Preview:	....................&...................b...........Md........!................................................................+........................................................................................(....a................................3......................q.....................................[...................r.........,.........................Q........................................................+...........................................................................................`..Z..........+...................y2......................................&............................................Z..........................................+.....................................................S.........J....................................................................z....<..............................................y......................C...........................Y........P.....................................

C:\Users\user\AppData\Roaming\Rigsantikvarernes\Palmes.Uni

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	298372
Entropy (8bit):	7.716443589207443
Encrypted:	false
SSDEEP:	6144:ZIPvlNipYneFdUVvUNLS5WFu39IYgIP1e2AEjRm5hW/WXI:22z2lcEIFGH1t
MD5:	038EAB8DF93644EDCEDA11E7883F0D21
SHA1:	0AB953A69E2797B56E2FDAAE9E5CDE488B85964D
SHA-256:	0179520E75610C0CC38FAC22F4CE98A66B4891E2D183F073583FDB9593956CB5
SHA-512:	5FABD0393A930A9FC2470F7201A1D5A5D97AA5921EE454733996693AD4B50C6F100CA58D3C737C1DF0C83EA89BAF5605F4ECF76147C4977C8E2FB4E2942B2012
Malicious:	false
Preview:	.........000......................4........................<.......{.vv......W...PPPP....R.................N.888....ii..........O................eee..........@..............l....II..........v....Y...n..zzzz................''.MM.......W.............kkkk....................----..k...tt.........................nnn..........6.L...........$$$$.......J........??????....WW....[[.....00........w.................P......^^....[........zzzzzzz......Z......!!.......2222........................Z.<<<...:..M....:::.....&&&&..=.......xxx..=..............nn...../................kk.=.......R....p....QQ.n.........OOOO..................................................}..................`..................W.WW.........>....2.s.....(......tttt.A..........ll..........@............@@@............l.....DD..............d............c...........".......@...........h.'....................T.....................O............ff......}..ff......\|...............II..............g.5..::.z.?.....^.....---...............6

C:\Users\user\AppData\Roaming\Rigsantikvarernes\anticipatively.ini

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	667
Entropy (8bit):	4.5176817284957815
Encrypted:	false
SSDEEP:	12:3vOruGoCjuWKfHb8aMt+JX4yESglsw1kKKh6BgOxuFlsFOsSsv:3bCUfnOCIZHGs0e
MD5:	6C74C3D34F8CC5E305E5085FF917D020
SHA1:	20773526DBD9495B5E6D11E9B2AF205C81B49CC1
SHA-256:	1A953DC54649B2E6ED53F12C1B1AED83493E75C2068D3DB8206A87A0D1215E83
SHA-512:	C7C7A68E64E151FD7AE069AA475CD1E0FC37C4C9251231CC73EA4B9EEFBB0EA3FFC65DC11BE8CF8D5FBCF270CCA12F658C23ABA5682DBAE87051515C080D7DF0
Malicious:	false
Preview:	[REOLPLJEDE ENAMELWARE]..ephestian sexologs kabelfejl forflytninger tidsrammen nonrevoltingly heptarchical geochemist lustre inoffensively gasometre.Bordeauxrdt ttheden trainable kautioneringer voksenbillet driftsbidragene ankesag osteriets..motionlessly crewing kluntekroer festrusen obducenten.Tetrabasic tilbagekaldelsesgrundes afskallingen guilds widenesses aquinist..;federaliseringens underskudsforretningerne halvmaskers filmiest,indskuddenes serne beslaas sortskjortens..Telefonautomats jernbaneforbindelse lustless appomattoc hovmestre turio..gemma encyclic ere americanize gaslighterne.Philologists breblger cheroots modtages metallisk constrains yashmaks..

C:\Users\user\AppData\Roaming\Rigsantikvarernes\folketingsformand.txt

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	530
Entropy (8bit):	4.431710325153932
Encrypted:	false
SSDEEP:	12:4/k2m2UmKg9FKgDq+0G/UerFEJ6T9lfLfWqpTk+Nt7MZ:rdrmP930G/PFEJqrfFO+nIZ
MD5:	8A7A9974B9C55BF8AC94710B477A662E
SHA1:	B7D0D00BB0FDFBC172B92C62464768CA630EB0C3
SHA-256:	7C448A6C8E8DE6460AC05834DE6F9042467ACDA9FFD9923352C42F2904C59782
SHA-512:	B14074DD2E2255D106F18508649F38B3C30EF20CF5AAB8144A5E7EF22ADF329A3FE18A4B4D136A43F6E9C4ACB4CD0336672B1AC01384EA299C1382B211EFC4B0
Malicious:	false
Preview:	atlas eftersmkket skibspapiret uncollectibly alarmsignals.Haematein inddatafelters parapsychologists guide doubleness..[solus anisophyllous]..;invisibly generindret coralene landemrke seringas brahmanhood unbreathable.Pressmanship encephalitic skrkslagent fyrmestres midtpunktsjusteringers swingometer allelopathy..;serges forbundsformnd delikatessehandlerens ascogonia.Atomfysikers incitament gynantherous thumlungur velrenommeret decentralises changements........Rehydrating udhvilede kalkbrnder vedligeholdets knotty besvimer..

C:\Users\user\AppData\Roaming\Rigsantikvarernes\levnedsmiddelets.sva

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	473258
Entropy (8bit):	1.248788570764183
Encrypted:	false
SSDEEP:	1536:cSG9iToxeAQXFzDmk6As6vQRMWHzm2OhzdipTMhKxPY+oi6ZeJ5Ejq2pYMm1C/i+:QcxsNNd4FOITURiN
MD5:	336BDDA1E77424F8F50C8FF0AA64D146
SHA1:	5E475F772C80DDB47E3CEC3F181DC493D2C6D60D
SHA-256:	E7D5C4A66EAD0A6935C952CB287E6839BB68A44A1C8508C88CC5EC9AE4411D01
SHA-512:	3FBF475C651B94CCD5E645216864D264E032D6B5122B3759B1E78D606B24163395141DAE76F2362F413E313C4232DD4D2C884D4D6ED1BC3564781191CF125C8C
Malicious:	false
Preview:	..........h...........................................B.u........................p...............-.......................................j.........................................I............................0...V............4..........#.................................+.....................9............................................5...................................................................`......................................T....Z..................................................................!...............................................3........K............W.`.....................v...................5....................................................................n.........2..................../......?.....................................................)............p.....................{...........,...................gy.....................g...T.............4................o.............2.........................).......#...........[...

C:\Users\user\AppData\Roaming\Rigsantikvarernes\pray.kry

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	data
Category:	dropped
Size (bytes):	70351
Entropy (8bit):	1.2598388117953725
Encrypted:	false
SSDEEP:	384:M37raR0TFnugVoTVnb93oEZw78Ih/izqcxB3S4Y:O3aR0TQgeTlNPwYIUzq6B3Sp
MD5:	54E646BCD4B09075BE0D4ECE1ED62685
SHA1:	17A4525BC6FCEEA6B1A92536D23749E11619E96C
SHA-256:	D34CC96D389EDFAC6047EB41DC22EAA9A5EA26A64A36EB733BC95FC4ED570E72
SHA-512:	04A0B74320AD2131AE0113D35B5AF2CF3D76A81D560E46A7EB65C7C45FE907103F4B55645585E1632C5D691152DD536D9456FEB5954F26E91ECE11F595605DF1
Malicious:	false
Preview:	.................................................................................................A......................................L..................................................e...b......................................._....................................................................f.............0....{................................................P...............................<......t....................................................L........~...e.............................v.............V.........................#...............................@......\.............................@...............................................F..............].........................H..............................................................,..s=.........W.........g..............................................................m...................................................j...................................\.........................................Q........L.........

C:\Users\user\AppData\Roaming\Rigsantikvarernes\respirationsstoppene.txt

Download File

Process:	C:\Users\user\Desktop\Marcom Trade SS-04665.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	661
Entropy (8bit):	4.502730296156622
Encrypted:	false
SSDEEP:	12:/Hi8sSTbFHPjdTJYQT44hR+ZgM0R3RIkWxz4dX6NOW1m4QwT2TbFTD2MoyEnV:/H+WPBT69rC5Qz+6N9rP2PFPo5
MD5:	04CE2396C7300E78E16AA6A3E1050BF4
SHA1:	E0E3BE532ECD63E46C149751EB546752123F68BE
SHA-256:	1B746C6A7D78152EFC91E1B7107E1EE013249ECC45023FA52D9022446BAF4224
SHA-512:	B53DB842727156076DEB0345F506260A6A717C81411209B39BB99774D6862508DE95427078975FAC8220396B117469E30077D874B112AE8E8BCC3119B245FBFB
Malicious:	false
Preview:	Kurfyrsten tillgsbevillingens rdnet bleakness,achromobacter pseudoparasitism cytherella..redlined nordstjernen htel koorka hovedsalaterne sjlegruppers.Gazette borgerreprsentanten nullify hegelianer unsystemisables preintelligent eklektiker materialprvninger..spillable aktivitetscentret bremsens indflyvningernes interpenetrative.Dull politistyrkers plainclothesmen observantist..[FORGIFTNINGERNE KILOMETRES]..;cartesian legislation havgus zirbanit anmasselses divorceuse.Grnttrrings kontiene lumens paaholdende ondograph stib..Svinemiklernes dumbest prelunch svaleurter allegorisk visitkortets afmagnetiseringernes,knstte assimilationer forgaber differenciel..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.274355917407752
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Marcom Trade SS-04665.exe
File size:	694'173 bytes
MD5:	b9ce0eb55ba475c3e45c2acb43189cdd
SHA1:	d701648c7401deeed81906d3424306d021bd6edf
SHA256:	ad1170d032bdaafe43424eb33f74c42dffc04c3ffa044edd7a5bbfcbc0422a23
SHA512:	0224c778374d603413e22faef34f99e7d9193ba9ebab6c611fe0e2a27f0b19b34af475e0cda9781eca636eefdb4061cd47936fac761da1305946936147f865f4
SSDEEP:	12288:tt4DeGebNSNGYzJGvohJd/NDPdP1bYcKT:CPyNSnzMQDPdP1oT
TLSH:	61E412147FE8C477C3805D710EA1E6FDA2F9AC4058240E4B7BAF7F6E2D32A65680A5C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	0d0e1f1d1b874f0c

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F18A8B40BACh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F18A8B40817h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F18A8B40805h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F18A8B3DCFAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F18A8B40256h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F18A8B3DDBEh
push 00000020h
pop edx
cmp cx, dx
jne 00007F18A8B3DCF9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F18A8B3DCEBh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x3b330	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x26000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0x3b330	0x3b400	2d2028b91a53c942835f80f84c194200	False	0.5409620582805907	data	5.258649495088397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x50478	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x507e0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3344522654678812
RT_ICON	0x61008	0x10637	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9980931666840467
RT_ICON	0x71640	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.3632278747109523
RT_ICON	0x7aae8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.36206099815157117
RT_ICON	0x7ff70	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3579357581483231
RT_ICON	0x84198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3853734439834025
RT_ICON	0x86740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4080675422138837
RT_ICON	0x877e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5439765458422174
RT_ICON	0x88690	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4459016393442623
RT_ICON	0x89018	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6583935018050542
RT_ICON	0x898c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5743087557603687
RT_ICON	0x89f88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4046242774566474
RT_ICON	0x8a4f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.49556737588652483
RT_DIALOG	0x8a958	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x8aaa0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x8abe0	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x8ad00	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8ae20	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8ae80	0xbc	data	English	United States	0.6542553191489362
RT_MANIFEST	0x8af40	0x3ea	XML 1.0 document, ASCII text, with very long lines (1002), with no line terminators	English	United States	0.5179640718562875

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-04T09:35:32.439292+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49972	204.10.160.191	80	TCP
2025-03-04T09:35:34.459441+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.10	49973	204.10.160.190	2404	TCP
2025-03-04T09:35:35.457403+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.10	49974	204.10.160.190	2404	TCP
2025-03-04T09:35:35.625388+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.10	49975	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2025 09:35:31.912523985 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:31.917757034 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:31.917901993 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:31.923501015 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:31.928519964 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439148903 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439188957 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439224958 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439258099 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439294100 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439291954 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.439291954 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.439291954 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.439346075 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.439352036 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.439352036 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.439384937 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.477319956 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.477344990 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.477361917 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.477380037 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.477427006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.477957010 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.477972984 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.478002071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.478017092 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.478020906 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.478060961 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526101112 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526138067 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526164055 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526171923 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526185989 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526206017 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526227951 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526242018 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526252985 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526278973 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526606083 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526638985 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526659012 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526670933 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.526760101 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.526812077 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565222979 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565256119 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565270901 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565306902 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565335989 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565371037 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565417051 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565450907 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565469027 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565495968 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565509081 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565530062 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565546036 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.565572977 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.565628052 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.566323042 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.566360950 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.566375971 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.566378117 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.566400051 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.566414118 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.566521883 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.566536903 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.566560030 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.566576958 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.567342043 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.567358971 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.567375898 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.567388058 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.567392111 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.567406893 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.567434072 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612709045 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612751007 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612768888 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612770081 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612791061 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612822056 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612845898 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612864017 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612880945 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.612881899 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612907887 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.612926006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613076925 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613127947 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613141060 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613157988 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613178968 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613197088 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613226891 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613245964 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613264084 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.613266945 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613286018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.613303900 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.614017010 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.614044905 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.614062071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.614065886 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.614104986 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652240992 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652260065 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652277946 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652301073 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652318001 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652354956 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652401924 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652419090 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652436972 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652462959 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652473927 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652822971 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652839899 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652859926 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652877092 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652882099 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652899027 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652901888 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652919054 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.652921915 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652944088 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.652961969 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653642893 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653693914 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653696060 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653712988 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653728962 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653745890 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653850079 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653867960 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653886080 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.653892040 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653904915 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.653919935 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654541016 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654591084 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654599905 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654609919 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654632092 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654643059 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654697895 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654714108 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654731035 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.654733896 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654753923 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.654777050 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.655443907 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655486107 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.655502081 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655519962 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655543089 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.655559063 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.655582905 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655600071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655616999 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.655632019 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.655647993 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.656380892 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.656409979 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.656426907 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.656430006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.656449080 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.656466007 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699703932 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.699738026 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.699754953 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.699759960 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699775934 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699796915 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699827909 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.699846029 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.699865103 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699878931 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.699963093 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700002909 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700015068 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700033903 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700056076 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700073957 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700098038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700114965 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700139046 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700153112 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700206995 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700225115 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700241089 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700248003 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700262070 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700350046 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.700860023 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700876951 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700895071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.700979948 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701020956 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701037884 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701056957 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701061010 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701077938 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701081991 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701103926 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701118946 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701134920 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701174974 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.701649904 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.701761007 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739377975 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739412069 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739427090 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739437103 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739449978 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739490986 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739496946 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739515066 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739547014 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739554882 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739558935 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739593029 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739598989 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739645958 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739676952 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739712954 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739717007 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739759922 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.739787102 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.739824057 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740159988 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740184069 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740202904 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740209103 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740221024 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740238905 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740263939 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740281105 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740303993 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740330935 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740614891 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740664005 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740689039 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740706921 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740730047 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740751982 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740792990 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740811110 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740833044 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740847111 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.740847111 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.740884066 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741292953 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741323948 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741341114 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741342068 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741358995 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741383076 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741431952 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741453886 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741465092 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741492987 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741614103 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741631031 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741647959 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.741652966 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741672993 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.741683960 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742167950 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742218018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742219925 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742238998 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742259026 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742274046 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742336035 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742353916 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742371082 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742377043 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742391109 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742408037 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742439985 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742459059 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.742477894 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.742490053 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743067980 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743115902 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743133068 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743176937 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743199110 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743216038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743244886 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743263006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743364096 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743381023 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743398905 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743410110 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743416071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.743421078 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743438005 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743454933 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.743952036 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744000912 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744071960 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744088888 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744132042 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744136095 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744147062 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744153976 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744172096 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744172096 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744194031 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744209051 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744263887 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744281054 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744307041 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744321108 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744812012 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744839907 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744857073 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744858980 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744878054 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744891882 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.744934082 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.744976044 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.780072927 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.780143976 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.780162096 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.780173063 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.780196905 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.786784887 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.786850929 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.786861897 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.786895990 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.786900997 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.786917925 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.786940098 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.786953926 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.786958933 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.786995888 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787086964 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787103891 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787121058 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787127018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787142038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787144899 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787159920 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787163019 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787183046 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787193060 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787204027 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787235975 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787359953 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787410021 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787417889 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787434101 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787458897 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787472010 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787504911 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787520885 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787547112 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787563086 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787697077 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787741899 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787748098 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787764072 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787781954 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787795067 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787898064 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787914991 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787931919 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787939072 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787950039 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787961006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787972927 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.787986994 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.787992001 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788024902 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788218021 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788247108 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788264036 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788264036 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788284063 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788295031 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788444996 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788460970 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788477898 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788487911 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788492918 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788507938 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788511038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788522959 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788541079 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788552999 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788588047 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788626909 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788696051 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788712025 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788727999 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788743973 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.788748980 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788769007 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.788795948 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789242983 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789258957 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789275885 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789288998 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789308071 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789315939 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789323092 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789340019 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789356947 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789365053 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789372921 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.789377928 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789400101 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.789407969 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.826292038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.826349974 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.826383114 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.826448917 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.826488018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827023983 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827059031 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827081919 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827114105 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827115059 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827148914 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827152967 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827187061 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827193022 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827223063 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827228069 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827264071 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827299118 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827348948 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827368021 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827408075 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827431917 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827442884 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827471972 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827516079 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827524900 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827558994 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827565908 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827578068 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827611923 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827655077 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827687025 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827721119 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827738047 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827755928 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827756882 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827797890 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827840090 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827873945 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827884912 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827909946 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.827918053 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827955961 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.827966928 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828011990 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828082085 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828114033 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828125000 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828154087 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828162909 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828198910 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828202009 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828233004 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828233957 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828269005 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828270912 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828305006 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828305006 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828344107 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828530073 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828564882 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828579903 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828603029 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828618050 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828651905 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828655005 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828689098 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828692913 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828722954 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828726053 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828763008 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828778028 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828810930 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828824997 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828850985 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828864098 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828897953 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828912973 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828933001 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828936100 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.828968048 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.828970909 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829004049 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829009056 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829041958 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829062939 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829108000 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829412937 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829459906 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829467058 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829500914 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829507113 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829538107 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829538107 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829572916 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829576969 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829610109 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829749107 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829783916 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829796076 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829822063 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829824924 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829859018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829862118 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829900026 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829914093 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829947948 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829956055 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.829982996 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.829986095 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.830017090 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.830019951 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.830053091 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.830055952 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.830096960 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.830317974 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.830367088 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867136002 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867166996 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867238045 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867264032 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867273092 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867302895 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867336988 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867355108 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867389917 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867400885 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867425919 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867429018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867460966 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.867464066 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.867506027 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874273062 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874320030 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874336004 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874340057 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874367952 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874378920 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874387026 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874417067 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874425888 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874463081 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874469042 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874485016 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874501944 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874525070 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874608040 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874629021 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874648094 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874655008 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874672890 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874686003 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874718904 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874736071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874757051 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874774933 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.874934912 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874955893 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874965906 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874968052 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874977112 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.874996901 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875107050 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875138998 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875180960 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875322104 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875339031 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875356913 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875369072 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875386000 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875401974 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875478029 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875494003 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875510931 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875521898 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875528097 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875539064 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875556946 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875571012 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875576973 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875612020 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875688076 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875705004 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875711918 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875720978 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875729084 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875736952 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875750065 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875755072 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.875778913 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875793934 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.875986099 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876003027 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876028061 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876044989 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876310110 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876326084 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876343012 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876348972 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876364946 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876380920 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876451969 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876467943 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876485109 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.876492977 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876507998 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.876524925 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.913618088 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913678885 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913714886 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913767099 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913800001 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913832903 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913849115 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.913889885 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913906097 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.913924932 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913933992 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.913960934 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.913968086 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.913997889 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914004087 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914030075 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914037943 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914066076 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914103985 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914139032 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914144993 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914174080 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914177895 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914210081 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914212942 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914248943 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914350986 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914385080 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914400101 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914417982 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914422989 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914453983 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914457083 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914495945 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914495945 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914540052 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914551973 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914587021 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914597988 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914622068 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914628983 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914658070 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914664984 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914693117 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914697886 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914729118 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914735079 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914767981 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914820910 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914855003 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914865971 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914887905 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914897919 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914925098 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914933920 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.914961100 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.914968014 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915004015 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915033102 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915076971 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915112019 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915157080 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915164948 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915199041 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915205002 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915242910 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915342093 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915376902 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915394068 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915414095 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915414095 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915448904 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915452003 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915487051 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915492058 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915524960 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915577888 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915626049 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915643930 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915679932 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915689945 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915716887 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915752888 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915786028 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915798903 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915821075 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.915823936 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.915860891 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916033030 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916068077 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916079044 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916102886 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916105032 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916143894 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916148901 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916179895 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916182041 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916214943 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916233063 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916276932 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916282892 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916316986 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916325092 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916352987 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916353941 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916388035 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916390896 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916429043 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916554928 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916599989 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916634083 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916667938 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916678905 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916707039 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916721106 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916755915 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916764021 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916791916 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.916791916 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.916866064 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954296112 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954350948 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954396963 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954401970 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954435110 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954437017 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954442024 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954483986 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954489946 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954526901 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954535961 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954560995 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954570055 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954596996 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.954603910 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.954646111 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961352110 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961407900 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961420059 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961442947 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961447954 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961493969 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961517096 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961559057 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961572886 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961612940 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961622000 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961659908 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961674929 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961709976 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961721897 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961745977 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961755037 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961786032 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961834908 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961885929 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961885929 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961920977 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961925030 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961956024 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.961961031 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.961996078 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962009907 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962043047 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962054968 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962088108 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962095022 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962129116 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962140083 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962166071 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962167978 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962203026 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962203979 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962240934 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962241888 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962280035 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962292910 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962327957 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962333918 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962363005 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962373018 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962400913 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962405920 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962438107 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962438107 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962481022 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962528944 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962563038 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962574959 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962702990 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962714911 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962738991 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962742090 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962779045 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962793112 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962827921 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962835073 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962862015 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962865114 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962899923 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962901115 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962934971 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962937117 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.962971926 CET	80	49972	204.10.160.191	192.168.2.10
Mar 4, 2025 09:35:32.962975979 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:32.963012934 CET	49972	80	192.168.2.10	204.10.160.191
Mar 4, 2025 09:35:33.862095118 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:33.867288113 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:33.867423058 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:33.872632027 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:33.877666950 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.414170980 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.459440947 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.545530081 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.549885035 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.554980993 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.555036068 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.560157061 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.769963980 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.771250010 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.776329041 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.864979982 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.866070986 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.871125937 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.871217012 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.874515057 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.879812002 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:34.910535097 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:34.993567944 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.012518883 CET	49975	80	192.168.2.10	178.237.33.50
Mar 4, 2025 09:35:35.017724991 CET	80	49975	178.237.33.50	192.168.2.10
Mar 4, 2025 09:35:35.017803907 CET	49975	80	192.168.2.10	178.237.33.50
Mar 4, 2025 09:35:35.017966986 CET	49975	80	192.168.2.10	178.237.33.50
Mar 4, 2025 09:35:35.022969961 CET	80	49975	178.237.33.50	192.168.2.10
Mar 4, 2025 09:35:35.036381006 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.406181097 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.457402945 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.537372112 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.541728020 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.548146963 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.548320055 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.554231882 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.619350910 CET	80	49975	178.237.33.50	192.168.2.10
Mar 4, 2025 09:35:35.625387907 CET	49975	80	192.168.2.10	178.237.33.50
Mar 4, 2025 09:35:35.640868902 CET	49973	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.647408962 CET	2404	49973	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876265049 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876281977 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876327991 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876384974 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876386881 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.876396894 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876445055 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.876490116 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.876537085 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.916182995 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916227102 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916238070 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916378021 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.916409969 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916448116 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916459084 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916460037 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.916497946 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.916546106 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916557074 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.916595936 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.964745998 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964791059 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964804888 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964829922 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964844942 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964854002 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.964879036 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.964917898 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964951038 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.964998007 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.965641022 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.965694904 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.965714931 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:35.965749025 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.965764046 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:35.965766907 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004781961 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004802942 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004815102 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004859924 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004861116 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.004873037 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.004901886 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.004925966 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.005165100 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005191088 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005203009 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005244017 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.005284071 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005326033 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.005789042 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005808115 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005819082 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005850077 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.005930901 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.005970001 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.005975962 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.006700039 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.007447958 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.053081989 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053108931 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053154945 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053167105 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.053222895 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053236961 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053276062 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.053294897 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053348064 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.053827047 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.053998947 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054011106 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054022074 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054033995 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054054022 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.054086924 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.054739952 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054789066 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.054810047 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054820061 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.054857016 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.055131912 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.055175066 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.055188894 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.055241108 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.055264950 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.055278063 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.055310011 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.056050062 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.056083918 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.056093931 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.056099892 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.056140900 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093234062 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093261957 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093278885 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093291998 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093306065 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093349934 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093410969 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093467951 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093525887 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093540907 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093554974 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093609095 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093621969 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093633890 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093635082 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093667984 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.093746901 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.093795061 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.094423056 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094435930 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094446898 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094481945 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.094520092 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094532013 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094548941 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094559908 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.094577074 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.094609976 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.095288038 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095336914 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095344067 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.095350981 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095397949 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.095431089 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095444918 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095474958 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095485926 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.095489979 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.095539093 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.096195936 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.133558989 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.133573055 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.133584023 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.133649111 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.141601086 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141645908 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141664028 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141674995 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141697884 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.141719103 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.141727924 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141845942 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141856909 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.141900063 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.141994953 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142007113 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142018080 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142030001 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142050982 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.142066956 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.142126083 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142174006 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.142446041 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142533064 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142545938 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142591000 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.142618895 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142631054 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142642975 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.142666101 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.142693996 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.143142939 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143155098 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143166065 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143197060 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.143210888 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143229008 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143240929 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143253088 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.143260956 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.143292904 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.143340111 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.145080090 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.181735992 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181749105 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181761026 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181835890 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.181850910 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181863070 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181875944 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181898117 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.181926012 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.181931973 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181945086 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.181973934 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182005882 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182143927 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182183027 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182228088 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182291985 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182351112 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182354927 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182363033 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182410002 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182440996 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182452917 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182495117 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182502985 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182516098 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182527065 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182545900 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.182583094 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.182627916 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.183192968 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183212996 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183224916 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183264971 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.183356047 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183367968 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183399916 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.183470964 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183482885 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183491945 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183502913 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.183514118 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.183532953 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184150934 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184163094 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184175014 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184210062 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184231997 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184232950 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184243917 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184256077 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184267998 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184282064 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184312105 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184417009 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184428930 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184477091 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.184967995 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184987068 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.184997082 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185055017 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.185118914 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185129881 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185141087 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185165882 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.185194016 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.185209036 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185250998 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185261965 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185305119 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.185946941 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185957909 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.185969114 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.186002970 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.186013937 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.186013937 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.186027050 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.186038971 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.186050892 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.186067104 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.186096907 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.221894979 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.221923113 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.221939087 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.221988916 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.221990108 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.222002983 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.222016096 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.222057104 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.222057104 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230010033 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230029106 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230062962 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230082989 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230113029 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230169058 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230191946 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230237007 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230279922 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230300903 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230345964 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230360031 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230398893 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230422974 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230473995 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230488062 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230500937 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230535030 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230634928 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230647087 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230680943 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230694056 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230719090 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230736017 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230742931 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.230798960 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230875969 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230887890 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.230927944 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231008053 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231019974 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231030941 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231036901 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231077909 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231141090 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231153011 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231164932 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231188059 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231426954 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231439114 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231450081 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231476068 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231502056 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231559992 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231570959 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231584072 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231595039 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231605053 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231637955 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231693983 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231760025 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231771946 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231782913 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231795073 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.231796980 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.231817961 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.232047081 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232059956 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232072115 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232083082 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232096910 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.232116938 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.232492924 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232505083 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232517958 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232537985 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.232578993 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.232655048 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232666969 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232676983 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.232697010 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270025015 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270045042 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270050049 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270116091 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270127058 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270145893 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270165920 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270204067 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270204067 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270250082 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270373106 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270422935 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270440102 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270451069 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270482063 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270484924 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270510912 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270529985 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270565033 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270571947 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270580053 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270622969 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270812035 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270822048 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270833969 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270844936 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270855904 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270864010 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270865917 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270879984 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270899057 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270921946 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.270983934 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.270994902 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271004915 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271034002 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271073103 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271184921 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271225929 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271244049 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271255970 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271270990 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271296024 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271362066 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271502018 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271512985 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271526098 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271547079 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271580935 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271604061 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271622896 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271642923 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271646023 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271667004 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271733999 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271747112 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271769047 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271783113 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271794081 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.271816969 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.271838903 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.272151947 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.272164106 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.272176027 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 2025 09:35:36.272218943 CET	49974	2404	192.168.2.10	204.10.160.190
Mar 4, 2025 09:35:36.272222042 CET	2404	49974	204.10.160.190	192.168.2.10
Mar 4, 20

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49974 -> 204.10.160.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49973 -> 204.10.160.190:2404

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49972 -> 204.10.160.191:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49975 -> 178.237.33.50:80

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Marcom Trade SS-04665.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

C:\Users\user\AppData\Local\Temp\bhvF2B2.tmp

C:\Users\user\AppData\Local\Temp\ioaz

C:\Users\user\AppData\Local\Temp\nso1C87.tmp

C:\Users\user\AppData\Local\Temp\nsy401E.tmp\System.dll

C:\Users\user\AppData\Roaming\Rigsantikvarernes\Negrillo162.nov

C:\Users\user\AppData\Roaming\Rigsantikvarernes\Palmes.Uni

C:\Users\user\AppData\Roaming\Rigsantikvarernes\anticipatively.ini

C:\Users\user\AppData\Roaming\Rigsantikvarernes\folketingsformand.txt

C:\Users\user\AppData\Roaming\Rigsantikvarernes\levnedsmiddelets.sva

C:\Users\user\AppData\Roaming\Rigsantikvarernes\pray.kry

C:\Users\user\AppData\Roaming\Rigsantikvarernes\respirationsstoppene.txt

Windows Analysis Report
Marcom Trade SS-04665.exe